Access Approval roles
Permissions
Access Approval Approver
(roles/accessapproval.approver)
Ability to view or act on access approval requests and view configuration.
accessapproval.requests.*
accessapproval.serviceAccounts.get
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Approval Config Editor
(roles/accessapproval.configEditor)
Ability to update the Access Approval configuration
accessapproval.serviceAccounts.get
accessapproval.settings.*
resourcemanager.projects.get
resourcemanager.projects.list
Access Approval Invalidator
(roles/accessapproval.invalidator)
Ability to invalidate existing approved approval requests
accessapproval.requests.invalidate
accessapproval.serviceAccounts.get
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Approval Viewer
(roles/accessapproval.viewer)
Ability to view access approval requests and configuration
accessapproval.requests.get
accessapproval.requests.list
accessapproval.serviceAccounts.get
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Context Manager roles
Permissions
Cloud Access Binding Admin
(roles/accesscontextmanager.gcpAccessAdmin)
Create, edit, and change Cloud access bindings.
accesscontextmanager.gcpUserAccessBindings.*
Cloud Access Binding Reader
(roles/accesscontextmanager.gcpAccessReader)
Read access to Cloud access bindings.
accesscontextmanager.gcpUserAccessBindings.get
accesscontextmanager.gcpUserAccessBindings.list
Access Context Manager Admin
(roles/accesscontextmanager.policyAdmin)
Full access to policies, access levels, access zones and authorized orgs descs.
accesscontextmanager.accessLevels.*
accesscontextmanager.authorizedOrgsDescs.*
accesscontextmanager.policies.*
accesscontextmanager.servicePerimeters.*
cloudasset.assets.searchAllResources
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Context Manager Editor
(roles/accesscontextmanager.policyEditor)
Edit access to policies. Create, edit, and change access levels, access zones and authorized orgs descs.
accesscontextmanager.accessLevels.*
accesscontextmanager.authorizedOrgsDescs.*
accesscontextmanager.policies.create
accesscontextmanager.policies.delete
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.policies.update
accesscontextmanager.servicePerimeters.*
cloudasset.assets.searchAllResources
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Context Manager Reader
(roles/accesscontextmanager.policyReader)
Read access to policies, access levels, access zones and authorized orgs descs.
accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.list
accesscontextmanager.authorizedOrgsDescs.get
accesscontextmanager.authorizedOrgsDescs.list
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
VPC Service Controls Troubleshooter Viewer
(roles/accesscontextmanager.vpcScTroubleshooterViewer)
accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.list
accesscontextmanager.authorizedOrgsDescs.get
accesscontextmanager.authorizedOrgsDescs.list
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
logging.exclusions.get
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.sinks.get
logging.sinks.list
logging.usage.get
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Actions roles
Permissions
Actions Admin
(roles/actions.Admin)
Access to edit and deploy an action
actions.*
firebase.projects.get
firebase.projects.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Actions Viewer
(roles/actions.Viewer)
Access to view an action
actions.agent.get
actions.agentVersions.get
actions.agentVersions.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
AI Notebooks roles
Permissions
Notebooks Admin
(roles/notebooks.admin)
Full access to Notebooks, all resources.
Lowest-level resources where you can grant this role:
aiplatform.notebookExecutionJobs.*
aiplatform.operations.list
aiplatform.pipelineJobs.create
aiplatform.schedules.*
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.futureReservations.get
compute.futureReservations.getIamPolicy
compute.futureReservations.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.instanceSettings.get
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.multiMig.get
compute.multiMig.list
compute.networkAttachments.get
compute.networkAttachments.getIamPolicy
compute.networkAttachments.list
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkEdgeSecurityServices.get
compute.networkEdgeSecurityServices.list
compute.networkEdgeSecurityServices.listEffectiveTags
compute.networkEdgeSecurityServices.listTagBindings
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networkProfiles.*
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listPeeringRoutes
compute.networks.listTagBindings
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.routers.listEffectiveTags
compute.routers.listRoutePolicies
compute.routers.listTagBindings
compute.routes.get
compute.routes.list
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.storagePools.get
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
notebooks.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Notebooks Legacy Admin
(roles/notebooks.legacyAdmin)
Full access to Notebooks all resources through compute API.
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.useForComputeInstance
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.serviceConfig.initialize
compute.*
notebooks.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Notebooks Legacy Viewer
(roles/notebooks.legacyViewer)
Read-only access to Notebooks all resources through compute API.
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.futureReservations.get
compute.futureReservations.getIamPolicy
compute.futureReservations.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.instanceSettings.get
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.multiMig.get
compute.multiMig.list
compute.networkAttachments.get
compute.networkAttachments.getIamPolicy
compute.networkAttachments.list
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkEdgeSecurityServices.get
compute.networkEdgeSecurityServices.list
compute.networkEdgeSecurityServices.listEffectiveTags
compute.networkEdgeSecurityServices.listTagBindings
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networkProfiles.*
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listPeeringRoutes
compute.networks.listTagBindings
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.routers.listEffectiveTags
compute.routers.listRoutePolicies
compute.routers.listTagBindings
compute.routes.get
compute.routes.list
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.storagePools.get
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
notebooks.environments.get
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.executions.get
notebooks.executions.getIamPolicy
notebooks.executions.list
notebooks.instances.checkUpgradability
notebooks.instances.get
notebooks.instances.getHealth
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.locations.*
notebooks.operations.get
notebooks.operations.list
notebooks.runtimes.get
notebooks.runtimes.getIamPolicy
notebooks.runtimes.list
notebooks.schedules.get
notebooks.schedules.getIamPolicy
notebooks.schedules.list
notebooks.schedules.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Notebooks Runner
(roles/notebooks.runner)
Restricted access for running scheduled Notebooks.
aiplatform. notebookExecutionJobs.*
aiplatform.operations.list
aiplatform.pipelineJobs.create
aiplatform.schedules.*
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.futureReservations.get
compute.futureReservations.getIamPolicy
compute.futureReservations.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.instanceSettings.get
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.multiMig.get
compute.multiMig.list
compute.networkAttachments.get
compute.networkAttachments.getIamPolicy
compute.networkAttachments.list
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkEdgeSecurityServices.get
compute.networkEdgeSecurityServices.list
compute.networkEdgeSecurityServices.listEffectiveTags
compute.networkEdgeSecurityServices.listTagBindings
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networkProfiles.*
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listPeeringRoutes
compute.networks.listTagBindings
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.routers.listEffectiveTags
compute.routers.listRoutePolicies
compute.routers.listTagBindings
compute.routes.get
compute.routes.list
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.storagePools.get
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
notebooks.environments.get
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.executions.create
notebooks.executions.get
notebooks.executions.getIamPolicy
notebooks.executions.list
notebooks.instances.checkUpgradability
notebooks.instances.create
notebooks.instances.get
notebooks.instances.getHealth
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.locations.*
notebooks.operations.get
notebooks.operations.list
notebooks.runtimes.create
notebooks.runtimes.get
notebooks.runtimes.getIamPolicy
notebooks.runtimes.list
notebooks.schedules.create
notebooks.schedules.get
notebooks.schedules.getIamPolicy
notebooks.schedules.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Notebooks Viewer
(roles/notebooks.viewer)
Read-only access to Notebooks, all resources.
Lowest-level resources where you can grant this role:
aiplatform.notebookExecutionJobs.get
aiplatform.notebookExecutionJobs.list
aiplatform.schedules.get
aiplatform.schedules.list
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.futureReservations.get
compute.futureReservations.getIamPolicy
compute.futureReservations.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.instanceSettings.get
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.multiMig.get
compute.multiMig.list
compute.networkAttachments.get
compute.networkAttachments.getIamPolicy
compute.networkAttachments.list
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkEdgeSecurityServices.get
compute.networkEdgeSecurityServices.list
compute.networkEdgeSecurityServices.listEffectiveTags
compute.networkEdgeSecurityServices.listTagBindings
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networkProfiles.*
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listPeeringRoutes
compute.networks.listTagBindings
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.routers.listEffectiveTags
compute.routers.listRoutePolicies
compute.routers.listTagBindings
compute.routes.get
compute.routes.list
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.storagePools.get
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
notebooks.environments.get
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.executions.get
notebooks.executions.getIamPolicy
notebooks.executions.list
notebooks.instances.checkUpgradability
notebooks.instances.get
notebooks.instances.getHealth
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.locations.*
notebooks.operations.get
notebooks.operations.list
notebooks.runtimes.get
notebooks.runtimes.getIamPolicy
notebooks.runtimes.list
notebooks.schedules.get
notebooks.schedules.getIamPolicy
notebooks.schedules.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Permissions
AI Platform Admin
(roles/ml.admin)
Provides full access to AI Platform resources, and its jobs, operations, models, and versions.
Lowest-level resources where you can grant this role:
ml.*
resourcemanager.projects.get
AI Platform Developer
(roles/ml.developer)
Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests.
Lowest-level resources where you can grant this role:
ml.jobs.create
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.*
ml.models.create
ml.models.get
ml.models.getIamPolicy
ml.models.list
ml.models.predict
ml.operations.get
ml.operations.list
ml.projects.getConfig
ml.studies.*
ml.trials.*
ml.versions.get
ml.versions.list
ml.versions.predict
resourcemanager.projects.get
AI Platform Job Owner
(roles/ml.jobOwner)
Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job.
Lowest-level resources where you can grant this role:
ml.jobs.*
AI Platform Model Owner
(roles/ml.modelOwner)
Provides full access to the model and its versions. This role is automatically granted to the user who creates the model.
Lowest-level resources where you can grant this role:
ml.models.*
ml.versions.*
AI Platform Model User
(roles/ml.modelUser)
Provides permissions to read the model and its versions, and use them for prediction.
Lowest-level resources where you can grant this role:
ml.models.get
ml.models.predict
ml.versions.get
ml.versions.list
ml.versions.predict
AI Platform Operation Owner
(roles/ml.operationOwner)
Provides full access to all permissions for a particular operation resource.
Lowest-level resources where you can grant this role:
ml.operations.*
AI Platform Viewer
(roles/ml.viewer)
Provides read-only access to AI Platform resources.
Lowest-level resources where you can grant this role:
ml.jobs.get
ml.jobs.list
ml.locations.*
ml.models.get
ml.models.list
ml.operations.get
ml.operations.list
ml.projects.getConfig
ml.studies.get
ml.studies.getIamPolicy
ml.studies.list
ml.trials.get
ml.trials.list
ml.versions.get
ml.versions.list
resourcemanager.projects.get
Analytics Hub roles
Permissions
Analytics Hub Admin
(roles/analyticshub.admin)
Administer Data Exchanges and Listings
analyticshub.dataExchanges.create
analyticshub.dataExchanges.delete
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.dataExchanges.setIamPolicy
analyticshub.dataExchanges.update
analyticshub.dataExchanges.viewSubscriptions
analyticshub.listings.create
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.setIamPolicy
analyticshub.listings.update
analyticshub.listings.viewSubscriptions
analyticshub.subscriptions.*
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Listing Admin
(roles/analyticshub.listingAdmin)
Grants full control over the Listing, including updating, deleting and setting ACLs
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.setIamPolicy
analyticshub.listings.update
analyticshub.listings.viewSubscriptions
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Publisher
(roles/analyticshub.publisher)
Can publish to Data Exchanges thus creating Listings
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.create
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Subscriber
(roles/analyticshub.subscriber)
Can browse Data Exchanges and subscribe to Listings
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.dataExchanges.subscribe
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.subscribe
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Subscription Owner
(roles/analyticshub.subscriptionOwner)
Grants full control over the Subscription, including updating and deleting
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.subscriptions.*
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Viewer
(roles/analyticshub.viewer)
Can browse Data Exchanges and Listings
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
resourcemanager.projects.get
resourcemanager.projects.list
Android Management roles
Permissions
Android Management User
(roles/androidmanagement.user)
Full access to manage devices.
androidmanagement.enterprises.manage
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Anthos Multi-cloud roles
Permissions
Anthos Multi-cloud Admin
(roles/gkemulticloud.admin)
Admin access to Anthos Multi-cloud resources.
gkemulticloud.*
resourcemanager.projects.get
resourcemanager.projects.list
Anthos Multi-cloud Telemetry Writer
(roles/gkemulticloud.telemetryWriter)
Grant access to write cluster telemetry data such as logs, metrics, and resource metadata.
logging.logEntries.create
logging.logEntries.route
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
opsconfigmonitoring.resourceMetadata.write
Anthos Multi-cloud Viewer
(roles/gkemulticloud.viewer)
Viewer access to Anthos Multi-cloud resources.
gkemulticloud.attachedClusters.generateInstallManifest
gkemulticloud.attachedClusters.get
gkemulticloud.attachedClusters.list
gkemulticloud.attachedServerConfigs.get
gkemulticloud.awsClusters.generateAccessToken
gkemulticloud.awsClusters.get
gkemulticloud.awsClusters.list
gkemulticloud.awsNodePools.get
gkemulticloud.awsNodePools.list
gkemulticloud.awsServerConfigs.get
gkemulticloud.azureClients.get
gkemulticloud.azureClients.list
gkemulticloud.azureClusters.generateAccessToken
gkemulticloud.azureClusters.get
gkemulticloud.azureClusters.list
gkemulticloud.azureNodePools.get
gkemulticloud.azureNodePools.list
gkemulticloud.azureServerConfigs.get
gkemulticloud.operations.get
gkemulticloud.operations.list
gkemulticloud.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list
API Gateway roles
Permissions
ApiGateway Admin
(roles/apigateway.admin)
Full access to ApiGateway and related resources.
apigateway.*
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.get
serviceusage.services.list
ApiGateway Viewer
(roles/apigateway.viewer)
Read-only access to ApiGateway and related resources.
apigateway.apiconfigs.get
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apis.get
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.gateways.get
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.locations.*
apigateway.operations.get
apigateway.operations.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.get
serviceusage.services.list
Apigee roles
Permissions
Apigee Organization Admin
(roles/apigee.admin)
Full access to all apigee resource features
apigee.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Apigee Analytics Agent
(roles/apigee.analyticsAgent)
Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization
apigee.datalocation.get
apigee.environments.getDataLocation
apigee.runtimeconfigs.get
Apigee Analytics Editor
(roles/apigee.analyticsEditor)
Analytics editor for an Apigee Organization
apigee.datacollectors.*
apigee.datastores.*
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.exports.*
apigee.hostqueries.*
apigee.hoststats.get
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.queries.*
apigee.reports.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Analytics Viewer
(roles/apigee.analyticsViewer)
Analytics viewer for an Apigee Organization
apigee.datacollectors.get
apigee.datacollectors.list
apigee.datastores.get
apigee.datastores.list
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.exports.get
apigee.exports.list
apigee.hostqueries.get
apigee.hostqueries.list
apigee.hoststats.get
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.queries.get
apigee.queries.list
apigee.reports.get
apigee.reports.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee API Admin
(roles/apigee.apiAdminV2)
Full read/write access to all apigee API resources
apigee.apiproductattributes.*
apigee.apiproducts.*
apigee.deployments.list
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.keyvaluemapentries.*
apigee.keyvaluemaps.*
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.proxies.*
apigee.proxyrevisions.*
apigee.sharedflowrevisions.*
apigee.sharedflows.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee API Reader
(roles/apigee.apiReaderV2)
Reader of apigee resources
apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.keyvaluemapentries.get
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.list
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.deploy
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.proxyrevisions.undeploy
apigee.sharedflowrevisions.deploy
apigee.sharedflowrevisions.get
apigee.sharedflowrevisions.list
apigee.sharedflowrevisions.undeploy
apigee.sharedflows.get
apigee.sharedflows.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Deployment Invoker
(roles/apigee.deploymentInvoker)
Invoker of deployments in the apigee runtime
apigee.deployments.invoke
Apigee Developer Admin
(roles/apigee.developerAdmin)
Developer admin of apigee resources
apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.appgroupapps.*
apigee.appgroups.*
apigee.appkeys.*
apigee.apps.*
apigee.datacollectors.*
apigee.developerappattributes.*
apigee.developerapps.*
apigee.developerattributes.*
apigee.developerbalances.*
apigee.developermonetizationconfigs.*
apigee.developers.*
apigee.developersubscriptions.*
apigee.entitlements.get
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.hoststats.get
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.rateplans.get
apigee.rateplans.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Apigee Environment Admin
(roles/apigee.environmentAdmin)
Full read/write access to apigee environment resources, including deployments.
apigee.addonsconfig.*
apigee.archivedeployments.*
apigee.datacollectors.get
apigee.datacollectors.list
apigee.deployments.*
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getIamPolicy
apigee.environments.getStats
apigee.environments.list
apigee.environments.setIamPolicy
apigee.environments.update
apigee.flowhooks.*
apigee.ingressconfigs.get
apigee.keystorealiases.*
apigee.keystores.*
apigee.keyvaluemapentries.*
apigee.keyvaluemaps.*
apigee.maskconfigs.*
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.deploy
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.proxyrevisions.undeploy
apigee.references.*
apigee.resourcefiles.*
apigee.sharedflowrevisions.deploy
apigee.sharedflowrevisions.get
apigee.sharedflowrevisions.list
apigee.sharedflowrevisions.undeploy
apigee.sharedflows.get
apigee.sharedflows.list
apigee.targetservers.*
apigee.traceconfig.*
apigee.traceconfigoverrides.*
apigee.tracesessions.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Apigee Monetization Admin
(roles/apigee.monetizationAdmin)
All permissions related to monetization
apigee.apiproducts.get
apigee.apiproducts.list
apigee.developerbalances.*
apigee.developermonetizationconfigs.*
apigee.developersubscriptions.*
apigee.entitlements.get
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.rateplans.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Portal Admin
(roles/apigee.portalAdmin)
Portal admin for an Apigee Organization
apigee.entitlements.get
apigee.organizations.get
apigee.organizations.list
apigee.portals.*
apigee.projectorganizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Read-only Admin
(roles/apigee.readOnlyAdmin)
Viewer of all apigee resources
apigee.addonsconfig.get
apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.appgroupapps.get
apigee.appgroupapps.list
apigee.appgroups.get
apigee.appgroups.list
apigee.appkeys.get
apigee.apps.*
apigee.archivedeployments.download
apigee.archivedeployments.get
apigee.archivedeployments.list
apigee.caches.list
apigee.canaryevaluations.get
apigee.datacollectors.get
apigee.datacollectors.list
apigee.datalocation.get
apigee.datastores.get
apigee.datastores.list
apigee.deployments.get
apigee.deployments.list
apigee.developerappattributes.get
apigee.developerappattributes.list
apigee.developerapps.get
apigee.developerapps.list
apigee.developerattributes.get
apigee.developerattributes.list
apigee.developerbalances.get
apigee.developermonetizationconfigs.get
apigee.developers.get
apigee.developers.list
apigee.developersubscriptions.get
apigee.developersubscriptions.list
apigee.endpointattachments.get
apigee.endpointattachments.list
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getDataLocation
apigee.environments.getIamPolicy
apigee.environments.getStats
apigee.environments.list
apigee.exports.get
apigee.exports.list
apigee.flowhooks.getSharedFlow
apigee.flowhooks.list
apigee.hostqueries.get
apigee.hostqueries.list
apigee.hostsecurityreports.get
apigee.hostsecurityreports.list
apigee.hoststats.get
apigee.ingressconfigs.get
apigee.instanceattachments.get
apigee.instanceattachments.list
apigee.instances.get
apigee.instances.list
apigee.keystorealiases.get
apigee.keystorealiases.list
apigee.keystores.get
apigee.keystores.list
apigee.keyvaluemapentries.get
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.list
apigee.maskconfigs.get
apigee.nataddresses.get
apigee.nataddresses.list
apigee.operations.*
apigee.organizations.get
apigee.organizations.list
apigee.portals.get
apigee.portals.list
apigee.projectorganizations.get
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.queries.get
apigee.queries.list
apigee.rateplans.get
apigee.rateplans.list
apigee.references.get
apigee.references.list
apigee.reports.get
apigee.reports.list
apigee.resourcefiles.get
apigee.resourcefiles.list
apigee.runtimeconfigs.get
apigee.securityActions.get
apigee.securityActions.list
apigee.securityActionsConfig.get
apigee.securityAssessmentResults.compute
apigee.securityFeedback.get
apigee.securityFeedback.list
apigee.securityIncidents.get
apigee.securityIncidents.list
apigee.securityProfileEnvironments.computeScore
apigee.securityProfiles.get
apigee.securityProfiles.list
apigee.securityProfilesV2.get
apigee.securityProfilesV2.list
apigee.securitySettings.get
apigee.securityStats.*
apigee.securityreports.get
apigee.securityreports.list
apigee.setupcontexts.get
apigee.sharedflowrevisions.get
apigee.sharedflowrevisions.list
apigee.sharedflows.get
apigee.sharedflows.list
apigee.targetservers.get
apigee.targetservers.list
apigee.traceconfig.get
apigee.traceconfigoverrides.get
apigee.traceconfigoverrides.list
apigee.tracesessions.get
apigee.tracesessions.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Apigee Runtime Agent
(roles/apigee.runtimeAgent)
Curated set of permissions for a runtime agent to access Apigee Organization resources
apigee.canaryevaluations.*
apigee.entitlements.get
apigee.ingressconfigs.get
apigee.instances.reportStatus
apigee.operations.*
apigee.organizations.get
apigee.projectorganizations.get
apigee.runtimeconfigs.get
Apigee Security Admin
(roles/apigee.securityAdmin)
Security admin for an Apigee Organization
apigee.addonsconfig.get
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.hostsecurityreports.*
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.securityActions.*
apigee.securityActionsConfig.*
apigee.securityAssessmentResults.compute
apigee.securityFeedback.*
apigee.securityIncidents.*
apigee.securityProfileEnvironments.*
apigee.securityProfiles.*
apigee.securityProfilesV2.*
apigee.securitySettings.*
apigee.securityStats.*
apigee.securityreports.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Security Viewer
(roles/apigee.securityViewer)
Security viewer for an Apigee Organization
apigee.addonsconfig.get
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.hostsecurityreports.get
apigee.hostsecurityreports.list
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.securityActions.get
apigee.securityActions.list
apigee.securityActionsConfig.get
apigee.securityAssessmentResults.compute
apigee.securityFeedback.get
apigee.securityFeedback.list
apigee.securityIncidents.get
apigee.securityIncidents.list
apigee.securityProfileEnvironments.computeScore
apigee.securityProfiles.get
apigee.securityProfiles.list
apigee.securityProfilesV2.get
apigee.securityProfilesV2.list
apigee.securitySettings.get
apigee.securityStats.*
apigee.securityreports.get
apigee.securityreports.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Synchronizer Manager
(roles/apigee.synchronizerManager)
Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization
apigee.environments.get
apigee.environments.manageRuntime
apigee.ingressconfigs.get
Apigee Connect Admin
(roles/apigeeconnect.Admin)
Admin of Apigee Connect
apigeeconnect.connections.list
Apigee Connect Agent
(roles/apigeeconnect.Agent)
Ability to set up Apigee Connect agent between external clusters and Google.
apigeeconnect.endpoints.connect
Apigee Registry roles
Permissions
Cloud Apigee Registry Admin
Beta
(roles/apigeeregistry.admin)
Full access to Cloud Apigee Registry Registry and Runtime resources.
apigeeregistry.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Editor
Beta
(roles/apigeeregistry.editor)
Edit access to Cloud Apigee Registry Registry resources.
apigeeregistry.apis.create
apigeeregistry.apis.delete
apigeeregistry.apis.get
apigeeregistry.apis.getIamPolicy
apigeeregistry.apis.list
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.getIamPolicy
apigeeregistry.artifacts.list
apigeeregistry.artifacts.update
apigeeregistry.deployments.*
apigeeregistry.specs.create
apigeeregistry.specs.delete
apigeeregistry.specs.get
apigeeregistry.specs.getIamPolicy
apigeeregistry.specs.list
apigeeregistry.specs.update
apigeeregistry.versions.create
apigeeregistry.versions.delete
apigeeregistry.versions.get
apigeeregistry.versions.getIamPolicy
apigeeregistry.versions.list
apigeeregistry.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Viewer
Beta
(roles/apigeeregistry.viewer)
Read-only access to Cloud Apigee Registry Registry resources.
apigeeregistry.apis.get
apigeeregistry.apis.list
apigeeregistry.artifacts.get
apigeeregistry.artifacts.list
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.specs.get
apigeeregistry.specs.list
apigeeregistry.versions.get
apigeeregistry.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Worker
Beta
(roles/apigeeregistry.worker)
The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts.
apigeeregistry.apis.get
apigeeregistry.apis.list
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.list
apigeeregistry.artifacts.update
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.deployments.update
apigeeregistry.specs.get
apigeeregistry.specs.list
apigeeregistry.specs.update
apigeeregistry.versions.get
apigeeregistry.versions.list
apigeeregistry.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine roles
Permissions
App Engine Admin
(roles/appengine.appAdmin)
Read/Write/Modify access to all application configuration and settings.
To deploy new versions, a principal must have the Service Account User (roles/iam.serviceAccountUser) role on the assigned App Engine service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor), and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.applications.listRuntimes
appengine.applications.update
appengine.instances.*
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
appengine.operations.*
appengine.runtimes.actAsAdmin
appengine.services.*
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.projectsettings.get
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Creator
(roles/appengine.appCreator)
Ability to create the App Engine resource for the project.
Lowest-level resources where you can grant this role:
appengine.applications.create
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Viewer
(roles/appengine.appViewer)
Read-only access to all application configuration and settings.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
artifactregistry.projectsettings.get
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Code Viewer
(roles/appengine.codeViewer)
Read-only access to all application configuration, settings, and deployed source code.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.getFileContents
appengine.versions.list
artifactregistry.projectsettings.get
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Managed VM Debug Access
(roles/appengine.debugger)
Ability to read or manage v2 instances.
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.*
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Deployer
(roles/appengine.deployer)
Read-only access to all application configuration and settings.
To deploy new versions, you must also have the Service Account User (roles/iam.serviceAccountUser) role on the assigned App Engine service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor), and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.
Cannot modify existing versions other than deleting versions that are not receiving traffic.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
artifactregistry.projectsettings.get
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.uploadArtifacts
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Memcache Data Admin
(roles/appengine.memcacheDataAdmin)
Can get, set, delete, and flush App Engine Memcache items.
appengine.applications.get
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Service Admin
(roles/appengine.serviceAdmin)
Read-only access to all application configuration and settings.
Write access to module-level and version-level settings. Cannot deploy a new version.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.delete
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.*
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.projectsettings.get
resourcemanager.projects.get
resourcemanager.projects.list
Artifact Registry roles
Permissions
Artifact Registry Administrator
(roles/artifactregistry.admin)
Administrator access to create and manage repositories.
artifactregistry.aptartifacts.create
artifactregistry.attachments.*
artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.kfpartifacts.create
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.*
artifactregistry.projectsettings.*
artifactregistry.pythonpackages.*
artifactregistry.repositories.create
artifactregistry.repositories.createTagBinding
artifactregistry.repositories.delete
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.repositories.setIamPolicy
artifactregistry.repositories.update
artifactregistry.repositories.uploadArtifacts
artifactregistry.rules.*
artifactregistry.tags.*
artifactregistry.versions.*
artifactregistry.yumartifacts.create
Container Registry -> Artifact Registry Migration Admin
(roles/artifactregistry.containerRegistryMigrationAdmin)
Access to run migration tooling to migrate from Container Registry to Artifact Registry
artifactregistry.projectsettings.*
artifactregistry.repositories.create
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.list
artifactregistry.repositories.setIamPolicy
artifactregistry.repositories.uploadArtifacts
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
iam.roles.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
serviceusage.services.use
storage.objects.list
Artifact Registry Create-on-Push Repository Administrator
(roles/artifactregistry.createOnPushRepoAdmin)
Access to manage artifacts in repositories, as well as create new repositories on push
artifactregistry.aptartifacts.create
artifactregistry.attachments.*
artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.kfpartifacts.create
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.*
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.createOnPush
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.repositories.uploadArtifacts
artifactregistry.rules.*
artifactregistry.tags.*
artifactregistry.versions.*
artifactregistry.yumartifacts.create
Artifact Registry Create-on-Push Writer
(roles/artifactregistry.createOnPushWriter)
Access to read and write repository items, as well as create new repositories on push
artifactregistry.aptartifacts.create
artifactregistry.attachments.create
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.files.update
artifactregistry.files.upload
artifactregistry.kfpartifacts.create
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.packages.update
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.createOnPush
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.repositories.uploadArtifacts
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.yumartifacts.create
Artifact Registry Reader
(roles/artifactregistry.reader)
Access to read repository items.
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
Artifact Registry Repository Administrator
(roles/artifactregistry.repoAdmin)
Access to manage artifacts in repositories.
artifactregistry.aptartifacts.create
artifactregistry.attachments.*
artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.kfpartifacts.create
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.*
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.repositories.uploadArtifacts
artifactregistry.rules.*
artifactregistry.tags.*
artifactregistry.versions.*
artifactregistry.yumartifacts.create
Artifact Registry Writer
(roles/artifactregistry.writer)
Access to read and write repository items.
artifactregistry.aptartifacts.create
artifactregistry.attachments.create
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.files.update
artifactregistry.files.upload
artifactregistry.kfpartifacts.create
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.packages.update
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.repositories.uploadArtifacts
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.yumartifacts.create
Assured Workloads roles
Permissions
Assured Workloads Administrator
(roles/assuredworkloads.admin)
Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration
assuredworkloads.*
axt.labels.set
bigquery.config.update
logging.settings.update
orgpolicy.policies.*
orgpolicy.policy.*
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.create
resourcemanager.projects.get
resourcemanager.projects.list
Assured Workloads Editor
(roles/assuredworkloads.editor)
Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration
assuredworkloads.*
axt.labels.set
bigquery.config.update
logging.settings.update
orgpolicy.policies.*
orgpolicy.policy.*
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.create
resourcemanager.projects.get
resourcemanager.projects.list
Assured Workloads Reader
(roles/assuredworkloads.reader)
Grants read access to all Assured Workloads resources and CRM resources - project/folder
assuredworkloads.operations.*
assuredworkloads.updates.list
assuredworkloads.violations.get
assuredworkloads.violations.list
assuredworkloads.workload.get
assuredworkloads.workload.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
AutoML roles
Permissions
AutoML Admin
Beta
(roles/automl.admin)
Full access to all AutoML resources
Lowest-level resources where you can grant this role:
automl.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
AutoML Editor
Beta
(roles/automl.editor)
Editor of all AutoML resources
Lowest-level resources where you can grant this role:
automl.annotationSpecs.*
automl.annotations.*
automl.columnSpecs.*
automl.datasets.create
automl.datasets.delete
automl.datasets.export
automl.datasets.get
automl.datasets.import
automl.datasets.list
automl.datasets.update
automl.examples.*
automl.files.*
automl.humanAnnotationTasks.*
automl.locations.get
automl.locations.list
automl.modelEvaluations.*
automl.models.create
automl.models.delete
automl.models.deploy
automl.models.export
automl.models.get
automl.models.list
automl.models.predict
automl.models.undeploy
automl.operations.*
automl.tableSpecs.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
AutoML Predictor
Beta
(roles/automl.predictor)
Predict using models
Lowest-level resources where you can grant this role:
automl.models.predict
resourcemanager.projects.get
resourcemanager.projects.list
AutoML Viewer
Beta
(roles/automl.viewer)
Viewer of all AutoML resources
Lowest-level resources where you can grant this role:
automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.files.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Backup and DR roles
Permissions
Backup and DR Admin
(roles/backupdr.admin)
Provides full access to all Backup and DR resources.
backupdr.backupPlanAssociations.*
backupdr.backupPlans.*
backupdr.backupVaults.*
backupdr.bvbackups.*
backupdr.bvdataSources.*
backupdr.compute.restoreFromBackupVault
backupdr.locations.*
backupdr.managementServers.*
backupdr.operations.*
backupdr.serviceConfig.initialize
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR Backup Config Viewer
Beta
(roles/backupdr.backupConfigViewer)
Provides read access to resource backup config. Resource backup config has the metadata of a Google Cloud resource that can be backed up, along with its backup configurations.
backupdr.resourceBackupConfigs.*
Backup and DR Backup User
(roles/backupdr.backupUser)
Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup.
backupdr.backupPlanAssociations.*
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.useForComputeInstance
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.locations.*
backupdr.managementServers.access
backupdr.managementServers.assignBackupPlans
backupdr.managementServers.createDynamicProtection
backupdr.managementServers.deleteDynamicProtection
backupdr.managementServers.get
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.list
backupdr.managementServers.listDynamicProtection
backupdr.managementServers.manageApplications
backupdr.managementServers.manageBackups
backupdr.managementServers.manageHosts
backupdr.managementServers.viewBackupPlans
backupdr.managementServers.viewReports
backupdr.managementServers.viewStorage
backupdr.managementServers.viewSystem
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR Backup Vault Accessor
(roles/backupdr.backupvaultAccessor)
Allows the Backup Appliance permissions to create and manage backups in a backup vault.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.delete
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvbackups.update
backupdr.bvdataSources.*
backupdr.operations.*
Backup and DR Backup Vault Admin
(roles/backupdr.backupvaultAdmin)
Allows the Backup Appliance full administrative control of backup vault resources.
backupdr.backupVaults.*
backupdr.bvbackups.*
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.bvdataSources.update
backupdr.compute.restoreFromBackupVault
backupdr.locations.*
backupdr.operations.*
Backup and DR Backup Vault Lister
(roles/backupdr.backupvaultLister)
Allows the Backup Appliance permission to list backup vaults in a given project.
backupdr.backupVaults.list
Backup and DR Backup Vault Viewer
(roles/backupdr.backupvaultViewer)
Allows read-only permissions to access backup vault resources and backups.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.operations.get
backupdr.operations.list
Backup and DR Cloud Storage Operator
(roles/backupdr.cloudStorageOperator)
Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
Backup and DR Compute Engine Operator
(roles/backupdr.computeEngineOperator)
Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.
backupdr.managementServers.createConnection
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.firewalls.list
compute.globalOperations.get
compute.images.create
compute.images.delete
compute.images.get
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.pscInterfaceCreate
compute.instances.setDeletionProtection
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.updateDisplayDevice
compute.instances.useReadOnly
compute.machineTypes.*
compute.networks.list
compute.nodeGroups.get
compute.nodeGroups.list
compute.nodeTemplates.get
compute.projects.get
compute.regionOperations.get
compute.regions.*
compute.resourcePolicies.use
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zones.list
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR Management Server Accessor
Beta
(roles/backupdr.managementServerAccessor)
Grants the Backup and DR management server access role to Backup Appliances.
backupdr.managementServers.createConnection
Backup and DR Mount User
(roles/backupdr.mountUser)
Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.
backupdr.locations.*
backupdr.managementServers.access
backupdr.managementServers.get
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.list
backupdr.managementServers.listDynamicProtection
backupdr.managementServers.manageApplications
backupdr.managementServers.manageClones
backupdr.managementServers.manageHosts
backupdr.managementServers.manageLiveClones
backupdr.managementServers.manageMirroring
backupdr.managementServers.manageMounts
backupdr.managementServers.manageWorkflows
backupdr.managementServers.refreshWorkflows
backupdr.managementServers.runWorkflows
backupdr.managementServers.viewBackupPlans
backupdr.managementServers.viewReports
backupdr.managementServers.viewStorage
backupdr.managementServers.viewSystem
backupdr.managementServers.viewWorkflows
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR Restore User
(roles/backupdr.restoreUser)
Allows the user to restore or mount from a backup. This role cannot create a backup plan.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvbackups.restore
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.compute.restoreFromBackupVault
backupdr.locations.*
backupdr.managementServers.access
backupdr.managementServers.get
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.list
backupdr.managementServers.listDynamicProtection
backupdr.managementServers.manageApplications
backupdr.managementServers.manageClones
backupdr.managementServers.manageHosts
backupdr.managementServers.manageLiveClones
backupdr.managementServers.manageMigrations
backupdr.managementServers.manageMirroring
backupdr.managementServers.manageMounts
backupdr.managementServers.manageRestores
backupdr.managementServers.manageWorkflows
backupdr.managementServers.refreshWorkflows
backupdr.managementServers.runWorkflows
backupdr.managementServers.testFailOvers
backupdr.managementServers.viewBackupPlans
backupdr.managementServers.viewReports
backupdr.managementServers.viewStorage
backupdr.managementServers.viewSystem
backupdr.managementServers.viewWorkflows
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR User
(roles/backupdr.user)
Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.managementServers.access
backupdr.managementServers.backupAccess
backupdr.managementServers.get
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.getIamPolicy
backupdr.managementServers.list
backupdr.managementServers.listDynamicProtection
backupdr.managementServers.viewBackupPlans
backupdr.managementServers.viewBackupServers
backupdr.managementServers.viewReports
backupdr.managementServers.viewStorage
backupdr.managementServers.viewSystem
backupdr.managementServers.viewWorkflows
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR User V2
(roles/backupdr.userv2)
Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.
backupdr.backupPlanAssociations.*
backupdr.backupPlans.*
backupdr.backupVaults.associate
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvbackups.restore
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.compute.restoreFromBackupVault
backupdr.locations.*
backupdr.managementServers.access
backupdr.managementServers.assignBackupPlans
backupdr.managementServers.backupAccess
backupdr.managementServers.createDynamicProtection
backupdr.managementServers.deleteDynamicProtection
backupdr.managementServers.get
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.getIamPolicy
backupdr.managementServers.list
backupdr.managementServers.listDynamicProtection
backupdr.managementServers.manageApplications
backupdr.managementServers.manageBackupPlans
backupdr.managementServers.manageBackups
backupdr.managementServers.manageClones
backupdr.managementServers.manageHosts
backupdr.managementServers.manageJobs
backupdr.managementServers.manageLiveClones
backupdr.managementServers.manageMigrations
backupdr.managementServers.manageMirroring
backupdr.managementServers.manageMounts
backupdr.managementServers.manageRestores
backupdr.managementServers.manageWorkflows
backupdr.managementServers.refreshWorkflows
backupdr.managementServers.runWorkflows
backupdr.managementServers.testFailOvers
backupdr.managementServers.viewBackupPlans
backupdr.managementServers.viewBackupServers
backupdr.managementServers.viewReports
backupdr.managementServers.viewStorage
backupdr.managementServers.viewSystem
backupdr.managementServers.viewWorkflows
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR Viewer
(roles/backupdr.viewer)
Provides read-only access to all Backup and DR resources.
backupdr.backupPlanAssociations.get
backupdr.backupPlanAssociations.list
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.locations.*
backupdr.managementServers.access
backupdr.managementServers.backupAccess
backupdr.managementServers.get
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.getIamPolicy
backupdr.managementServers.list
backupdr.managementServers.listDynamicProtection
backupdr.managementServers.viewBackupPlans
backupdr.managementServers.viewBackupServers
backupdr.managementServers.viewReports
backupdr.managementServers.viewStorage
backupdr.managementServers.viewSystem
backupdr.managementServers.viewWorkflows
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE roles
Permissions
Backup for GKE Admin
(roles/gkebackup.admin)
Full access to all Backup for GKE resources.
gkebackup.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Backup Admin
(roles/gkebackup.backupAdmin)
Allows administrators to manage all BackupPlan and Backup resources.
gkebackup.backupPlans.*
gkebackup.backups.*
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.volumeBackups.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Delegated Backup Admin
(roles/gkebackup.delegatedBackupAdmin)
Allows administrators to manage Backup resources for specific BackupPlans
gkebackup.backupPlans.get
gkebackup.backups.*
gkebackup.volumeBackups.*
Backup for GKE Delegated Restore Admin
(roles/gkebackup.delegatedRestoreAdmin)
Allows administrators to manage Restore resources for specific RestorePlans
gkebackup.restorePlans.get
gkebackup.restores.*
gkebackup.volumeRestores.*
Backup for GKE Restore Admin
(roles/gkebackup.restoreAdmin)
Allows administrators to manage all RestorePlan and Restore resources.
gkebackup.backupPlans.get
gkebackup.backupPlans.list
gkebackup.backups.get
gkebackup.backups.getBackupIndex
gkebackup.backups.list
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.restorePlans.*
gkebackup.restores.*
gkebackup.volumeBackups.*
gkebackup.volumeRestores.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Viewer
(roles/gkebackup.viewer)
Read-only access to all Backup for GKE resources.
gkebackup.backupPlans.get
gkebackup.backupPlans.getIamPolicy
gkebackup.backupPlans.list
gkebackup.backups.get
gkebackup.backups.getBackupIndex
gkebackup.backups.list
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.restorePlans.get
gkebackup.restorePlans.getIamPolicy
gkebackup.restorePlans.list
gkebackup.restores.get
gkebackup.restores.list
gkebackup.volumeBackups.*
gkebackup.volumeRestores.*
resourcemanager.projects.get
resourcemanager.projects.list
Permissions
(roles/baremetalsolution.admin)
Administrator of Bare Metal Solution resources
baremetalsolution.instancequotas.list
baremetalsolution.instances.*
baremetalsolution.luns.*
baremetalsolution.maintenanceevents.*
baremetalsolution.networkquotas.list
baremetalsolution.networks.*
baremetalsolution.nfsshares.*
baremetalsolution.operations.get
baremetalsolution.osimages.list
baremetalsolution.pods.list
baremetalsolution.procurements.get
baremetalsolution.procurements.list
baremetalsolution.skus.list
baremetalsolution.snapshotschedulepolicies.*
baremetalsolution.sshKeys.*
baremetalsolution.storageaggregatepools.list
baremetalsolution.volumequotas.list
baremetalsolution.volumes.*
baremetalsolution.volumesnapshots.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/baremetalsolution.editor)
Editor of Bare Metal Solution resources
baremetalsolution.instancequotas.list
baremetalsolution.instances.*
baremetalsolution.luns.*
baremetalsolution.maintenanceevents.*
baremetalsolution.networkquotas.list
baremetalsolution.networks.*
baremetalsolution.nfsshares.*
baremetalsolution.operations.get
baremetalsolution.osimages.list
baremetalsolution.pods.list
baremetalsolution.procurements.get
baremetalsolution.procurements.list
baremetalsolution.skus.list
baremetalsolution.snapshotschedulepolicies.*
baremetalsolution.sshKeys.*
baremetalsolution.storageaggregatepools.list
baremetalsolution.volumequotas.list
baremetalsolution.volumes.*
baremetalsolution.volumesnapshots.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/baremetalsolution.instancesadmin)
Admin of Bare Metal Solution Instance resources
baremetalsolution.instances.*
baremetalsolution.operations.get
baremetalsolution.osimages.list
baremetalsolution.pods.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/baremetalsolution.instancesviewer)
Viewer of Bare Metal Solution Instance resources
baremetalsolution.instancequotas.list
baremetalsolution.instances.get
baremetalsolution.instances.list
baremetalsolution.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
(roles/baremetalsolution.lunsadmin)
Administrator of Bare Metal Solution Lun resources
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.operations.get
(roles/baremetalsolution.lunsviewer)
Viewer of Bare Metal Solution Lun resources
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.operations.get
Maintenance Events Admin
(roles/baremetalsolution.maintenanceeventsadmin)
Administrator of Bare Metal Solution maintenance events resources
baremetalsolution.maintenanceevents.*
Maintenance Events Editor
(roles/baremetalsolution.maintenanceeventseditor)
Editor of Bare Metal Solution maintenance events resources
baremetalsolution.maintenanceevents.*
Maintenance Events Viewer
(roles/baremetalsolution.maintenanceeventsviewer)
Viewer of Bare Metal Solution maintenance events resources
baremetalsolution.maintenanceevents.get
baremetalsolution.maintenanceevents.list
(roles/baremetalsolution.networksadmin)
Admin of Bare Metal Solution networks resources
baremetalsolution.networkquotas.list
baremetalsolution.networks.*
baremetalsolution.operations.get
baremetalsolution.pods.list
(roles/baremetalsolution.nfssharesadmin)
Administrator of Bare Metal Solution NFS Share resources
baremetalsolution.nfsshares.*
baremetalsolution.operations.get
baremetalsolution.pods.list
(roles/baremetalsolution.nfsshareseditor)
Editor of Bare Metal Solution NFS Share resources
baremetalsolution.nfsshares.*
baremetalsolution.operations.get
baremetalsolution.pods.list
(roles/baremetalsolution.nfssharesviewer)
Viewer of Bare Metal Solution NFS Share resources
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.operations.get
(roles/baremetalsolution.osimagesviewer)
Viewer of Bare Metal Solution OS images resources
baremetalsolution.osimages.list
(roles/baremetalsolution.procurementsadmin)
Administrator of Bare Metal Solution Procurements
baremetalsolution.pods.list
baremetalsolution.procurements.*
baremetalsolution.skus.list
(roles/baremetalsolution.procurementseditor)
Editor of Bare Metal Solution Procurements
baremetalsolution.pods.list
baremetalsolution.procurements.*
baremetalsolution.skus.list
(roles/baremetalsolution.procurementsviewer)
Viewer of Bare Metal Solution Procurements
baremetalsolution.procurements.get
baremetalsolution.procurements.list
baremetalsolution.skus.list
(roles/baremetalsolution.storageadmin)
Administrator of Bare Metal Solution storage resources
baremetalsolution.luns.*
baremetalsolution.nfsshares.*
baremetalsolution.operations.get
baremetalsolution.pods.list
baremetalsolution.snapshotschedulepolicies.*
baremetalsolution.storageaggregatepools.list
baremetalsolution.volumequotas.list
baremetalsolution.volumes.*
baremetalsolution.volumesnapshots.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/baremetalsolution.viewer)
Viewer of Bare Metal Solution resources
baremetalsolution.instancequotas.list
baremetalsolution.instances.get
baremetalsolution.instances.list
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.maintenanceevents.get
baremetalsolution.maintenanceevents.list
baremetalsolution.networkquotas.list
baremetalsolution.networks.get
baremetalsolution.networks.list
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.operations.get
baremetalsolution.osimages.list
baremetalsolution.pods.list
baremetalsolution.procurements.get
baremetalsolution.procurements.list
baremetalsolution.skus.list
baremetalsolution.snapshotschedulepolicies.get
baremetalsolution.snapshotschedulepolicies.list
baremetalsolution.sshKeys.list
baremetalsolution.storageaggregatepools.list
baremetalsolution.volumequotas.list
baremetalsolution.volumes.get
baremetalsolution.volumes.list
baremetalsolution.volumesnapshots.get
baremetalsolution.volumesnapshots.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/baremetalsolution.volumesadmin)
Administrator of Bare Metal Solution volume resources
baremetalsolution.operations.get
baremetalsolution.pods.list
baremetalsolution.volumes.*
(roles/baremetalsolution.volumeseditor)
Editor of Bare Metal Solution volumes resources
baremetalsolution.operations.get
baremetalsolution.pods.list
baremetalsolution.volumequotas.list
baremetalsolution.volumes.create
baremetalsolution.volumes.delete
baremetalsolution.volumes.get
baremetalsolution.volumes.list
baremetalsolution.volumes.rename
baremetalsolution.volumes.resize
baremetalsolution.volumes.update
(roles/baremetalsolution.volumesnapshotsadmin)
Administrator of Bare Metal Solution snapshots resources
baremetalsolution.operations.get
baremetalsolution.volumesnapshots.*
(roles/baremetalsolution.volumesnapshotseditor)
Editor of Bare Metal Solution snapshots resources
baremetalsolution.operations.get
baremetalsolution.volumesnapshots.create
baremetalsolution.volumesnapshots.delete
baremetalsolution.volumesnapshots.get
baremetalsolution.volumesnapshots.list
(roles/baremetalsolution.volumesnapshotsviewer)
Viewer of Bare Metal Solution snapshots resources
baremetalsolution.operations.get
baremetalsolution.volumesnapshots.get
baremetalsolution.volumesnapshots.list
(roles/baremetalsolution.volumessviewer)
Viewer of Bare Metal Solution volumes resources
baremetalsolution.operations.get
baremetalsolution.volumes.get
baremetalsolution.volumes.list
BeyondCorp roles
Permissions
Cloud BeyondCorp Admin
Beta
(roles/beyondcorp.admin)
Full access to all Cloud BeyondCorp resources.
beyondcorp.appConnections.*
beyondcorp.appConnectors.*
beyondcorp.appGateways.*
beyondcorp.clientConnectorServices.create
beyondcorp.clientConnectorServices.delete
beyondcorp.clientConnectorServices.get
beyondcorp.clientConnectorServices.getIamPolicy
beyondcorp.clientConnectorServices.list
beyondcorp.clientConnectorServices.setIamPolicy
beyondcorp.clientConnectorServices.update
beyondcorp.clientGateways.*
beyondcorp.locations.*
beyondcorp.operations.*
beyondcorp.subscriptions.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud BeyondCorp Client Connector Admin
Beta
(roles/beyondcorp.clientConnectorAdmin)
Full access to all BeyondCorp Client Connector resources.
beyondcorp.clientConnectorServices.create
beyondcorp.clientConnectorServices.delete
beyondcorp.clientConnectorServices.get
beyondcorp.clientConnectorServices.getIamPolicy
beyondcorp.clientConnectorServices.list
beyondcorp.clientConnectorServices.setIamPolicy
beyondcorp.clientConnectorServices.update
beyondcorp.clientGateways.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud BeyondCorp Client Connector Service User
Beta
(roles/beyondcorp.clientConnectorServiceUser)
Access Client Connector Service
beyondcorp.clientConnectorServices.access
Cloud BeyondCorp Client Connector Viewer
Beta
(roles/beyondcorp.clientConnectorViewer)
Read-only access to all BeyondCorp Client Connector resources.
beyondcorp.clientConnectorServices.get
beyondcorp.clientConnectorServices.getIamPolicy
beyondcorp.clientConnectorServices.list
beyondcorp.clientGateways.get
beyondcorp.clientGateways.getIamPolicy
beyondcorp.clientGateways.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud BeyondCorp Partner Service Delegate Admin
Beta
(roles/beyondcorp.partnerServiceDelegateAdmin)
Delegates access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner.
beyondcorp.operations.*
beyondcorp.partnerTenants.*
beyondcorp.proxyConfigs.*
resourcemanager.organizations.get
Cloud BeyondCorp Partner Service Delegate Viewer
Beta
(roles/beyondcorp.partnerServiceDelegateViewer)
Delegates read-only access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner.
beyondcorp.partnerTenants.get
beyondcorp.partnerTenants.list
beyondcorp.proxyConfigs.get
beyondcorp.proxyConfigs.list
resourcemanager.organizations.get
Cloud BeyondCorp Subscription Admin
Beta
(roles/beyondcorp.subscriptionAdmin)
Full access to all BeyondCorp Subscription resources.
beyondcorp.subscriptions.*
resourcemanager.organizations.get
Cloud BeyondCorp Subscription Viewer
Beta
(roles/beyondcorp.subscriptionViewer)
Read-only access to all BeyondCorp Subscription resources.
beyondcorp.subscriptions.get
beyondcorp.subscriptions.list
resourcemanager.organizations.get
Cloud BeyondCorp Viewer
Beta
(roles/beyondcorp.viewer)
Read-only access to all Cloud BeyondCorp resources.
beyondcorp.appConnections.get
beyondcorp.appConnections.getIamPolicy
beyondcorp.appConnections.list
beyondcorp.appConnectors.get
beyondcorp.appConnectors.getIamPolicy
beyondcorp.appConnectors.list
beyondcorp.appGateways.get
beyondcorp.appGateways.getIamPolicy
beyondcorp.appGateways.list
beyondcorp.clientConnectorServices.get
beyondcorp.clientConnectorServices.getIamPolicy
beyondcorp.clientConnectorServices.list
beyondcorp.clientGateways.get
beyondcorp.clientGateways.getIamPolicy
beyondcorp.clientGateways.list
beyondcorp.locations.*
beyondcorp.operations.get
beyondcorp.operations.list
beyondcorp.subscriptions.get
beyondcorp.subscriptions.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery roles
Permissions
BigQuery Admin
(roles/bigquery.admin)
Provides permissions to manage all resources within the project. Can manage
all data within the project, and can cancel jobs from other users running
within the project.
Lowest-level resources where you can grant this role:
Datasets
Row access policies
Tables
Views
bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.config.*
bigquery.connections.*
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.jobs.*
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.*
bigquery.reservations.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.overrideTimeTravelRestrictions
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.savedqueries.*
bigquery.tables.*
bigquery.transfers.*
bigquerymigration.translation.translate
dataform.*
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Connection Admin
(roles/bigquery.connectionAdmin)
bigquery.connections.*
BigQuery Connection User
(roles/bigquery.connectionUser)
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.use
BigQuery Data Editor
(roles/bigquery.dataEditor)
When applied to a table or view, this role provides permissions to:
Read and update data and metadata for the table or view.
Delete the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read the dataset's metadata and list tables in the dataset.
Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also
create new datasets.
Lowest-level resources where you can grant this role:
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.models.*
bigquery.routines.*
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.replicateData
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Data Owner
(roles/bigquery.dataOwner)
When applied to a table or view, this role provides permissions to:
Read and update data and metadata for the table or view.
Share the table or view.
Delete the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read, update, and delete the dataset.
Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also
create new datasets.
Lowest-level resources where you can grant this role:
bigquery.config.get
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.models.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.tables.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Data Viewer
(roles/bigquery.dataViewer)
When applied to a table or view, this role provides permissions to:
Read data and metadata from the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to list all of the resources in the
dataset (such as tables, views, snapshots, models, and routines) and to read their data and metadata
with applicable APIs and in queries.
When applied at the project or organization level, this role can also
enumerate all datasets in the project. Additional roles, however, are
necessary to allow the running of jobs.
Lowest-level resources where you can grant this role:
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.createSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.replicateData
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Filtered Data Viewer
(roles/bigquery.filteredDataViewer)
Access to view filtered table data defined by a row access policy
bigquery.rowAccessPolicies.getFilteredData
BigQuery Job User
(roles/bigquery.jobUser)
Provides permissions to run jobs, including queries, within the project.
Lowest-level resources where you can grant this role:
bigquery.config.get
bigquery.jobs.create
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/bigquery.metadataViewer)
When applied to a table or view, this role provides permissions to:
Read metadata from the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
List tables and views in the dataset.
Read metadata from the dataset's tables and views.
When applied at the project or organization level, this role provides permissions to:
List all datasets and read metadata for all datasets in the project.
List all tables and views and read metadata for all tables and views
in the project.
Additional roles are necessary to allow the running of jobs.
Lowest-level resources where you can grant this role:
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.get
bigquery.tables.getIamPolicy
bigquery.tables.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Read Session User
(roles/bigquery.readSessionUser)
Provides the ability to create and use read sessions.
Lowest-level resources where you can grant this role:
bigquery.readsessions.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Resource Admin
(roles/bigquery.resourceAdmin)
Administers BigQuery workloads, including slot assignments, commitments, and reservations.
bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.reservationAssignments.*
bigquery.reservations.*
recommender.bigqueryCapacityCommitmentsInsights.*
recommender.bigqueryCapacityCommitmentsRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Resource Editor
(roles/bigquery.resourceEditor)
Manages BigQuery workloads, but is unable to create or modify slot commitments.
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.reservationAssignments.*
bigquery.reservations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Resource Viewer
(roles/bigquery.resourceViewer)
Can view BigQuery workloads, but cannot create or modify slot reservations or commitments.
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.listFailoverDatasets
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Studio Admin
(roles/bigquery.studioAdmin)
Combination role of BigQuery Admin, Dataform Admin, Notebook Runtime Admin and Dataproc Serverless Editor.
aiplatform.notebookRuntimeTemplates.*
aiplatform.notebookRuntimes.*
aiplatform.operations.list
bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.config.*
bigquery.connections.*
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.jobs.*
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.*
bigquery.reservations.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.overrideTimeTravelRestrictions
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.savedqueries.*
bigquery.tables.*
bigquery.transfers.*
bigquerymigration.translation.translate
compute.projects.get
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.zones.*
dataform.*
dataplex.projects.search
dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.*
dataproc.sessions.*
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.update
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Studio User
(roles/bigquery.studioUser)
Combination role of BigQuery Job User, BigQuery Read Session User, Dataform Code Creator, Notebook Runtime User and Dataproc Serverless Editor.
aiplatform.notebookRuntimeTemplates.apply
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.getIamPolicy
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimes.assign
aiplatform.notebookRuntimes.get
aiplatform.notebookRuntimes.list
aiplatform.operations.list
bigquery.config.get
bigquery.jobs.create
bigquery.readsessions.*
compute.projects.get
compute.regions.*
compute.zones.*
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
dataplex.projects.search
dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.*
dataproc.sessions.*
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.update
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery User
(roles/bigquery.user)
When applied to a dataset, this role provides the ability to read the dataset's metadata and list
tables in the dataset.
When applied to a project, this role also provides the ability to run jobs, including queries,
within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and
enumerate datasets within a project. Additionally, it allows the creation of new datasets within the
project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner)
on these new datasets.
Lowest-level resources where you can grant this role:
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.jobs.create
bigquery.jobs.list
bigquery.models.list
bigquery.readsessions.*
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.listFailoverDatasets
bigquery.routines.list
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.list
bigquery.transfers.get
bigquerymigration.translation.translate
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Data Policy Admin
(roles/bigquerydatapolicy.admin)
Role for managing Data Policies in BigQuery
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
Masked Reader
(roles/bigquerydatapolicy.maskedReader)
Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns
bigquery.dataPolicies.maskedGet
Raw Data Reader
Beta
(roles/bigquerydatapolicy.rawDataReader)
Raw read access to sub-resources associated with a data policy, for example, BigQuery columns
bigquery.dataPolicies.getRawData
BigQuery Data Policy Viewer
(roles/bigquerydatapolicy.viewer)
Role for viewing Data Policies in BigQuery
bigquery.dataPolicies.get
bigquery.dataPolicies.list
Billing roles
Permissions
Billing Account Administrator
(roles/billing.admin)
Provides access to see and manage all aspects of billing accounts.
Lowest-level resources where you can grant this role:
billing.accounts.close
billing.accounts.get
billing.accounts.getCarbonInformation
billing.accounts.getIamPolicy
billing.accounts.getPaymentInfo
billing.accounts.getPricing
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.accounts.move
billing.accounts.redeemPromotion
billing.accounts.removeFromOrganization
billing.accounts.reopen
billing.accounts.setIamPolicy
billing.accounts.update
billing.accounts.updatePaymentInfo
billing.accounts.updateUsageExportSpec
billing.anomalies.*
billing.anomaliesConfigs.*
billing.billingAccountPrice.get
billing.billingAccountPrices.list
billing.billingAccountServices.*
billing.billingAccountSkuGroupSkus.*
billing.billingAccountSkuGroups.*
billing.billingAccountSkus.*
billing.budgets.*
billing.credits.list
billing.finOpsBenchmarkInformation.get
billing.finOpsHealthInformation.get
billing.resourceAssociations.*
billing.subscriptions.*
cloudasset.assets.searchAllResources
cloudnotifications.activities.list
cloudsupport.properties.get
cloudsupport.techCases.*
commerceoffercatalog.*
compute.commitments.*
consumerprocurement.accounts.*
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.events.*
consumerprocurement.licensePools.*
consumerprocurement.orderAttributions.*
consumerprocurement.orders.*
dataprocessing.datasources.get
dataprocessing.datasources.list
dataprocessing.groupcontrols.get
dataprocessing.groupcontrols.list
logging.logEntries.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.privateLogEntries.list
recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.commitmentUtilizationInsights.*
recommender.computeAddressIdleResourceRecommendations.get
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeDiskIdleResourceRecommendations.get
recommender.computeDiskIdleResourceRecommendations.list
recommender.computeImageIdleResourceRecommendations.get
recommender.computeImageIdleResourceRecommendations.list
recommender.computeInstanceGroupManagerMachineTypeRecommendations.get
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceIdleResourceRecommendations.get
recommender.computeInstanceIdleResourceRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.get
recommender.computeInstanceMachineTypeRecommendations.list
recommender.costInsights.*
recommender.costRecommendations.*
recommender.resourcemanagerProjectUtilizationRecommendations.get
recommender.resourcemanagerProjectUtilizationRecommendations.list
recommender.spendBasedCommitmentInsights.*
recommender.spendBasedCommitmentRecommendations.*
recommender.spendBasedCommitmentRecommenderConfig.*
recommender.usageCommitmentRecommendations.*
resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment
resourcemanager.projects.get
resourcemanager.projects.list
Billing Account Costs Manager
(roles/billing.costsManager)
Manage budgets for a billing account, and view, analyze, and export cost information of a billing
account.
Lowest-level resources where you can grant this role:
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.accounts.updateUsageExportSpec
billing.anomalies.get
billing.anomalies.list
billing.anomaliesConfigs.*
billing.budgets.*
billing.resourceAssociations.list
recommender.costInsights.*
Billing Account Creator
(roles/billing.creator)
Provides access to create billing accounts.
Lowest-level resources where you can grant this role:
billing.accounts.create
resourcemanager.organizations.get
Project Billing Manager
(roles/billing.projectManager)
When granted in conjunction with the Billing Account User role, provides access to assign a
project's billing account or disable its billing.
Lowest-level resources where you can grant this role:
resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment
Billing Account User
(roles/billing.user)
When granted in conjunction with the Project Owner role or Project Billing Manager role, provides
access to associate projects with billing accounts.
Lowest-level resources where you can grant this role:
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
Billing Account Viewer
(roles/billing.viewer)
View billing account cost and pricing information, transactions, and billing and commitment
recommendations.
Lowest-level resources where you can grant this role:
billing.accounts.get
billing.accounts.getCarbonInformation
billing.accounts.getIamPolicy
billing.accounts.getPaymentInfo
billing.accounts.getPricing
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.anomalies.get
billing.anomalies.list
billing.anomaliesConfigs.get
billing.billingAccountPrice.get
billing.billingAccountPrices.list
billing.billingAccountServices.*
billing.billingAccountSkuGroupSkus.*
billing.billingAccountSkuGroups.*
billing.billingAccountSkus.*
billing.budgets.get
billing.budgets.list
billing.credits.list
billing.finOpsBenchmarkInformation.get
billing.finOpsHealthInformation.get
billing.resourceAssociations.list
billing.subscriptions.get
billing.subscriptions.list
commerceoffercatalog.*
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
dataprocessing.datasources.get
dataprocessing.datasources.list
dataprocessing.groupcontrols.get
dataprocessing.groupcontrols.list
recommender.commitmentUtilizationInsights.get
recommender.commitmentUtilizationInsights.list
recommender.costInsights.get
recommender.costInsights.list
recommender.costRecommendations.*
recommender.spendBasedCommitmentInsights.get
recommender.spendBasedCommitmentInsights.list
recommender.spendBasedCommitmentRecommendations.get
recommender.spendBasedCommitmentRecommendations.list
recommender.spendBasedCommitmentRecommenderConfig.get
recommender.usageCommitmentRecommendations.get
recommender.usageCommitmentRecommendations.list
Binary Authorization roles
Permissions
Binary Authorization Attestor Admin
(roles/binaryauthorization.attestorsAdmin)
Administrator of Binary Authorization Attestors
binaryauthorization.attestors.*
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Attestor Editor
(roles/binaryauthorization.attestorsEditor)
Editor of Binary Authorization Attestors
binaryauthorization.attestors.create
binaryauthorization.attestors.delete
binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.update
binaryauthorization.attestors.verifyImageAttested
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Attestor Image Verifier
(roles/binaryauthorization.attestorsVerifier)
Caller of Binary Authorization Attestors VerifyImageAttested
binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.verifyImageAttested
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Attestor Viewer
(roles/binaryauthorization.attestorsViewer)
Viewer of Binary Authorization Attestors
binaryauthorization.attestors.get
binaryauthorization.attestors.list
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Policy Administrator
(roles/binaryauthorization.policyAdmin)
Administrator of Binary Authorization Policy
binaryauthorization.continuousValidationConfig.*
binaryauthorization.platformPolicies.*
binaryauthorization.policy.*
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Policy Editor
(roles/binaryauthorization.policyEditor)
Editor of Binary Authorization Policy
binaryauthorization.continuousValidationConfig.get
binaryauthorization.continuousValidationConfig.update
binaryauthorization.platformPolicies.*
binaryauthorization.policy.evaluatePolicy
binaryauthorization.policy.get
binaryauthorization.policy.update
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Policy Evaluator
(roles/binaryauthorization.policyEvaluator)
Evaluator of Binary Authorization Policy
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.policy.evaluatePolicy
binaryauthorization.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Policy Viewer
(roles/binaryauthorization.policyViewer)
Viewer of Binary Authorization Policy
binaryauthorization.continuousValidationConfig.get
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
CA Service roles
Permissions
CA Service Admin
(roles/privateca.admin)
Full access to all CA Service resources.
privateca.*
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
CA Service Auditor
(roles/privateca.auditor)
Read-only access to all CA Service resources.
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.certificateAuthorities.get
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateRevocationLists.get
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificates.get
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.locations.*
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.get
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
CA Service Operation Manager
(roles/privateca.caManager)
Create and manage CAs, revoke certificates, create certificate templates, and read-only access for CA Service resources.
privateca.caPools.create
privateca.caPools.delete
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.caPools.update
privateca.certificateAuthorities.create
privateca.certificateAuthorities.delete
privateca.certificateAuthorities.get
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateAuthorities.update
privateca.certificateRevocationLists.get
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateRevocationLists.update
privateca.certificateTemplates.create
privateca.certificateTemplates.delete
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificateTemplates.update
privateca.certificates.get
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.certificates.update
privateca.locations.*
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.create
privateca.reusableConfigs.delete
privateca.reusableConfigs.get
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
privateca.reusableConfigs.update
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
CA Service Certificate Manager
(roles/privateca.certificateManager)
Create certificates and read-only access for CA Service resources.
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.certificateAuthorities.get
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateRevocationLists.get
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificates.create
privateca.certificates.get
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.locations.*
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.get
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
CA Service Certificate Requester
(roles/privateca.certificateRequester)
Request certificates from CA Service.
privateca.certificates.create
CA Service Pool Reader
(roles/privateca.poolReader)
Read CA Pools in CA Service.
privateca.caPools.get
CA Service Certificate Template User
(roles/privateca.templateUser)
Read, list and use certificate templates.
privateca.certificateTemplates.get
privateca.certificateTemplates.list
privateca.certificateTemplates.use
CA Service Workload Certificate Requester
(roles/privateca.workloadCertificateRequester)
Request certificates from CA Service with caller's identity.
privateca.certificates.createForSelf
Certificate Manager roles
Permissions
Certificate Manager Editor
(roles/certificatemanager.editor)
Edit access to all Certificate Manager resources.
certificatemanager.certissuanceconfigs.create
certificatemanager.certissuanceconfigs.get
certificatemanager.certissuanceconfigs.list
certificatemanager.certissuanceconfigs.update
certificatemanager.certissuanceconfigs.use
certificatemanager.certmapentries.create
certificatemanager.certmapentries.get
certificatemanager.certmapentries.list
certificatemanager.certmapentries.update
certificatemanager.certmaps.create
certificatemanager.certmaps.get
certificatemanager.certmaps.list
certificatemanager.certmaps.update
certificatemanager.certmaps.use
certificatemanager.certs.create
certificatemanager.certs.get
certificatemanager.certs.list
certificatemanager.certs.update
certificatemanager.certs.use
certificatemanager.dnsauthorizations.create
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.list
certificatemanager.dnsauthorizations.update
certificatemanager.dnsauthorizations.use
certificatemanager.locations.*
certificatemanager.operations.get
certificatemanager.operations.list
certificatemanager.trustconfigs.create
certificatemanager.trustconfigs.get
certificatemanager.trustconfigs.list
certificatemanager.trustconfigs.update
certificatemanager.trustconfigs.use
resourcemanager.projects.get
resourcemanager.projects.list
Certificate Manager Owner
(roles/certificatemanager.owner)
Full access to all Certificate Manager resources.
certificatemanager.*
resourcemanager.projects.get
resourcemanager.projects.list
Certificate Manager Viewer
(roles/certificatemanager.viewer)
Read-only access to all Certificate Manager resources.
certificatemanager.certissuanceconfigs.get
certificatemanager.certissuanceconfigs.list
certificatemanager.certmapentries.get
certificatemanager.certmapentries.list
certificatemanager.certmaps.get
certificatemanager.certmaps.list
certificatemanager.certs.get
certificatemanager.certs.list
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.list
certificatemanager.locations.*
certificatemanager.operations.get
certificatemanager.operations.list
certificatemanager.trustconfigs.get
certificatemanager.trustconfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
Chat roles
Permissions
Chat Apps Owner
(roles/chat.owner)
Can view and modify app configurations
chat.*
Chat Apps Viewer
(roles/chat.reader)
Can view app configurations
chat.bots.get
Chronicle API roles
Permissions
Chronicle API Admin
(roles/chronicle.admin)
Full access to the Chronicle API services, including global settings.
chronicle.ais.*
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.bigQueryAccess.provide
chronicle.cases.countPriorities
chronicle.collectors.*
chronicle.conversations.*
chronicle.curatedRuleSetCategories.*
chronicle.curatedRuleSetDeployments.*
chronicle.curatedRuleSets.*
chronicle.curatedRules.*
chronicle.dashboardCharts.*
chronicle.dashboardQueries.*
chronicle.dashboards.*
chronicle.dataAccessLabels.*
chronicle.dataAccessScopes.*
chronicle.dataExports.*
chronicle.dataTableOperationErrors.get
chronicle.dataTableRows.*
chronicle.dataTables.*
chronicle.dataTaps.*
chronicle.enrichmentControls.*
chronicle.entities.*
chronicle.entityRiskScores.queryEntityRiskScores
chronicle.errorNotificationConfigs.*
chronicle.events.*
chronicle.extensionValidationReports.*
chronicle.feedServiceAccounts.fetch
chronicle.feedSourceTypeSchemas.list
chronicle.feeds.*
chronicle.findingsGraphs.*
chronicle.findingsRefinementDeployments.*
chronicle.findingsRefinements.*
chronicle.forwarders.*
chronicle.globalDataAccessScopes.permit
chronicle.ingestionLogLabels.*
chronicle.ingestionLogNamespaces.*
chronicle.instances.generateCollectionAgentAuth
chronicle.instances.generateSoarAuthJwt
chronicle.instances.generateWorkspaceConnectionToken
chronicle.instances.get
chronicle.instances.logTypeClassifier
chronicle.instances.report
chronicle.iocMatches.*
chronicle.iocState.*
chronicle.iocs.*
chronicle.legacies.*
chronicle.logTypeSchemas.list
chronicle.logTypes.list
chronicle.logs.*
chronicle.messages.*
chronicle.multitenantDirectories.get
chronicle.nativeDashboards.*
chronicle.operations.*
chronicle.parserExtensions.*
chronicle.parsers.*
chronicle.parsingErrors.list
chronicle.preferenceSets.*
chronicle.referenceLists.*
chronicle.retrohunts.*
chronicle.riskConfigs.*
chronicle.ruleDeployments.*
chronicle.ruleExecutionErrors.list
chronicle.rules.*
chronicle.searchQueries.*
chronicle.validationErrors.list
chronicle.validationReports.get
chronicle.watchlists.*
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle API Editor
(roles/chronicle.editor)
Modify access to Chronicle API resources.
chronicle.ais.*
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.cases.countPriorities
chronicle.collectors.get
chronicle.collectors.list
chronicle.conversations.*
chronicle.curatedRuleSetCategories.*
chronicle.curatedRuleSetDeployments.*
chronicle.curatedRuleSets.*
chronicle.curatedRules.*
chronicle.dashboardCharts.*
chronicle.dashboardQueries.*
chronicle.dashboards.*
chronicle.dataAccessScopes.list
chronicle.dataExports.*
chronicle.dataTableOperationErrors.get
chronicle.dataTableRows.*
chronicle.dataTables.*
chronicle.dataTaps.*
chronicle.enrichmentControls.get
chronicle.enrichmentControls.list
chronicle.entities.*
chronicle.entityRiskScores.queryEntityRiskScores
chronicle.errorNotificationConfigs.get
chronicle.errorNotificationConfigs.list
chronicle.events.*
chronicle.findingsGraphs.*
chronicle.findingsRefinementDeployments.*
chronicle.findingsRefinements.*
chronicle.forwarders.generate
chronicle.forwarders.get
chronicle.forwarders.list
chronicle.globalDataAccessScopes.permit
chronicle.ingestionLogLabels.*
chronicle.ingestionLogNamespaces.*
chronicle.instances.generateCollectionAgentAuth
chronicle.instances.generateSoarAuthJwt
chronicle.instances.get
chronicle.instances.logTypeClassifier
chronicle.instances.report
chronicle.iocMatches.*
chronicle.iocState.*
chronicle.iocs.*
chronicle.legacies.*
chronicle.logTypeSchemas.list
chronicle.logs.*
chronicle.messages.*
chronicle.multitenantDirectories.get
chronicle.nativeDashboards.*
chronicle.operations.*
chronicle.preferenceSets.*
chronicle.referenceLists.*
chronicle.retrohunts.*
chronicle.riskConfigs.*
chronicle.ruleDeployments.*
chronicle.ruleExecutionErrors.list
chronicle.rules.create
chronicle.rules.get
chronicle.rules.list
chronicle.rules.listRevisions
chronicle.rules.update
chronicle.rules.verifyRuleText
chronicle.searchQueries.*
chronicle.watchlists.*
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle API Global Data Access
Beta
(roles/chronicle.globalDataAccess)
Grants global access to data, i.e. all data can be accessed.
chronicle.globalDataAccessScopes.permit
Chronicle API Limited Viewer
(roles/chronicle.limitedViewer)
Grants read-only access to Chronicle API resources, excluding Rules and Retrohunts.
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.cases.countPriorities
chronicle.conversations.get
chronicle.conversations.list
chronicle.dashboardCharts.*
chronicle.dashboardQueries.*
chronicle.dashboards.get
chronicle.dashboards.list
chronicle.dashboards.schedule
chronicle.dataAccessScopes.list
chronicle.entities.find
chronicle.entities.findRelatedEntities
chronicle.entities.get
chronicle.entities.queryEntityRiskScoreModifications
chronicle.entities.searchEntities
chronicle.entities.summarize
chronicle.entities.summarizeFromQuery
chronicle.entityRiskScores.queryEntityRiskScores
chronicle.errorNotificationConfigs.get
chronicle.errorNotificationConfigs.list
chronicle.events.batchGet
chronicle.events.findUdmFieldValues
chronicle.events.get
chronicle.events.queryProductSourceStats
chronicle.events.searchRawLogs
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.findingsGraphs.*
chronicle.findingsRefinementDeployments.get
chronicle.findingsRefinementDeployments.list
chronicle.findingsRefinements.computeActivity
chronicle.findingsRefinements.computeAllActivities
chronicle.findingsRefinements.get
chronicle.findingsRefinements.list
chronicle.findingsRefinements.test
chronicle.globalDataAccessScopes.permit
chronicle.ingestionLogLabels.*
chronicle.ingestionLogNamespaces.*
chronicle.instances.get
chronicle.legacies.legacyBatchGetCases
chronicle.legacies.legacyCalculateAlertStats
chronicle.legacies.legacyFetchAlertsView
chronicle.legacies.legacyFetchUdmSearchCsv
chronicle.legacies.legacyFetchUdmSearchView
chronicle.legacies.legacyFindAssetEvents
chronicle.legacies.legacyFindRawLogs
chronicle.legacies.legacyFindUdmEvents
chronicle.legacies.legacyGetAlert
chronicle.legacies.legacyGetFinding
chronicle.legacies.legacySearchArtifactEvents
chronicle.legacies.legacySearchArtifactIoCDetails
chronicle.legacies.legacySearchAssetEvents
chronicle.legacies.legacySearchCustomerStats
chronicle.legacies.legacySearchDomainsRecentlyRegistered
chronicle.legacies.legacySearchDomainsTimingStats
chronicle.legacies.legacySearchEnterpriseWideAlerts
chronicle.legacies.legacySearchEnterpriseWideIoCs
chronicle.legacies.legacySearchFindings
chronicle.legacies.legacySearchIngestionStats
chronicle.legacies.legacySearchIoCInsights
chronicle.legacies.legacySearchRawLogs
chronicle.legacies.legacySearchUserEvents
chronicle.logTypeSchemas.list
chronicle.logs.export
chronicle.logs.get
chronicle.logs.list
chronicle.messages.get
chronicle.messages.list
chronicle.multitenantDirectories.get
chronicle.nativeDashboards.get
chronicle.nativeDashboards.list
chronicle.operations.get
chronicle.operations.list
chronicle.operations.streamSearch
chronicle.operations.wait
chronicle.preferenceSets.*
chronicle.searchQueries.*
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle API Restricted Data Access
Beta
(roles/chronicle.restrictedDataAccess)
Grants access to data controlled by Data Access Scopes. Intended to be refined by IAM Conditions.
chronicle.dataAccessScopes.permit
Chronicle API Restricted Data Access Viewer
Beta
(roles/chronicle.restrictedDataAccessViewer)
Grants read-only access to Chronicle API resources without global data access scope.
chronicle.ais.*
chronicle.dashboardCharts.*
chronicle.dashboardQueries.*
chronicle.dataAccessScopes.list
chronicle.entities.find
chronicle.entities.findRelatedEntities
chronicle.entities.get
chronicle.entities.list
chronicle.entities.searchEntities
chronicle.entities.summarize
chronicle.entities.summarizeFromQuery
chronicle.events.batchGet
chronicle.events.findUdmFieldValues
chronicle.events.get
chronicle.events.queryProductSourceStats
chronicle.events.searchRawLogs
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.findingsGraphs.*
chronicle.instances.generateCollectionAgentAuth
chronicle.instances.generateSoarAuthJwt
chronicle.instances.get
chronicle.instances.report
chronicle.legacies.legacyBatchGetCases
chronicle.legacies.legacyCalculateAlertStats
chronicle.legacies.legacyFetchAlertsView
chronicle.legacies.legacyFetchUdmSearchCsv
chronicle.legacies.legacyFetchUdmSearchView
chronicle.legacies.legacyFindAssetEvents
chronicle.legacies.legacyFindRawLogs
chronicle.legacies.legacyFindUdmEvents
chronicle.legacies.legacyGetAlert
chronicle.legacies.legacyGetFinding
chronicle.legacies.legacyGetRuleCounts
chronicle.legacies.legacyGetRulesTrends
chronicle.legacies.legacyRunTestRule
chronicle.legacies.legacySearchArtifactEvents
chronicle.legacies.legacySearchArtifactIoCDetails
chronicle.legacies.legacySearchAssetEvents
chronicle.legacies.legacySearchCustomerStats
chronicle.legacies.legacySearchDomainsRecentlyRegistered
chronicle.legacies.legacySearchDomainsTimingStats
chronicle.legacies.legacySearchFindings
chronicle.legacies.legacySearchIngestionStats
chronicle.legacies.legacySearchIoCInsights
chronicle.legacies.legacySearchRawLogs
chronicle.legacies.legacySearchRuleDetectionCountBuckets
chronicle.legacies.legacySearchRuleDetectionEvents
chronicle.legacies.legacySearchRuleResults
chronicle.legacies.legacySearchRulesAlerts
chronicle.legacies.legacySearchUserEvents
chronicle.logs.get
chronicle.logs.list
chronicle. multitenantDirectories. get
chronicle.nativeDashboards.get
chronicle. nativeDashboards. list
chronicle.operations.get
chronicle.operations.list
chronicle. operations. streamSearch
chronicle.operations.wait
chronicle.preferenceSets.*
chronicle.referenceLists.get
chronicle.referenceLists.list
chronicle. referenceLists. verifyReferenceList
chronicle.retrohunts.get
chronicle.retrohunts.list
chronicle.ruleDeployments.get
chronicle.ruleDeployments.list
chronicle. ruleExecutionErrors. list
chronicle.rules.get
chronicle.rules.list
chronicle.rules.listRevisions
chronicle.rules.verifyRuleText
chronicle.searchQueries.*
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle SOAR Admin
Beta
(roles/chronicle.soarAdmin)
Grants admin access to Chronicle SOAR.
chronicle.instances.soarAdmin
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudasset.assets.searchEnrichmentResourceOwners
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.attackpaths.list
securitycenter.exposurepathexplan.get
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.simulations.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list
Chronicle SOAR Threat Manager
Beta
(roles/chronicle.soarThreatManager)
Grants threat manager access to Chronicle SOAR.
chronicle.instances.soarThreatManager
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudasset.assets.searchEnrichmentResourceOwners
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.attackpaths.list
securitycenter.exposurepathexplan.get
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.simulations.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list
Chronicle SOAR Vulnerability Manager
Beta
(roles/chronicle.soarVulnerabilityManager)
Grants vulnerability manager access to Chronicle SOAR.
chronicle.instances.soarVulnerabilityManager
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudasset.assets.searchEnrichmentResourceOwners
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.attackpaths.list
securitycenter.exposurepathexplan.get
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.simulations.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list
Chronicle API Viewer
(roles/chronicle.viewer)
Read-only access to the Chronicle API resources.
chronicle.ais.*
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.cases.countPriorities
chronicle.collectors.get
chronicle.collectors.list
chronicle.conversations.get
chronicle.conversations.list
chronicle.curatedRuleSetCategories.*
chronicle.curatedRuleSetDeployments.get
chronicle.curatedRuleSetDeployments.list
chronicle.curatedRuleSets.*
chronicle.curatedRules.*
chronicle.dashboardCharts.*
chronicle.dashboardQueries.*
chronicle.dashboards.get
chronicle.dashboards.list
chronicle.dashboards.schedule
chronicle.dataAccessScopes.list
chronicle.dataExports.fetchLogTypesAvailableForExport
chronicle.dataExports.get
chronicle.dataTableOperationErrors.get
chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTables.get
chronicle.dataTables.list
chronicle.dataTaps.get
chronicle.dataTaps.list
chronicle.enrichmentControls.get
chronicle.enrichmentControls.list
chronicle.entities.find
chronicle.entities.findRelatedEntities
chronicle.entities.get
chronicle.entities.list
chronicle.entities.queryEntityRiskScoreModifications
chronicle.entities.searchEntities
chronicle.entities.summarize
chronicle.entities.summarizeFromQuery
chronicle.entityRiskScores.queryEntityRiskScores
chronicle.errorNotificationConfigs.get
chronicle.errorNotificationConfigs.list
chronicle.events.batchGet
chronicle.events.findUdmFieldValues
chronicle.events.get
chronicle.events.queryProductSourceStats
chronicle.events.searchRawLogs
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.findingsGraphs.*
chronicle.findingsRefinementDeployments.get
chronicle.findingsRefinementDeployments.list
chronicle.findingsRefinements.computeActivity
chronicle.findingsRefinements.computeAllActivities
chronicle.findingsRefinements.get
chronicle.findingsRefinements.list
chronicle.findingsRefinements.test
chronicle.forwarders.generate
chronicle.forwarders.get
chronicle.forwarders.list
chronicle.globalDataAccessScopes.permit
chronicle.ingestionLogLabels.*
chronicle.ingestionLogNamespaces.*
chronicle.instances.generateCollectionAgentAuth
chronicle.instances.generateSoarAuthJwt
chronicle.instances.get
chronicle.instances.logTypeClassifier
chronicle.instances.report
chronicle.iocMatches.*
chronicle.iocState.get
chronicle.iocs.*
chronicle.legacies.legacyBatchGetCases
chronicle.legacies.legacyCalculateAlertStats
chronicle.legacies.legacyFetchAlertsView
chronicle.legacies.legacyFetchUdmSearchCsv
chronicle.legacies.legacyFetchUdmSearchView
chronicle.legacies.legacyFindAssetEvents
chronicle.legacies.legacyFindRawLogs
chronicle.legacies.legacyFindUdmEvents
chronicle.legacies.legacyGetAlert
chronicle.legacies.legacyGetCuratedRulesTrends
chronicle.legacies.legacyGetDetection
chronicle.legacies.legacyGetEventForDetection
chronicle.legacies.legacyGetFinding
chronicle.legacies.legacyGetRuleCounts
chronicle.legacies.legacyGetRulesTrends
chronicle.legacies.legacyRunTestRule
chronicle.legacies.legacySearchArtifactEvents
chronicle.legacies.legacySearchArtifactIoCDetails
chronicle.legacies.legacySearchAssetEvents
chronicle.legacies.legacySearchCuratedDetections
chronicle.legacies.legacySearchCustomerStats
chronicle.legacies.legacySearchDetections
chronicle.legacies.legacySearchDomainsRecentlyRegistered
chronicle.legacies.legacySearchDomainsTimingStats
chronicle.legacies.legacySearchEnterpriseWideAlerts
chronicle.legacies.legacySearchEnterpriseWideIoCs
chronicle.legacies.legacySearchFindings
chronicle.legacies.legacySearchIngestionStats
chronicle.legacies.legacySearchIoCInsights
chronicle.legacies.legacySearchRawLogs
chronicle.legacies.legacySearchRuleDetectionCountBuckets
chronicle.legacies.legacySearchRuleDetectionEvents
chronicle.legacies.legacySearchRuleResults
chronicle.legacies.legacySearchRulesAlerts
chronicle.legacies.legacySearchUserEvents
chronicle.legacies.legacyStreamDetectionAlerts
chronicle.legacies.legacyTestRuleStreaming
chronicle.logTypeSchemas.list
chronicle.logs.export
chronicle.logs.get
chronicle.logs.list
chronicle.messages.get
chronicle.messages.list
chronicle.multitenantDirectories.get
chronicle.nativeDashboards.get
chronicle.nativeDashboards.list
chronicle.operations.get
chronicle.operations.list
chronicle.operations.streamSearch
chronicle.operations.wait
chronicle.preferenceSets.*
chronicle.referenceLists.get
chronicle.referenceLists.list
chronicle.referenceLists.verifyReferenceList
chronicle.retrohunts.get
chronicle.retrohunts.list
chronicle.riskConfigs.get
chronicle.ruleDeployments.get
chronicle.ruleDeployments.list
chronicle.ruleExecutionErrors.list
chronicle.rules.get
chronicle.rules.list
chronicle.rules.listRevisions
chronicle.rules.verifyRuleText
chronicle.searchQueries.*
chronicle.watchlists.get
chronicle.watchlists.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB roles
Permissions
Cloud AlloyDB Admin
Beta
(roles/alloydb.admin)
Full access to all Cloud AlloyDB resources.
alloydb.*
cloudaicompanion.entitlements.get
recommender.alloydbClusterPerformanceInsights.*
recommender.alloydbClusterPerformanceRecommendations.*
recommender.alloydbClusterReliabilityInsights.*
recommender.alloydbClusterReliabilityRecommendations.*
recommender.alloydbInstanceSecurityInsights.*
recommender.alloydbInstanceSecurityRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB Client
Beta
(roles/alloydb.client)
Connectivity access to Cloud AlloyDB instances.
alloydb.clusters.generateClientCertificate
alloydb.clusters.get
alloydb.instances.connect
alloydb.instances.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB Database User
Beta
(roles/alloydb.databaseUser)
Role allowing access to log in as a database user.
alloydb.clusters.get
alloydb.instances.executeSql
alloydb.instances.get
alloydb.users.login
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB Viewer
Beta
(roles/alloydb.viewer)
Read-only access to all Cloud AlloyDB resources.
alloydb.backups.get
alloydb.backups.list
alloydb.backups.listEffectiveTags
alloydb.backups.listTagBindings
alloydb.clusters.export
alloydb.clusters.get
alloydb.clusters.list
alloydb.clusters.listEffectiveTags
alloydb.clusters.listTagBindings
alloydb.databases.list
alloydb.instances.get
alloydb.instances.list
alloydb.locations.*
alloydb.operations.get
alloydb.operations.list
alloydb.supportedDatabaseFlags.*
alloydb.users.get
alloydb.users.list
cloudaicompanion.entitlements.get
recommender.alloydbClusterPerformanceInsights.get
recommender.alloydbClusterPerformanceInsights.list
recommender.alloydbClusterPerformanceRecommendations.get
recommender.alloydbClusterPerformanceRecommendations.list
recommender.alloydbClusterReliabilityInsights.get
recommender.alloydbClusterReliabilityInsights.list
recommender.alloydbClusterReliabilityRecommendations.get
recommender.alloydbClusterReliabilityRecommendations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Asset roles
Permissions
Cloud Asset Owner
(roles/cloudasset.owner)
Full access to cloud assets metadata
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.analyzeMove
cloudasset.assets.analyzeOrgPolicy
cloudasset.assets.exportAccessLevel
cloudasset.assets.exportAccessPolicy
cloudasset.assets.exportAiplatformBatchPredictionJobs
cloudasset.assets.exportAiplatformCustomJobs
cloudasset.assets.exportAiplatformDataLabelingJobs
cloudasset.assets.exportAiplatformDatasets
cloudasset.assets.exportAiplatformEndpoints
cloudasset.assets.exportAiplatformHyperparameterTuningJobs
cloudasset.assets.exportAiplatformMetadataStores
cloudasset.assets.exportAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.exportAiplatformModels
cloudasset.assets.exportAiplatformPipelineJobs
cloudasset.assets.exportAiplatformSpecialistPools
cloudasset.assets.exportAiplatformTrainingPipelines
cloudasset.assets.exportAllAccessPolicy
cloudasset.assets.exportAnthosConnectedCluster
cloudasset.assets.exportAnthosedgeCluster
cloudasset.assets.exportApigatewayApi
cloudasset.assets.exportApigatewayApiConfig
cloudasset.assets.exportApigatewayGateway
cloudasset.assets.exportApikeysKeys
cloudasset.assets.exportAppengineApplications
cloudasset.assets.exportAppengineServices
cloudasset.assets.exportAppengineVersions
cloudasset.assets.exportArtifactregistryDockerImages
cloudasset.assets.exportArtifactregistryRepositories
cloudasset.assets.exportAssuredWorkloadsWorkloads
cloudasset.assets.exportBeyondCorpApiGateways
cloudasset.assets.exportBeyondCorpAppConnections
cloudasset.assets.exportBeyondCorpAppConnectors
cloudasset.assets.exportBeyondCorpAppGateways
cloudasset.assets.exportBeyondCorpClientConnectorServices
cloudasset.assets.exportBeyondCorpClientGateways
cloudasset.assets.exportBigqueryDatasets
cloudasset.assets.exportBigqueryModels
cloudasset.assets.exportBigqueryTables
cloudasset.assets.exportBigtableAppProfile
cloudasset.assets.exportBigtableBackup
cloudasset.assets.exportBigtableCluster
cloudasset.assets.exportBigtableInstance
cloudasset.assets.exportBigtableTable
cloudasset.assets.exportCloudAssetFeeds
cloudasset.assets.exportCloudDeployDeliveryPipelines
cloudasset.assets.exportCloudDeployReleases
cloudasset.assets.exportCloudDeployRollouts
cloudasset.assets.exportCloudDeployTargets
cloudasset.assets.exportCloudDocumentAIEvaluation
cloudasset.assets.exportCloudDocumentAIHumanReviewConfig
cloudasset.assets.exportCloudDocumentAILabelerPool
cloudasset.assets.exportCloudDocumentAIProcessor
cloudasset.assets.exportCloudDocumentAIProcessorVersion
cloudasset.assets.exportCloudbillingBillingAccounts
cloudasset.assets.exportCloudbillingProjectBillingInfos
cloudasset.assets.exportCloudfunctionsFunctions
cloudasset.assets.exportCloudfunctionsGen2Functions
cloudasset.assets.exportCloudkmsCryptoKeyVersions
cloudasset.assets.exportCloudkmsCryptoKeys
cloudasset.assets.exportCloudkmsEkmConnections
cloudasset.assets.exportCloudkmsImportJobs
cloudasset.assets.exportCloudkmsKeyRings
cloudasset.assets.exportCloudmemcacheInstances
cloudasset.assets.exportCloudresourcemanagerFolders
cloudasset.assets.exportCloudresourcemanagerOrganizations
cloudasset.assets.exportCloudresourcemanagerProjects
cloudasset.assets.exportCloudresourcemanagerTagBindings
cloudasset.assets.exportCloudresourcemanagerTagKeys
cloudasset.assets.exportCloudresourcemanagerTagValues
cloudasset.assets.exportComposerEnvironments
cloudasset.assets.exportComputeAddress
cloudasset.assets.exportComputeAutoscalers
cloudasset.assets.exportComputeBackendBuckets
cloudasset.assets.exportComputeBackendServices
cloudasset.assets.exportComputeCommitments
cloudasset.assets.exportComputeDisks
cloudasset.assets.exportComputeExternalVpnGateways
cloudasset.assets.exportComputeFirewallPolicies
cloudasset.assets.exportComputeFirewalls
cloudasset.assets.exportComputeForwardingRules
cloudasset.assets.exportComputeGlobalAddress
cloudasset.assets.exportComputeGlobalForwardingRules
cloudasset.assets.exportComputeHealthChecks
cloudasset.assets.exportComputeHttpHealthChecks
cloudasset.assets.exportComputeHttpsHealthChecks
cloudasset.assets.exportComputeImages
cloudasset.assets.exportComputeInstanceGroupManagers
cloudasset.assets.exportComputeInstanceGroups
cloudasset.assets.exportComputeInstanceTemplates
cloudasset.assets.exportComputeInstances
cloudasset.assets.exportComputeInterconnect
cloudasset.assets.exportComputeInterconnectAttachment
cloudasset.assets.exportComputeLicenses
cloudasset.assets.exportComputeNetworkEndpointGroups
cloudasset.assets.exportComputeNetworks
cloudasset.assets.exportComputeNodeGroups
cloudasset.assets.exportComputeNodeTemplates
cloudasset.assets.exportComputePacketMirrorings
cloudasset.assets.exportComputeProjects
cloudasset.assets.exportComputeRegionAutoscaler
cloudasset.assets.exportComputeRegionBackendServices
cloudasset.assets.exportComputeRegionDisk
cloudasset.assets.exportComputeRegionInstanceGroup
cloudasset.assets.exportComputeRegionInstanceGroupManager
cloudasset.assets.exportComputeReservations
cloudasset.assets.exportComputeResourcePolicies
cloudasset.assets.exportComputeRouters
cloudasset.assets.exportComputeRoutes
cloudasset.assets.exportComputeSecurityPolicy
cloudasset.assets.exportComputeServiceAttachments
cloudasset.assets.exportComputeSnapshots
cloudasset.assets.exportComputeSslCertificates
cloudasset.assets.exportComputeSslPolicies
cloudasset.assets.exportComputeSubnetworks
cloudasset.assets.exportComputeTargetHttpProxies
cloudasset.assets.exportComputeTargetHttpsProxies
cloudasset.assets.exportComputeTargetInstances
cloudasset.assets.exportComputeTargetPools
cloudasset.assets.exportComputeTargetSslProxies
cloudasset.assets.exportComputeTargetTcpProxies
cloudasset.assets.exportComputeTargetVpnGateways
cloudasset.assets.exportComputeUrlMaps
cloudasset.assets.exportComputeVpnGateways
cloudasset.assets.exportComputeVpnTunnels
cloudasset.assets.exportConnectorsConnections
cloudasset.assets.exportConnectorsConnectorVersions
cloudasset.assets.exportConnectorsConnectors
cloudasset.assets.exportConnectorsProviders
cloudasset.assets.exportConnectorsRuntimeConfigs
cloudasset.assets.exportContainerAppsDeployment
cloudasset.assets.exportContainerAppsReplicaSets
cloudasset.assets.exportContainerBatchJobs
cloudasset.assets.exportContainerClusterrole
cloudasset.assets.exportContainerClusterrolebinding
cloudasset.assets.exportContainerClusters
cloudasset.assets.exportContainerExtensionsIngresses
cloudasset.assets.exportContainerJobs
cloudasset.assets.exportContainerNamespace
cloudasset.assets.exportContainerNetworkingIngresses
cloudasset.assets.exportContainerNetworkingNetworkPolicies
cloudasset.assets.exportContainerNode
cloudasset.assets.exportContainerNodepool
cloudasset.assets.exportContainerPod
cloudasset.assets.exportContainerReplicaSets
cloudasset.assets.exportContainerRole
cloudasset.assets.exportContainerRolebinding
cloudasset.assets.exportContainerServices
cloudasset.assets.exportContainerregistryImage
cloudasset.assets.exportDataMigrationConnectionProfiles
cloudasset.assets.exportDataMigrationMigrationJobs
cloudasset.assets.exportDataflowJobs
cloudasset.assets.exportDatafusionInstance
cloudasset.assets.exportDataplexAssets
cloudasset.assets.exportDataplexLakes
cloudasset.assets.exportDataplexTasks
cloudasset.assets.exportDataplexZones
cloudasset.assets.exportDataprocAutoscalingPolicies
cloudasset.assets.exportDataprocBatches
cloudasset.assets.exportDataprocClusters
cloudasset.assets.exportDataprocJobs
cloudasset.assets.exportDataprocSessions
cloudasset.assets.exportDataprocWorkflowTemplates
cloudasset.assets.exportDatastreamConnectionProfile
cloudasset.assets.exportDatastreamPrivateConnection
cloudasset.assets.exportDatastreamStream
cloudasset.assets.exportDialogflowAgents
cloudasset.assets.exportDialogflowConversationProfiles
cloudasset.assets.exportDialogflowKnowledgeBases
cloudasset.assets.exportDialogflowLocationSettings
cloudasset.assets.exportDlpDeidentifyTemplates
cloudasset.assets.exportDlpDlpJobs
cloudasset.assets.exportDlpInspectTemplates
cloudasset.assets.exportDlpJobTriggers
cloudasset.assets.exportDlpStoredInfoTypes
cloudasset.assets.exportDnsManagedZones
cloudasset.assets.exportDnsPolicies
cloudasset.assets.exportDomainsRegistrations
cloudasset.assets.exportEventarcTriggers
cloudasset.assets.exportFileBackups
cloudasset.assets.exportFileInstances
cloudasset.assets.exportFirebaseAppInfos
cloudasset.assets.exportFirebaseProjects
cloudasset.assets.exportFirestoreDatabases
cloudasset.assets.exportGKEHubFeatures
cloudasset.assets.exportGKEHubMemberships
cloudasset.assets.exportGameservicesGameServerClusters
cloudasset.assets.exportGameservicesGameServerConfigs
cloudasset.assets.exportGameservicesGameServerDeployments
cloudasset.assets.exportGameservicesRealms
cloudasset.assets.exportGkeBackupBackupPlans
cloudasset.assets.exportGkeBackupBackups
cloudasset.assets.exportGkeBackupRestorePlans
cloudasset.assets.exportGkeBackupRestores
cloudasset.assets.exportGkeBackupVolumeBackups
cloudasset.assets.exportGkeBackupVolumeRestores
cloudasset.assets.exportHealthcareConsentStores
cloudasset.assets.exportHealthcareDatasets
cloudasset.assets.exportHealthcareDicomStores
cloudasset.assets.exportHealthcareFhirStores
cloudasset.assets.exportHealthcareHl7V2Stores
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportIamRoles
cloudasset.assets.exportIamServiceAccountKeys
cloudasset.assets.exportIamServiceAccounts
cloudasset.assets.exportIapTunnel
cloudasset.assets.exportIapTunnelInstances
cloudasset.assets.exportIapTunnelZones
cloudasset.assets.exportIapWeb
cloudasset.assets.exportIapWebServiceVersion
cloudasset.assets.exportIapWebServices
cloudasset.assets.exportIapWebType
cloudasset.assets.exportIdsEndpoints
cloudasset.assets.exportIntegrationsAuthConfigs
cloudasset.assets.exportIntegrationsCertificates
cloudasset.assets.exportIntegrationsExecutions
cloudasset.assets.exportIntegrationsIntegrationVersions
cloudasset.assets.exportIntegrationsIntegrations
cloudasset.assets.exportIntegrationsSfdcChannels
cloudasset.assets.exportIntegrationsSfdcInstances
cloudasset.assets.exportIntegrationsSuspensions
cloudasset.assets.exportLoggingLogMetrics
cloudasset.assets.exportLoggingLogSinks
cloudasset.assets.exportManagedidentitiesDomain
cloudasset.assets.exportMetastoreBackups
cloudasset.assets.exportMetastoreMetadataImports
cloudasset.assets.exportMetastoreServices
cloudasset.assets.exportMonitoringAlertPolicies
cloudasset.assets.exportNetworkConnectivityHubs
cloudasset.assets.exportNetworkConnectivitySpokes
cloudasset.assets.exportNetworkManagementConnectivityTests
cloudasset.assets.exportNetworkServicesEndpointPolicies
cloudasset.assets.exportNetworkServicesGateways
cloudasset.assets.exportNetworkServicesGrpcRoutes
cloudasset.assets.exportNetworkServicesHttpRoutes
cloudasset.assets.exportNetworkServicesMeshes
cloudasset.assets.exportNetworkServicesServiceBindings
cloudasset.assets.exportNetworkServicesTcpRoutes
cloudasset.assets.exportNetworkServicesTlsRoutes
cloudasset.assets.exportOSConfigOSPolicyAssignmentReports
cloudasset.assets.exportOSConfigOSPolicyAssignments
cloudasset.assets.exportOSConfigVulnerabilityReports
cloudasset.assets.exportOSInventories
cloudasset.assets.exportOrgPolicy
cloudasset.assets.exportPatchDeployments
cloudasset.assets.exportPubsubSnapshots
cloudasset.assets.exportPubsubSubscriptions
cloudasset.assets.exportPubsubTopics
cloudasset.assets.exportRedisInstances
cloudasset.assets.exportResource
cloudasset.assets.exportSecretManagerSecretVersions
cloudasset.assets.exportSecretManagerSecrets
cloudasset.assets.exportServiceDirectoryNamespaces
cloudasset.assets.exportServicePerimeter
cloudasset.assets.exportServiceconsumermanagementConsumerProperty
cloudasset.assets.exportServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.exportServiceconsumermanagementConsumers
cloudasset.assets.exportServiceconsumermanagementProducerOverrides
cloudasset.assets.exportServiceconsumermanagementTenancyUnits
cloudasset.assets.exportServiceconsumermanagementVisibility
cloudasset.assets.exportServicemanagementServices
cloudasset.assets.exportServiceusageAdminOverrides
cloudasset.assets.exportServiceusageConsumerOverrides
cloudasset.assets.exportServiceusageServices
cloudasset.assets.exportSpannerBackups
cloudasset.assets.exportSpannerDatabases
cloudasset.assets.exportSpannerInstances
cloudasset.assets.exportSpeakerIdPhrases
cloudasset.assets.exportSpeakerIdSettings
cloudasset.assets.exportSpeakerIdSpeakers
cloudasset.assets.exportSpeechCustomClasses
cloudasset.assets.exportSpeechPhraseSets
cloudasset.assets.exportSqladminBackupRuns
cloudasset.assets.exportSqladminInstances
cloudasset.assets.exportStorageBuckets
cloudasset.assets.exportTpuNodes
cloudasset.assets.exportVpcaccessConnector
cloudasset.assets.listAccessLevel
cloudasset.assets.listAccessPolicy
cloudasset.assets.listAiplatformBatchPredictionJobs
cloudasset.assets.listAiplatformCustomJobs
cloudasset.assets.listAiplatformDataLabelingJobs
cloudasset.assets.listAiplatformDatasets
cloudasset.assets.listAiplatformEndpoints
cloudasset.assets.listAiplatformHyperparameterTuningJobs
cloudasset.assets.listAiplatformMetadataStores
cloudasset.assets.listAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.listAiplatformModels
cloudasset.assets.listAiplatformPipelineJobs
cloudasset.assets.listAiplatformSpecialistPools
cloudasset.assets.listAiplatformTrainingPipelines
cloudasset.assets.listAllAccessPolicy
cloudasset.assets.listAnthosConnectedCluster
cloudasset.assets.listAnthosedgeCluster
cloudasset.assets.listApigatewayApi
cloudasset.assets.listApigatewayApiConfig
cloudasset.assets.listApigatewayGateway
cloudasset.assets.listApikeysKeys
cloudasset.assets.listAppengineApplications
cloudasset.assets.listAppengineServices
cloudasset.assets.listAppengineVersions
cloudasset.assets.listArtifactregistryDockerImages
cloudasset.assets.listArtifactregistryRepositories
cloudasset.assets.listAssuredWorkloadsWorkloads
cloudasset.assets.listBeyondCorpApiGateways
cloudasset.assets.listBeyondCorpAppConnections
cloudasset.assets.listBeyondCorpAppConnectors
cloudasset.assets.listBeyondCorpAppGateways
cloudasset.assets.listBeyondCorpClientConnectorServices
cloudasset.assets.listBeyondCorpClientGateways
cloudasset.assets.listBigqueryDatasets
cloudasset.assets.listBigqueryModels
cloudasset.assets.listBigqueryTables
cloudasset.assets.listBigtableAppProfile
cloudasset.assets.listBigtableBackup
cloudasset.assets.listBigtableCluster
cloudasset.assets.listBigtableInstance
cloudasset.assets.listBigtableTable
cloudasset.assets.listCloudAssetFeeds
cloudasset.assets.listCloudDeployDeliveryPipelines
cloudasset.assets.listCloudDeployReleases
cloudasset.assets.listCloudDeployRollouts
cloudasset.assets.listCloudDeployTargets
cloudasset.assets.listCloudDocumentAIEvaluation
cloudasset.assets.listCloudDocumentAIHumanReviewConfig
cloudasset.assets.listCloudDocumentAILabelerPool
cloudasset.assets.listCloudDocumentAIProcessor
cloudasset.assets.listCloudDocumentAIProcessorVersion
cloudasset.assets.listCloudbillingBillingAccounts
cloudasset.assets.listCloudbillingProjectBillingInfos
cloudasset.assets.listCloudfunctionsFunctions
cloudasset.assets.listCloudfunctionsGen2Functions
cloudasset.assets.listCloudkmsCryptoKeyVersions
cloudasset.assets.listCloudkmsCryptoKeys
cloudasset.assets.listCloudkmsEkmConnections
cloudasset.assets.listCloudkmsImportJobs
cloudasset.assets.listCloudkmsKeyRings
cloudasset.assets.listCloudmemcacheInstances
cloudasset.assets.listCloudresourcemanagerFolders
cloudasset.assets.listCloudresourcemanagerOrganizations
cloudasset.assets.listCloudresourcemanagerProjects
cloudasset.assets.listCloudresourcemanagerTagBindings
cloudasset.assets.listCloudresourcemanagerTagKeys
cloudasset.assets.listCloudresourcemanagerTagValues
cloudasset.assets.listComposerEnvironments
cloudasset.assets.listComputeAddress
cloudasset.assets.listComputeAutoscalers
cloudasset.assets.listComputeBackendBuckets
cloudasset.assets.listComputeBackendServices
cloudasset.assets.listComputeCommitments
cloudasset.assets.listComputeDisks
cloudasset.assets.listComputeExternalVpnGateways
cloudasset.assets.listComputeFirewallPolicies
cloudasset.assets.listComputeFirewalls
cloudasset.assets.listComputeForwardingRules
cloudasset.assets.listComputeGlobalAddress
cloudasset.assets.listComputeGlobalForwardingRules
cloudasset.assets.listComputeHealthChecks
cloudasset.assets.listComputeHttpHealthChecks
cloudasset.assets.listComputeHttpsHealthChecks
cloudasset.assets.listComputeImages
cloudasset.assets.listComputeInstanceGroupManagers
cloudasset.assets.listComputeInstanceGroups
cloudasset.assets.listComputeInstanceTemplates
cloudasset.assets.listComputeInstances
cloudasset.assets.listComputeInterconnect
cloudasset.assets.listComputeInterconnectAttachment
cloudasset.assets.listComputeLicenses
cloudasset.assets.listComputeNetworkEndpointGroups
cloudasset.assets.listComputeNetworks
cloudasset.assets.listComputeNodeGroups
cloudasset.assets.listComputeNodeTemplates
cloudasset.assets.listComputePacketMirrorings
cloudasset.assets.listComputeProjects
cloudasset.assets.listComputeRegionAutoscaler
cloudasset.assets.listComputeRegionBackendServices
cloudasset.assets.listComputeRegionDisk
cloudasset.assets.listComputeRegionInstanceGroup
cloudasset.assets.listComputeRegionInstanceGroupManager
cloudasset.assets.listComputeReservations
cloudasset.assets.listComputeResourcePolicies
cloudasset.assets.listComputeRouters
cloudasset.assets.listComputeRoutes
cloudasset.assets.listComputeSecurityPolicy
cloudasset.assets.listComputeServiceAttachments
cloudasset.assets.listComputeSnapshots
cloudasset.assets.listComputeSslCertificates
cloudasset.assets.listComputeSslPolicies
cloudasset.assets.listComputeSubnetworks
cloudasset.assets.listComputeTargetHttpProxies
cloudasset.assets.listComputeTargetHttpsProxies
cloudasset.assets.listComputeTargetInstances
cloudasset.assets.listComputeTargetPools
cloudasset.assets.listComputeTargetSslProxies
cloudasset.assets.listComputeTargetTcpProxies
cloudasset.assets.listComputeTargetVpnGateways
cloudasset.assets.listComputeUrlMaps
cloudasset.assets.listComputeVpnGateways
cloudasset.assets.listComputeVpnTunnels
cloudasset.assets.listConnectorsConnections
cloudasset.assets.listConnectorsConnectorVersions
cloudasset.assets.listConnectorsConnectors
cloudasset.assets.listConnectorsProviders
cloudasset.assets.listConnectorsRuntimeConfigs
cloudasset.assets.listContainerAppsDeployment
cloudasset.assets.listContainerAppsReplicaSets
cloudasset.assets.listContainerBatchJobs
cloudasset.assets.listContainerClusterrole
cloudasset.assets.listContainerClusterrolebinding
cloudasset.assets.listContainerClusters
cloudasset.assets.listContainerExtensionsIngresses
cloudasset.assets.listContainerJobs
cloudasset.assets.listContainerNamespace
cloudasset.assets.listContainerNetworkingIngresses
cloudasset.assets.listContainerNetworkingNetworkPolicies
cloudasset.assets.listContainerNode
cloudasset.assets.listContainerNodepool
cloudasset.assets.listContainerPod
cloudasset.assets.listContainerReplicaSets
cloudasset.assets.listContainerRole
cloudasset.assets.listContainerRolebinding
cloudasset.assets.listContainerServices
cloudasset.assets.listContainerregistryImage
cloudasset.assets.listDataMigrationConnectionProfiles
cloudasset.assets.listDataMigrationMigrationJobs
cloudasset.assets.listDataflowJobs
cloudasset.assets.listDatafusionInstance
cloudasset.assets.listDataplexAssets
cloudasset.assets.listDataplexLakes
cloudasset.assets.listDataplexTasks
cloudasset.assets.listDataplexZones
cloudasset.assets.listDataprocAutoscalingPolicies
cloudasset.assets.listDataprocBatches
cloudasset.assets.listDataprocClusters
cloudasset.assets.listDataprocJobs
cloudasset.assets.listDataprocSessions
cloudasset.assets.listDataprocWorkflowTemplates
cloudasset.assets.listDatastreamConnectionProfile
cloudasset.assets.listDatastreamPrivateConnection
cloudasset.assets.listDatastreamStream
cloudasset.assets.listDialogflowAgents
cloudasset.assets.listDialogflowConversationProfiles
cloudasset.assets.listDialogflowKnowledgeBases
cloudasset.assets.listDialogflowLocationSettings
cloudasset.assets.listDlpDeidentifyTemplates
cloudasset.assets.listDlpDlpJobs
cloudasset.assets.listDlpInspectTemplates
cloudasset.assets.listDlpJobTriggers
cloudasset.assets.listDlpStoredInfoTypes
cloudasset.assets.listDnsManagedZones
cloudasset.assets.listDnsPolicies
cloudasset.assets.listDomainsRegistrations
cloudasset.assets.listEventarcTriggers
cloudasset.assets.listFileBackups
cloudasset.assets.listFileInstances
cloudasset.assets.listFirebaseAppInfos
cloudasset.assets.listFirebaseProjects
cloudasset.assets.listFirestoreDatabases
cloudasset.assets.listGKEHubFeatures
cloudasset.assets.listGKEHubMemberships
cloudasset.assets.listGameservicesGameServerClusters
cloudasset.assets.listGameservicesGameServerConfigs
cloudasset.assets.listGameservicesGameServerDeployments
cloudasset.assets.listGameservicesRealms
cloudasset.assets.listGkeBackupBackupPlans
cloudasset.assets.listGkeBackupBackups
cloudasset.assets.listGkeBackupRestorePlans
cloudasset.assets.listGkeBackupRestores
cloudasset.assets.listGkeBackupVolumeBackups
cloudasset.assets.listGkeBackupVolumeRestores
cloudasset.assets.listHealthcareConsentStores
cloudasset.assets.listHealthcareDatasets
cloudasset.assets.listHealthcareDicomStores
cloudasset.assets.listHealthcareFhirStores
cloudasset.assets.listHealthcareHl7V2Stores
cloudasset.assets.listIamPolicy
cloudasset.assets.listIamRoles
cloudasset.assets.listIamServiceAccountKeys
cloudasset.assets.listIamServiceAccounts
cloudasset.assets.listIapTunnel
cloudasset.assets.listIapTunnelInstances
cloudasset.assets.listIapTunnelZones
cloudasset.assets.listIapWeb
cloudasset.assets.listIapWebServiceVersion
cloudasset.assets.listIapWebServices
cloudasset.assets.listIapWebType
cloudasset.assets.listIdsEndpoints
cloudasset.assets.listIntegrationsAuthConfigs
cloudasset.assets.listIntegrationsCertificates
cloudasset. assets. listIntegrationsExecutions
cloudasset. assets. listIntegrationsIntegrationVersions
cloudasset. assets. listIntegrationsIntegrations
cloudasset. assets. listIntegrationsSfdcChannels
cloudasset. assets. listIntegrationsSfdcInstances
cloudasset. assets. listIntegrationsSuspensions
cloudasset. assets. listLoggingLogMetrics
cloudasset. assets. listLoggingLogSinks
cloudasset. assets. listManagedidentitiesDomain
cloudasset. assets. listMetastoreBackups
cloudasset. assets. listMetastoreMetadataImports
cloudasset. assets. listMetastoreServices
cloudasset. assets. listMonitoringAlertPolicies
cloudasset. assets. listNetworkConnectivityHubs
cloudasset. assets. listNetworkConnectivitySpokes
cloudasset. assets. listNetworkManagementConnectivityTests
cloudasset. assets. listNetworkServicesEndpointPolicies
cloudasset. assets. listNetworkServicesGateways
cloudasset. assets. listNetworkServicesGrpcRoutes
cloudasset. assets. listNetworkServicesHttpRoutes
cloudasset. assets. listNetworkServicesMeshes
cloudasset. assets. listNetworkServicesServiceBindings
cloudasset. assets. listNetworkServicesTcpRoutes
cloudasset. assets. listNetworkServicesTlsRoutes
cloudasset. assets. listOSConfigOSPolicyAssignmentReports
cloudasset. assets. listOSConfigOSPolicyAssignments
cloudasset. assets. listOSConfigVulnerabilityReports
cloudasset. assets. listOSInventories
cloudasset. assets. listOrgPolicy
cloudasset. assets. listPatchDeployments
cloudasset. assets. listPubsubSnapshots
cloudasset. assets. listPubsubSubscriptions
cloudasset. assets. listPubsubTopics
cloudasset. assets. listRedisInstances
cloudasset.assets.listResource
cloudasset. assets. listRunDomainMapping
cloudasset. assets. listRunRevision
cloudasset. assets. listRunService
cloudasset. assets. listSecretManagerSecretVersions
cloudasset. assets. listSecretManagerSecrets
cloudasset. assets. listServiceDirectoryNamespaces
cloudasset. assets. listServicePerimeter
cloudasset. assets. listServiceconsumermanagementConsumerProperty
cloudasset. assets. listServiceconsumermanagementConsumerQuotaLimits
cloudasset. assets. listServiceconsumermanagementConsumers
cloudasset. assets. listServiceconsumermanagementProducerOverrides
cloudasset. assets. listServiceconsumermanagementTenancyUnits
cloudasset. assets. listServiceconsumermanagementVisibility
cloudasset. assets. listServicemanagementServices
cloudasset. assets. listServiceusageAdminOverrides
cloudasset. assets. listServiceusageConsumerOverrides
cloudasset. assets. listServiceusageServices
cloudasset. assets. listSpannerBackups
cloudasset. assets. listSpannerDatabases
cloudasset. assets. listSpannerInstances
cloudasset. assets. listSpeakerIdPhrases
cloudasset. assets. listSpeakerIdSettings
cloudasset. assets. listSpeakerIdSpeakers
cloudasset. assets. listSpeechCustomClasses
cloudasset. assets. listSpeechPhraseSets
cloudasset. assets. listSqladminBackupRuns
cloudasset. assets. listSqladminInstances
cloudasset. assets. listStorageBuckets
cloudasset.assets.listTpuNodes
cloudasset. assets. listVpcaccessConnector
cloudasset. assets. queryAccessPolicy
cloudasset. assets. queryIamPolicy
cloudasset. assets. queryOSInventories
cloudasset. assets. queryResource
cloudasset. assets. searchAllIamPolicies
cloudasset. assets. searchAllResources
cloudasset.feeds.*
cloudasset.savedqueries.*
recommender. cloudAssetInsights.*
recommender.locations.*
Cloud Asset Viewer
(roles/cloudasset.viewer)
Read-only access to cloud assets metadata
cloudasset. assets. analyzeIamPolicy
cloudasset.assets.analyzeMove
cloudasset. assets. analyzeOrgPolicy
cloudasset. assets. exportAccessLevel
cloudasset. assets. exportAccessPolicy
cloudasset. assets. exportAiplatformBatchPredictionJobs
cloudasset. assets. exportAiplatformCustomJobs
cloudasset. assets. exportAiplatformDataLabelingJobs
cloudasset. assets. exportAiplatformDatasets
cloudasset. assets. exportAiplatformEndpoints
cloudasset. assets. exportAiplatformHyperparameterTuningJobs
cloudasset. assets. exportAiplatformMetadataStores
cloudasset. assets. exportAiplatformModelDeploymentMonitoringJobs
cloudasset. assets. exportAiplatformModels
cloudasset. assets. exportAiplatformPipelineJobs
cloudasset. assets. exportAiplatformSpecialistPools
cloudasset. assets. exportAiplatformTrainingPipelines
cloudasset. assets. exportAllAccessPolicy
cloudasset. assets. exportAnthosConnectedCluster
cloudasset. assets. exportAnthosedgeCluster
cloudasset. assets. exportApigatewayApi
cloudasset. assets. exportApigatewayApiConfig
cloudasset. assets. exportApigatewayGateway
cloudasset. assets. exportApikeysKeys
cloudasset. assets. exportAppengineApplications
cloudasset. assets. exportAppengineServices
cloudasset. assets. exportAppengineVersions
cloudasset. assets. exportArtifactregistryDockerImages
cloudasset. assets. exportArtifactregistryRepositories
cloudasset. assets. exportAssuredWorkloadsWorkloads
cloudasset. assets. exportBeyondCorpApiGateways
cloudasset. assets. exportBeyondCorpAppConnections
cloudasset. assets. exportBeyondCorpAppConnectors
cloudasset. assets. exportBeyondCorpAppGateways
cloudasset. assets. exportBeyondCorpClientConnectorServices
cloudasset. assets. exportBeyondCorpClientGateways
cloudasset. assets. exportBigqueryDatasets
cloudasset. assets. exportBigqueryModels
cloudasset. assets. exportBigqueryTables
cloudasset. assets. exportBigtableAppProfile
cloudasset. assets. exportBigtableBackup
cloudasset. assets. exportBigtableCluster
cloudasset. assets. exportBigtableInstance
cloudasset. assets. exportBigtableTable
cloudasset. assets. exportCloudAssetFeeds
cloudasset. assets. exportCloudDeployDeliveryPipelines
cloudasset. assets. exportCloudDeployReleases
cloudasset. assets. exportCloudDeployRollouts
cloudasset. assets. exportCloudDeployTargets
cloudasset. assets. exportCloudDocumentAIEvaluation
cloudasset. assets. exportCloudDocumentAIHumanReviewConfig
cloudasset. assets. exportCloudDocumentAILabelerPool
cloudasset. assets. exportCloudDocumentAIProcessor
cloudasset. assets. exportCloudDocumentAIProcessorVersion
cloudasset. assets. exportCloudbillingBillingAccounts
cloudasset. assets. exportCloudbillingProjectBillingInfos
cloudasset. assets. exportCloudfunctionsFunctions
cloudasset. assets. exportCloudfunctionsGen2Functions
cloudasset. assets. exportCloudkmsCryptoKeyVersions
cloudasset. assets. exportCloudkmsCryptoKeys
cloudasset. assets. exportCloudkmsEkmConnections
cloudasset. assets. exportCloudkmsImportJobs
cloudasset. assets. exportCloudkmsKeyRings
cloudasset. assets. exportCloudmemcacheInstances
cloudasset. assets. exportCloudresourcemanagerFolders
cloudasset. assets. exportCloudresourcemanagerOrganizations
cloudasset. assets. exportCloudresourcemanagerProjects
cloudasset. assets. exportCloudresourcemanagerTagBindings
cloudasset. assets. exportCloudresourcemanagerTagKeys
cloudasset. assets. exportCloudresourcemanagerTagValues
cloudasset. assets. exportComposerEnvironments
cloudasset. assets. exportComputeAddress
cloudasset. assets. exportComputeAutoscalers
cloudasset. assets. exportComputeBackendBuckets
cloudasset. assets. exportComputeBackendServices
cloudasset. assets. exportComputeCommitments
cloudasset. assets. exportComputeDisks
cloudasset. assets. exportComputeExternalVpnGateways
cloudasset. assets. exportComputeFirewallPolicies
cloudasset. assets. exportComputeFirewalls
cloudasset. assets. exportComputeForwardingRules
cloudasset. assets. exportComputeGlobalAddress
cloudasset. assets. exportComputeGlobalForwardingRules
cloudasset. assets. exportComputeHealthChecks
cloudasset. assets. exportComputeHttpHealthChecks
cloudasset. assets. exportComputeHttpsHealthChecks
cloudasset. assets. exportComputeImages
cloudasset. assets. exportComputeInstanceGroupManagers
cloudasset. assets. exportComputeInstanceGroups
cloudasset. assets. exportComputeInstanceTemplates
cloudasset. assets. exportComputeInstances
cloudasset. assets. exportComputeInterconnect
cloudasset. assets. exportComputeInterconnectAttachment
cloudasset. assets. exportComputeLicenses
cloudasset. assets. exportComputeNetworkEndpointGroups
cloudasset. assets. exportComputeNetworks
cloudasset. assets. exportComputeNodeGroups
cloudasset. assets. exportComputeNodeTemplates
cloudasset. assets. exportComputePacketMirrorings
cloudasset. assets. exportComputeProjects
cloudasset. assets. exportComputeRegionAutoscaler
cloudasset. assets. exportComputeRegionBackendServices
cloudasset. assets. exportComputeRegionDisk
cloudasset. assets. exportComputeRegionInstanceGroup
cloudasset. assets. exportComputeRegionInstanceGroupManager
cloudasset. assets. exportComputeReservations
cloudasset. assets. exportComputeResourcePolicies
cloudasset. assets. exportComputeRouters
cloudasset. assets. exportComputeRoutes
cloudasset. assets. exportComputeSecurityPolicy
cloudasset. assets. exportComputeServiceAttachments
cloudasset. assets. exportComputeSnapshots
cloudasset. assets. exportComputeSslCertificates
cloudasset. assets. exportComputeSslPolicies
cloudasset. assets. exportComputeSubnetworks
cloudasset. assets. exportComputeTargetHttpProxies
cloudasset. assets. exportComputeTargetHttpsProxies
cloudasset. assets. exportComputeTargetInstances
cloudasset. assets. exportComputeTargetPools
cloudasset. assets. exportComputeTargetSslProxies
cloudasset. assets. exportComputeTargetTcpProxies
cloudasset. assets. exportComputeTargetVpnGateways
cloudasset. assets. exportComputeUrlMaps
cloudasset. assets. exportComputeVpnGateways
cloudasset. assets. exportComputeVpnTunnels
cloudasset. assets. exportConnectorsConnections
cloudasset. assets. exportConnectorsConnectorVersions
cloudasset. assets. exportConnectorsConnectors
cloudasset. assets. exportConnectorsProviders
cloudasset. assets. exportConnectorsRuntimeConfigs
cloudasset. assets. exportContainerAppsDeployment
cloudasset. assets. exportContainerAppsReplicaSets
cloudasset. assets. exportContainerBatchJobs
cloudasset. assets. exportContainerClusterrole
cloudasset. assets. exportContainerClusterrolebinding
cloudasset. assets. exportContainerClusters
cloudasset. assets. exportContainerExtensionsIngresses
cloudasset. assets. exportContainerJobs
cloudasset. assets. exportContainerNamespace
cloudasset. assets. exportContainerNetworkingIngresses
cloudasset. assets. exportContainerNetworkingNetworkPolicies
cloudasset. assets. exportContainerNode
cloudasset. assets. exportContainerNodepool
cloudasset. assets. exportContainerPod
cloudasset. assets. exportContainerReplicaSets
cloudasset. assets. exportContainerRole
cloudasset. assets. exportContainerRolebinding
cloudasset. assets. exportContainerServices
cloudasset. assets. exportContainerregistryImage
cloudasset. assets. exportDataMigrationConnectionProfiles
cloudasset. assets. exportDataMigrationMigrationJobs
cloudasset. assets. exportDataflowJobs
cloudasset. assets. exportDatafusionInstance
cloudasset. assets. exportDataplexAssets
cloudasset. assets. exportDataplexLakes
cloudasset. assets. exportDataplexTasks
cloudasset. assets. exportDataplexZones
cloudasset. assets. exportDataprocAutoscalingPolicies
cloudasset. assets. exportDataprocBatches
cloudasset. assets. exportDataprocClusters
cloudasset. assets. exportDataprocJobs
cloudasset. assets. exportDataprocSessions
cloudasset. assets. exportDataprocWorkflowTemplates
cloudasset. assets. exportDatastreamConnectionProfile
cloudasset. assets. exportDatastreamPrivateConnection
cloudasset. assets. exportDatastreamStream
cloudasset. assets. exportDialogflowAgents
cloudasset. assets. exportDialogflowConversationProfiles
cloudasset. assets. exportDialogflowKnowledgeBases
cloudasset. assets. exportDialogflowLocationSettings
cloudasset. assets. exportDlpDeidentifyTemplates
cloudasset. assets. exportDlpDlpJobs
cloudasset. assets. exportDlpInspectTemplates
cloudasset. assets. exportDlpJobTriggers
cloudasset. assets. exportDlpStoredInfoTypes
cloudasset. assets. exportDnsManagedZones
cloudasset. assets. exportDnsPolicies
cloudasset. assets. exportDomainsRegistrations
cloudasset. assets. exportEventarcTriggers
cloudasset. assets. exportFileBackups
cloudasset. assets. exportFileInstances
cloudasset. assets. exportFirebaseAppInfos
cloudasset. assets. exportFirebaseProjects
cloudasset. assets. exportFirestoreDatabases
cloudasset. assets. exportGKEHubFeatures
cloudasset. assets. exportGKEHubMemberships
cloudasset. assets. exportGameservicesGameServerClusters
cloudasset. assets. exportGameservicesGameServerConfigs
cloudasset. assets. exportGameservicesGameServerDeployments
cloudasset. assets. exportGameservicesRealms
cloudasset. assets. exportGkeBackupBackupPlans
cloudasset. assets. exportGkeBackupBackups
cloudasset. assets. exportGkeBackupRestorePlans
cloudasset. assets. exportGkeBackupRestores
cloudasset. assets. exportGkeBackupVolumeBackups
cloudasset. assets. exportGkeBackupVolumeRestores
cloudasset. assets. exportHealthcareConsentStores
cloudasset. assets. exportHealthcareDatasets
cloudasset. assets. exportHealthcareDicomStores
cloudasset. assets. exportHealthcareFhirStores
cloudasset. assets. exportHealthcareHl7V2Stores
cloudasset. assets. exportIamPolicy
cloudasset. assets. exportIamRoles
cloudasset. assets. exportIamServiceAccountKeys
cloudasset. assets. exportIamServiceAccounts
cloudasset. assets. exportIapTunnel
cloudasset. assets. exportIapTunnelInstances
cloudasset. assets. exportIapTunnelZones
cloudasset.assets.exportIapWeb
cloudasset. assets. exportIapWebServiceVersion
cloudasset. assets. exportIapWebServices
cloudasset. assets. exportIapWebType
cloudasset. assets. exportIdsEndpoints
cloudasset. assets. exportIntegrationsAuthConfigs
cloudasset. assets. exportIntegrationsCertificates
cloudasset. assets. exportIntegrationsExecutions
cloudasset. assets. exportIntegrationsIntegrationVersions
cloudasset. assets. exportIntegrationsIntegrations
cloudasset. assets. exportIntegrationsSfdcChannels
cloudasset. assets. exportIntegrationsSfdcInstances
cloudasset. assets. exportIntegrationsSuspensions
cloudasset. assets. exportLoggingLogMetrics
cloudasset. assets. exportLoggingLogSinks
cloudasset. assets. exportManagedidentitiesDomain
cloudasset. assets. exportMetastoreBackups
cloudasset. assets. exportMetastoreMetadataImports
cloudasset. assets. exportMetastoreServices
cloudasset. assets. exportMonitoringAlertPolicies
cloudasset. assets. exportNetworkConnectivityHubs
cloudasset. assets. exportNetworkConnectivitySpokes
cloudasset. assets. exportNetworkManagementConnectivityTests
cloudasset. assets. exportNetworkServicesEndpointPolicies
cloudasset. assets. exportNetworkServicesGateways
cloudasset. assets. exportNetworkServicesGrpcRoutes
cloudasset. assets. exportNetworkServicesHttpRoutes
cloudasset. assets. exportNetworkServicesMeshes
cloudasset. assets. exportNetworkServicesServiceBindings
cloudasset. assets. exportNetworkServicesTcpRoutes
cloudasset. assets. exportNetworkServicesTlsRoutes
cloudasset. assets. exportOSConfigOSPolicyAssignmentReports
cloudasset. assets. exportOSConfigOSPolicyAssignments
cloudasset. assets. exportOSConfigVulnerabilityReports
cloudasset. assets. exportOSInventories
cloudasset. assets. exportOrgPolicy
cloudasset. assets. exportPatchDeployments
cloudasset. assets. exportPubsubSnapshots
cloudasset. assets. exportPubsubSubscriptions
cloudasset. assets. exportPubsubTopics
cloudasset. assets. exportRedisInstances
cloudasset. assets. exportResource
cloudasset. assets. exportSecretManagerSecretVersions
cloudasset. assets. exportSecretManagerSecrets
cloudasset. assets. exportServiceDirectoryNamespaces
cloudasset. assets. exportServicePerimeter
cloudasset. assets. exportServiceconsumermanagementConsumerProperty
cloudasset. assets. exportServiceconsumermanagementConsumerQuotaLimits
cloudasset. assets. exportServiceconsumermanagementConsumers
cloudasset. assets. exportServiceconsumermanagementProducerOverrides
cloudasset. assets. exportServiceconsumermanagementTenancyUnits
cloudasset. assets. exportServiceconsumermanagementVisibility
cloudasset. assets. exportServicemanagementServices
cloudasset. assets. exportServiceusageAdminOverrides
cloudasset. assets. exportServiceusageConsumerOverrides
cloudasset. assets. exportServiceusageServices
cloudasset. assets. exportSpannerBackups
cloudasset. assets. exportSpannerDatabases
cloudasset. assets. exportSpannerInstances
cloudasset. assets. exportSpeakerIdPhrases
cloudasset. assets. exportSpeakerIdSettings
cloudasset. assets. exportSpeakerIdSpeakers
cloudasset. assets. exportSpeechCustomClasses
cloudasset. assets. exportSpeechPhraseSets
cloudasset. assets. exportSqladminBackupRuns
cloudasset. assets. exportSqladminInstances
cloudasset. assets. exportStorageBuckets
cloudasset. assets. exportTpuNodes
cloudasset. assets. exportVpcaccessConnector
cloudasset. assets. listAccessLevel
cloudasset. assets. listAccessPolicy
cloudasset. assets. listAiplatformBatchPredictionJobs
cloudasset. assets. listAiplatformCustomJobs
cloudasset. assets. listAiplatformDataLabelingJobs
cloudasset. assets. listAiplatformDatasets
cloudasset. assets. listAiplatformEndpoints
cloudasset. assets. listAiplatformHyperparameterTuningJobs
cloudasset. assets. listAiplatformMetadataStores
cloudasset. assets. listAiplatformModelDeploymentMonitoringJobs
cloudasset. assets. listAiplatformModels
cloudasset. assets. listAiplatformPipelineJobs
cloudasset. assets. listAiplatformSpecialistPools
cloudasset. assets. listAiplatformTrainingPipelines
cloudasset. assets. listAllAccessPolicy
cloudasset. assets. listAnthosConnectedCluster
cloudasset. assets. listAnthosedgeCluster
cloudasset. assets. listApigatewayApi
cloudasset. assets. listApigatewayApiConfig
cloudasset. assets. listApigatewayGateway
cloudasset. assets. listApikeysKeys
cloudasset. assets. listAppengineApplications
cloudasset. assets. listAppengineServices
cloudasset. assets. listAppengineVersions
cloudasset. assets. listArtifactregistryDockerImages
cloudasset. assets. listArtifactregistryRepositories
cloudasset. assets. listAssuredWorkloadsWorkloads
cloudasset. assets. listBeyondCorpApiGateways
cloudasset. assets. listBeyondCorpAppConnections
cloudasset. assets. listBeyondCorpAppConnectors
cloudasset. assets. listBeyondCorpAppGateways
cloudasset. assets. listBeyondCorpClientConnectorServices
cloudasset. assets. listBeyondCorpClientGateways
cloudasset. assets. listBigqueryDatasets
cloudasset. assets. listBigqueryModels
cloudasset. assets. listBigqueryTables
cloudasset. assets. listBigtableAppProfile
cloudasset. assets. listBigtableBackup
cloudasset. assets. listBigtableCluster
cloudasset. assets. listBigtableInstance
cloudasset. assets. listBigtableTable
cloudasset. assets. listCloudAssetFeeds
cloudasset. assets. listCloudDeployDeliveryPipelines
cloudasset. assets. listCloudDeployReleases
cloudasset. assets. listCloudDeployRollouts
cloudasset. assets. listCloudDeployTargets
cloudasset. assets. listCloudDocumentAIEvaluation
cloudasset. assets. listCloudDocumentAIHumanReviewConfig
cloudasset. assets. listCloudDocumentAILabelerPool
cloudasset. assets. listCloudDocumentAIProcessor
cloudasset. assets. listCloudDocumentAIProcessorVersion
cloudasset. assets. listCloudbillingBillingAccounts
cloudasset. assets. listCloudbillingProjectBillingInfos
cloudasset. assets. listCloudfunctionsFunctions
cloudasset. assets. listCloudfunctionsGen2Functions
cloudasset. assets. listCloudkmsCryptoKeyVersions
cloudasset. assets. listCloudkmsCryptoKeys
cloudasset. assets. listCloudkmsEkmConnections
cloudasset. assets. listCloudkmsImportJobs
cloudasset. assets. listCloudkmsKeyRings
cloudasset. assets. listCloudmemcacheInstances
cloudasset. assets. listCloudresourcemanagerFolders
cloudasset. assets. listCloudresourcemanagerOrganizations
cloudasset. assets. listCloudresourcemanagerProjects
cloudasset. assets. listCloudresourcemanagerTagBindings
cloudasset. assets. listCloudresourcemanagerTagKeys
cloudasset. assets. listCloudresourcemanagerTagValues
cloudasset. assets. listComposerEnvironments
cloudasset. assets. listComputeAddress
cloudasset. assets. listComputeAutoscalers
cloudasset. assets. listComputeBackendBuckets
cloudasset. assets. listComputeBackendServices
cloudasset. assets. listComputeCommitments
cloudasset. assets. listComputeDisks
cloudasset. assets. listComputeExternalVpnGateways
cloudasset. assets. listComputeFirewallPolicies
cloudasset. assets. listComputeFirewalls
cloudasset. assets. listComputeForwardingRules
cloudasset. assets. listComputeGlobalAddress
cloudasset. assets. listComputeGlobalForwardingRules
cloudasset. assets. listComputeHealthChecks
cloudasset. assets. listComputeHttpHealthChecks
cloudasset. assets. listComputeHttpsHealthChecks
cloudasset. assets. listComputeImages
cloudasset. assets. listComputeInstanceGroupManagers
cloudasset. assets. listComputeInstanceGroups
cloudasset. assets. listComputeInstanceTemplates
cloudasset. assets. listComputeInstances
cloudasset. assets. listComputeInterconnect
cloudasset. assets. listComputeInterconnectAttachment
cloudasset. assets. listComputeLicenses
cloudasset. assets. listComputeNetworkEndpointGroups
cloudasset. assets. listComputeNetworks
cloudasset. assets. listComputeNodeGroups
cloudasset. assets. listComputeNodeTemplates
cloudasset. assets. listComputePacketMirrorings
cloudasset. assets. listComputeProjects
cloudasset. assets. listComputeRegionAutoscaler
cloudasset. assets. listComputeRegionBackendServices
cloudasset. assets. listComputeRegionDisk
cloudasset. assets. listComputeRegionInstanceGroup
cloudasset. assets. listComputeRegionInstanceGroupManager
cloudasset. assets. listComputeReservations
cloudasset. assets. listComputeResourcePolicies
cloudasset. assets. listComputeRouters
cloudasset. assets. listComputeRoutes
cloudasset. assets. listComputeSecurityPolicy
cloudasset. assets. listComputeServiceAttachments
cloudasset. assets. listComputeSnapshots
cloudasset. assets. listComputeSslCertificates
cloudasset. assets. listComputeSslPolicies
cloudasset. assets. listComputeSubnetworks
cloudasset. assets. listComputeTargetHttpProxies
cloudasset. assets. listComputeTargetHttpsProxies
cloudasset. assets. listComputeTargetInstances
cloudasset. assets. listComputeTargetPools
cloudasset. assets. listComputeTargetSslProxies
cloudasset. assets. listComputeTargetTcpProxies
cloudasset. assets. listComputeTargetVpnGateways
cloudasset. assets. listComputeUrlMaps
cloudasset. assets. listComputeVpnGateways
cloudasset. assets. listComputeVpnTunnels
cloudasset. assets. listConnectorsConnections
cloudasset. assets. listConnectorsConnectorVersions
cloudasset. assets. listConnectorsConnectors
cloudasset. assets. listConnectorsProviders
cloudasset. assets. listConnectorsRuntimeConfigs
cloudasset. assets. listContainerAppsDeployment
cloudasset. assets. listContainerAppsReplicaSets
cloudasset. assets. listContainerBatchJobs
cloudasset. assets. listContainerClusterrole
cloudasset. assets. listContainerClusterrolebinding
cloudasset. assets. listContainerClusters
cloudasset. assets. listContainerExtensionsIngresses
cloudasset. assets. listContainerJobs
cloudasset. assets. listContainerNamespace
cloudasset. assets. listContainerNetworkingIngresses
cloudasset. assets. listContainerNetworkingNetworkPolicies
cloudasset. assets. listContainerNode
cloudasset. assets. listContainerNodepool
cloudasset. assets. listContainerPod
cloudasset. assets. listContainerReplicaSets
cloudasset. assets. listContainerRole
cloudasset. assets. listContainerRolebinding
cloudasset. assets. listContainerServices
cloudasset. assets. listContainerregistryImage
cloudasset. assets. listDataMigrationConnectionProfiles
cloudasset. assets. listDataMigrationMigrationJobs
cloudasset. assets. listDataflowJobs
cloudasset. assets. listDatafusionInstance
cloudasset. assets. listDataplexAssets
cloudasset. assets. listDataplexLakes
cloudasset. assets. listDataplexTasks
cloudasset. assets. listDataplexZones
cloudasset. assets. listDataprocAutoscalingPolicies
cloudasset. assets. listDataprocBatches
cloudasset. assets. listDataprocClusters
cloudasset. assets. listDataprocJobs
cloudasset. assets. listDataprocSessions
cloudasset. assets. listDataprocWorkflowTemplates
cloudasset. assets. listDatastreamConnectionProfile
cloudasset. assets. listDatastreamPrivateConnection
cloudasset. assets. listDatastreamStream
cloudasset. assets. listDialogflowAgents
cloudasset. assets. listDialogflowConversationProfiles
cloudasset. assets. listDialogflowKnowledgeBases
cloudasset. assets. listDialogflowLocationSettings
cloudasset. assets. listDlpDeidentifyTemplates
cloudasset. assets. listDlpDlpJobs
cloudasset. assets. listDlpInspectTemplates
cloudasset. assets. listDlpJobTriggers
cloudasset. assets. listDlpStoredInfoTypes
cloudasset. assets. listDnsManagedZones
cloudasset. assets. listDnsPolicies
cloudasset. assets. listDomainsRegistrations
cloudasset. assets. listEventarcTriggers
cloudasset. assets. listFileBackups
cloudasset. assets. listFileInstances
cloudasset. assets. listFirebaseAppInfos
cloudasset. assets. listFirebaseProjects
cloudasset. assets. listFirestoreDatabases
cloudasset. assets. listGKEHubFeatures
cloudasset. assets. listGKEHubMemberships
cloudasset. assets. listGameservicesGameServerClusters
cloudasset. assets. listGameservicesGameServerConfigs
cloudasset. assets. listGameservicesGameServerDeployments
cloudasset. assets. listGameservicesRealms
cloudasset. assets. listGkeBackupBackupPlans
cloudasset. assets. listGkeBackupBackups
cloudasset. assets. listGkeBackupRestorePlans
cloudasset. assets. listGkeBackupRestores
cloudasset. assets. listGkeBackupVolumeBackups
cloudasset. assets. listGkeBackupVolumeRestores
cloudasset. assets. listHealthcareConsentStores
cloudasset. assets. listHealthcareDatasets
cloudasset. assets. listHealthcareDicomStores
cloudasset. assets. listHealthcareFhirStores
cloudasset. assets. listHealthcareHl7V2Stores
cloudasset. assets. listIamPolicy
cloudasset.assets.listIamRoles
cloudasset. assets. listIamServiceAccountKeys
cloudasset. assets. listIamServiceAccounts
cloudasset. assets. listIapTunnel
cloudasset. assets. listIapTunnelInstances
cloudasset. assets. listIapTunnelZones
cloudasset.assets.listIapWeb
cloudasset. assets. listIapWebServiceVersion
cloudasset. assets. listIapWebServices
cloudasset. assets. listIapWebType
cloudasset. assets. listIdsEndpoints
cloudasset. assets. listIntegrationsAuthConfigs
cloudasset. assets. listIntegrationsCertificates
cloudasset. assets. listIntegrationsExecutions
cloudasset. assets. listIntegrationsIntegrationVersions
cloudasset. assets. listIntegrationsIntegrations
cloudasset. assets. listIntegrationsSfdcChannels
cloudasset. assets. listIntegrationsSfdcInstances
cloudasset. assets. listIntegrationsSuspensions
cloudasset. assets. listLoggingLogMetrics
cloudasset. assets. listLoggingLogSinks
cloudasset. assets. listManagedidentitiesDomain
cloudasset. assets. listMetastoreBackups
cloudasset. assets. listMetastoreMetadataImports
cloudasset. assets. listMetastoreServices
cloudasset. assets. listMonitoringAlertPolicies
cloudasset. assets. listNetworkConnectivityHubs
cloudasset. assets. listNetworkConnectivitySpokes
cloudasset. assets. listNetworkManagementConnectivityTests
cloudasset. assets. listNetworkServicesEndpointPolicies
cloudasset. assets. listNetworkServicesGateways
cloudasset. assets. listNetworkServicesGrpcRoutes
cloudasset. assets. listNetworkServicesHttpRoutes
cloudasset. assets. listNetworkServicesMeshes
cloudasset. assets. listNetworkServicesServiceBindings
cloudasset. assets. listNetworkServicesTcpRoutes
cloudasset. assets. listNetworkServicesTlsRoutes
cloudasset. assets. listOSConfigOSPolicyAssignmentReports
cloudasset. assets. listOSConfigOSPolicyAssignments
cloudasset. assets. listOSConfigVulnerabilityReports
cloudasset. assets. listOSInventories
cloudasset. assets. listOrgPolicy
cloudasset. assets. listPatchDeployments
cloudasset. assets. listPubsubSnapshots
cloudasset. assets. listPubsubSubscriptions
cloudasset. assets. listPubsubTopics
cloudasset. assets. listRedisInstances
cloudasset.assets.listResource
cloudasset. assets. listRunDomainMapping
cloudasset. assets. listRunRevision
cloudasset. assets. listRunService
cloudasset. assets. listSecretManagerSecretVersions
cloudasset. assets. listSecretManagerSecrets
cloudasset. assets. listServiceDirectoryNamespaces
cloudasset. assets. listServicePerimeter
cloudasset. assets. listServiceconsumermanagementConsumerProperty
cloudasset. assets. listServiceconsumermanagementConsumerQuotaLimits
cloudasset. assets. listServiceconsumermanagementConsumers
cloudasset. assets. listServiceconsumermanagementProducerOverrides
cloudasset. assets. listServiceconsumermanagementTenancyUnits
cloudasset. assets. listServiceconsumermanagementVisibility
cloudasset. assets. listServicemanagementServices
cloudasset. assets. listServiceusageAdminOverrides
cloudasset. assets. listServiceusageConsumerOverrides
cloudasset. assets. listServiceusageServices
cloudasset. assets. listSpannerBackups
cloudasset. assets. listSpannerDatabases
cloudasset. assets. listSpannerInstances
cloudasset. assets. listSpeakerIdPhrases
cloudasset. assets. listSpeakerIdSettings
cloudasset. assets. listSpeakerIdSpeakers
cloudasset. assets. listSpeechCustomClasses
cloudasset. assets. listSpeechPhraseSets
cloudasset. assets. listSqladminBackupRuns
cloudasset. assets. listSqladminInstances
cloudasset. assets. listStorageBuckets
cloudasset.assets.listTpuNodes
cloudasset. assets. listVpcaccessConnector
cloudasset. assets. queryAccessPolicy
cloudasset. assets. queryIamPolicy
cloudasset. assets. queryOSInventories
cloudasset. assets. queryResource
cloudasset. assets. searchAllIamPolicies
cloudasset. assets. searchAllResources
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
Cloud Bigtable roles
Permissions
Bigtable Administrator
(roles/bigtable.admin)
Administers all Bigtable instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators.
Lowest-level resources where you can grant this role:
bigtable.*
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.*
resourcemanager.projects.get
Bigtable Reader
(roles/bigtable.reader)
Provides read-only access to the data stored within Bigtable tables. Intended for
data scientists, dashboard generators, and other data-analysis scenarios.
Lowest-level resources where you can grant this role:
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.authorizedViews.get
bigtable.authorizedViews.list
bigtable.authorizedViews.readRows
bigtable.authorizedViews.sampleRowKeys
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.hotTablets.list
bigtable.instances.executeQuery
bigtable.instances.get
bigtable.instances.list
bigtable.instances.ping
bigtable.keyvisualizer.*
bigtable.locations.list
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.*
resourcemanager.projects.get
Bigtable User
(roles/bigtable.user)
Provides read-write access to the data stored within Bigtable tables. Intended for
application developers or service accounts.
Lowest-level resources where you can grant this role:
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.authorizedViews.get
bigtable.authorizedViews.list
bigtable.authorizedViews.mutateRows
bigtable.authorizedViews.readRows
bigtable.authorizedViews.sampleRowKeys
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.hotTablets.list
bigtable.instances.executeQuery
bigtable.instances.get
bigtable.instances.list
bigtable.instances.ping
bigtable.keyvisualizer.*
bigtable.locations.list
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.mutateRows
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.*
resourcemanager.projects.get
Bigtable Viewer
(roles/bigtable.viewer)
Provides no data access. Intended as a minimal set of permissions to access
the Google Cloud console for Bigtable.
Lowest-level resources where you can grant this role:
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.authorizedViews.get
bigtable.authorizedViews.list
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.hotTablets.list
bigtable.instances.get
bigtable.instances.list
bigtable.instances.listEffectiveTags
bigtable.instances.listTagBindings
bigtable.locations.list
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Cloud Build roles
Permissions
Cloud Build Approver
(roles/cloudbuild.builds.approver)
Can approve or reject pending builds.
cloudbuild.builds.approve
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Service Account
(roles/cloudbuild.builds.builder)
Provides access to perform builds.
artifactregistry.aptartifacts.create
artifactregistry.attachments.create
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.files.update
artifactregistry.files.upload
artifactregistry.kfpartifacts.create
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.packages.update
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.createOnPush
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.repositories.uploadArtifacts
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.yumartifacts.create
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
cloudbuild.workerpools.use
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
logging.logEntries.create
logging.logEntries.list
logging.views.access
pubsub.topics.create
pubsub.topics.publish
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Build Editor
(roles/cloudbuild.builds.editor)
Provides access to create and cancel builds.
Lowest-level resources where you can grant this role:
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Viewer
(roles/cloudbuild.builds.viewer)
Provides access to view builds.
Lowest-level resources where you can grant this role:
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Connection Admin
(roles/cloudbuild.connectionAdmin)
Can manage connections and repositories.
cloudbuild.connections.*
cloudbuild.operations.*
cloudbuild.repositories.create
cloudbuild.repositories.delete
cloudbuild.repositories.fetchGitRefs
cloudbuild.repositories.get
cloudbuild.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Connection Viewer
(roles/cloudbuild.connectionViewer)
Can view and list connections and repositories.
cloudbuild.connections.fetchLinkableRepositories
cloudbuild.connections.get
cloudbuild.connections.getIamPolicy
cloudbuild.connections.list
cloudbuild.repositories.fetchGitRefs
cloudbuild.repositories.get
cloudbuild.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Integrations Editor
(roles/cloudbuild.integrationsEditor)
Can update Integrations
cloudbuild.integrations.get
cloudbuild.integrations.list
cloudbuild.integrations.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Integrations Owner
(roles/cloudbuild.integrationsOwner)
Can create/delete Integrations
cloudbuild.integrations.*
compute.firewalls.create
compute.firewalls.get
compute.firewalls.list
compute.networks.get
compute.networks.updatePolicy
compute.regions.get
compute.subnetworks.get
compute.subnetworks.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Integrations Viewer
(roles/cloudbuild.integrationsViewer)
Can view Integrations
cloudbuild.integrations.get
cloudbuild.integrations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Read Only Token Accessor
(roles/cloudbuild.readTokenAccessor)
Can view the connection and access its read-only token.
cloudbuild.connections.get
cloudbuild.repositories.accessReadToken
cloudbuild.repositories.get
Cloud Build Token Accessor
(roles/cloudbuild.tokenAccessor)
Can view the connection and access its read/write and read-only tokens.
cloudbuild.connections.get
cloudbuild.repositories.accessReadToken
cloudbuild.repositories.accessReadWriteToken
cloudbuild.repositories.get
cloudbuild.repositories.list
Cloud Build WorkerPool Editor
(roles/cloudbuild.workerPoolEditor)
Can update and view WorkerPools
cloudbuild.workerpools.get
cloudbuild.workerpools.list
cloudbuild.workerpools.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build WorkerPool Owner
(roles/cloudbuild.workerPoolOwner)
Can create, delete, update, and view WorkerPools
cloudbuild.workerpools.create
cloudbuild.workerpools.delete
cloudbuild.workerpools.get
cloudbuild.workerpools.list
cloudbuild.workerpools.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build WorkerPool User
(roles/cloudbuild.workerPoolUser)
Can run builds in the WorkerPool
cloudbuild.workerpools.use
Cloud Build WorkerPool Viewer
(roles/cloudbuild.workerPoolViewer)
Can view WorkerPools
cloudbuild.workerpools.get
cloudbuild.workerpools.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Composer roles
Permissions
Cloud Composer v2 API Service Agent Extension
(roles/composer.ServiceAgentV2Ext)
Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.setIamPolicy
Composer Administrator
(roles/composer.admin)
Provides full control of Cloud Composer resources.
Lowest-level resources where you can grant this role:
composer.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Environment and Storage Object Administrator
(roles/composer.environmentAndStorageObjectAdmin)
Provides full control of Cloud Composer resources and of the objects in all project buckets.
Lowest-level resources where you can grant this role:
composer.*
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Environment and Storage Object User
(roles/composer.environmentAndStorageObjectUser)
Read and use access to Cloud Composer resources and read access to Cloud Storage objects.
composer.dags.*
composer.environments.get
composer.environments.list
composer.imageversions.list
composer.operations.get
composer.operations.list
composer.userworkloadsconfigmaps.get
composer.userworkloadsconfigmaps.list
composer.userworkloadssecrets.get
composer.userworkloadssecrets.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
Environment and Storage Object Viewer
(roles/composer.environmentAndStorageObjectViewer)
Provides the permissions necessary to list and get Cloud Composer environments and operations.
Provides read-only access to objects in all project buckets.
Lowest-level resources where you can grant this role:
composer.dags.*
composer.environments.get
composer.environments.list
composer.imageversions.list
composer.operations.get
composer.operations.list
composer.userworkloadsconfigmaps.get
composer.userworkloadsconfigmaps.list
composer.userworkloadssecrets.get
composer.userworkloadssecrets.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
Composer Shared VPC Agent
(roles/composer.sharedVpcAgent)
Role that should be assigned to the Composer Agent service account in the Shared VPC host project.
compute.networkAttachments.create
compute.networkAttachments.delete
compute.networkAttachments.get
compute.networkAttachments.update
compute.networks.access
compute.networks.addPeering
compute.networks.get
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.removePeering
compute.networks.updatePeering
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zones.*
dns.managedZones.get
dns.managedZones.list
dns.networks.targetWithPeeringZone
Composer User
(roles/composer.user)
Provides the permissions necessary to list and get Cloud Composer environments and operations.
Lowest-level resources where you can grant this role:
composer.dags.*
composer.environments.get
composer.environments.list
composer.imageversions.list
composer.operations.get
composer.operations.list
composer.userworkloadsconfigmaps.get
composer.userworkloadsconfigmaps.list
composer.userworkloadssecrets.get
composer.userworkloadssecrets.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Composer Worker
(roles/composer.worker)
Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.
Lowest-level resources where you can grant this role:
artifactregistry.*
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
cloudbuild.workerpools.use
composer.environments.get
container.*
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
datalineage.events.create
datalineage.processes.create
datalineage.processes.get
datalineage.processes.update
datalineage.runs.create
datalineage.runs.get
datalineage.runs.update
logging.logEntries.create
logging.logEntries.list
logging.logEntries.route
logging.views.access
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.*
orgpolicy.policy.get
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
recommender.containerDiagnosisInsights.*
recommender.containerDiagnosisRecommendations.*
recommender.locations.*
recommender.networkAnalyzerGkeConnectivityInsights.*
recommender.networkAnalyzerGkeIpAddressInsights.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Cloud Connectors roles
Permissions
Connector Admin
(roles/connectors.admin)
Full access to all resources of Connectors Service.
connectors.actions.*
connectors.connections.create
connectors.connections.delete
connectors.connections.executeSqlQuery
connectors.connections.generateOpenAPISpec
connectors.connections.get
connectors.connections.getConnectionSchemaMetadata
connectors.connections.getIamPolicy
connectors.connections.getRuntimeActionSchema
connectors.connections.getRuntimeEntitySchema
connectors.connections.list
connectors.connections.setIamPolicy
connectors.connections.update
connectors.connectors.*
connectors.customConnectorVersions.*
connectors.customConnectors.*
connectors.endpointAttachments.*
connectors.entities.*
connectors.entityTypes.list
connectors.eventSubscriptions.*
connectors.eventtypes.*
connectors.locations.*
connectors.managedZones.*
connectors.operations.*
connectors.providers.*
connectors.regionalSettings.*
connectors.runtimeconfig.get
connectors.schemaMetadata.refresh
connectors.settings.*
connectors.versions.*
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.secrets.getIamPolicy
Custom Connectors Admin
(roles/connectors.customConnectorAdmin)
Custom Connector is a global resource which creates a custom connector within the given target project. This role grants Admin access to Custom Connector resources.
connectors.customConnectorVersions.*
connectors.customConnectors.*
connectors.locations.*
Custom Connector Viewer
(roles/connectors.customConnectorViewer)
Custom Connector is a global resource which creates a custom connector within the given target project. This role grants Read-only access to Custom Connector & Custom Connector Version resources.
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.locations.*
Connectors Endpoint Attachment Admin
(roles/connectors.endpointAttachmentAdmin)
Endpoint Attachment is a regional resource which creates a PSC connection endpoint for the given PSC Service Attachment. This role grants Admin access to Connectors Endpoint Attachment resources.
connectors.endpointAttachments.*
connectors.locations.*
Connectors Endpoint Attachment Viewer
(roles/connectors.endpointAttachmentViewer)
Endpoint Attachment is a regional resource which creates a PSC connection endpoint for the given PSC Service Attachment. This role grants Read-only access to Connectors Endpoint Attachment resources.
connectors.endpointAttachments.get
connectors.endpointAttachments.getIamPolicy
connectors.endpointAttachments.list
connectors.locations.*
Connectors Event Subscriptions Admin
(roles/connectors.eventSubscriptionAdmin)
Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Admin access to Connectors Subscription resources.
connectors.eventSubscriptions.*
Connectors Event Subscriptions Viewer
(roles/connectors.eventSubscriptionViewer)
Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Read-only access to Event Subscription resources.
connectors.eventSubscriptions.get
connectors.eventSubscriptions.list
Connector Invoker
(roles/connectors.invoker)
Full access to invoke all operations on Connections.
connectors.actions.*
connectors.connections.executeSqlQuery
connectors.entities.*
connectors.entityTypes.list
Connector Event Listener
(roles/connectors.listener)
Full access to listen to events by connections.
connectors.connections.listenEvent
Connectors Managed Zone Admin
(roles/connectors.managedZoneAdmin)
Managed Zone is a global resource which creates a Cloud DNS Peering Zone with the given target project. This role grants Admin access to Connectors Managed Zone resources.
connectors.locations.*
connectors.managedZones.*
Connectors Managed Zone Viewer
(roles/connectors.managedZoneViewer)
Managed Zone is a global resource which creates a Cloud DNS Peering Zone with the given target project. This role grants Read-only access to Connectors Managed Zone resources.
connectors.locations.*
connectors.managedZones.get
connectors.managedZones.getIamPolicy
connectors.managedZones.list
Connectors Viewer
(roles/connectors.viewer)
Read-only access to all Connectors resources.
connectors.connections.generateOpenAPISpec
connectors.connections.get
connectors.connections.getConnectionSchemaMetadata
connectors.connections.getIamPolicy
connectors.connections.getRuntimeActionSchema
connectors.connections.getRuntimeEntitySchema
connectors.connections.list
connectors.connectors.*
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.endpointAttachments.get
connectors.endpointAttachments.getIamPolicy
connectors.endpointAttachments.list
connectors.eventSubscriptions.get
connectors.eventSubscriptions.list
connectors.eventtypes.*
connectors.locations.*
connectors.managedZones.get
connectors.managedZones.getIamPolicy
connectors.managedZones.list
connectors.operations.get
connectors.operations.list
connectors.providers.*
connectors.regionalSettings.get
connectors.runtimeconfig.get
connectors.settings.get
connectors.versions.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion roles
Permissions
Cloud Data Fusion Accessor
Beta
(roles/datafusion.accessor)
Read-only access to Cloud Data Fusion Instances. Use it at the instance level along with the namespace grants to provide access to the specific namespace.
datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.listEffectiveTags
datafusion.instances.listTagBindings
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Admin
(roles/datafusion.admin)
Full access to Cloud Data Fusion Instances, Namespaces and related resources.
Lowest-level resources where you can grant this role:
datafusion.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Developer
Beta
(roles/datafusion.developer)
Access Cloud Data Fusion Instances, develop and run pipelines.
datafusion.artifacts.get
datafusion.artifacts.list
datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.listEffectiveTags
datafusion.instances.listTagBindings
datafusion.locations.*
datafusion.namespaces.provisionCredential
datafusion.namespaces.readRepository
datafusion.namespaces.writeRepository
datafusion.operations.get
datafusion.operations.list
datafusion.pipelineConnections.get
datafusion.pipelineConnections.list
datafusion.pipelineConnections.use
datafusion.pipelines.*
datafusion.profiles.get
datafusion.profiles.list
datafusion.secureKeys.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Operator
Beta
(roles/datafusion.operator)
Access Cloud Data Fusion Instances, operate namespaces and related resources.
datafusion.artifacts.*
datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.listEffectiveTags
datafusion.instances.listTagBindings
datafusion.locations.*
datafusion.namespaces.*
datafusion.operations.get
datafusion.operations.list
datafusion.pipelineConnections.get
datafusion.pipelineConnections.list
datafusion.pipelineConnections.use
datafusion.pipelines.create
datafusion.pipelines.delete
datafusion.pipelines.execute
datafusion.pipelines.get
datafusion.pipelines.list
datafusion.pipelines.update
datafusion.profiles.*
datafusion.secureKeys.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Runner
(roles/datafusion.runner)
Access to Cloud Data Fusion runtime resources.
datafusion.instances.runtime
Cloud Data Fusion Viewer
(roles/datafusion.viewer)
Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.
Lowest-level resources where you can grant this role:
datafusion.artifacts.get
datafusion.artifacts.list
datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.listEffectiveTags
datafusion.instances.listTagBindings
datafusion.locations.*
datafusion.operations.get
datafusion.operations.list
datafusion.pipelineConnections.get
datafusion.pipelineConnections.list
datafusion.pipelines.get
datafusion.pipelines.list
datafusion.profiles.get
datafusion.profiles.list
datafusion.secureKeys.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Labeling roles
Permissions
Data Labeling Service Admin
Beta
(roles/datalabeling.admin)
Full access to all Data Labeling resources
datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Labeling Service Editor
Beta
(roles/datalabeling.editor)
Editor of all Data Labeling resources
datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Labeling Service Viewer
Beta
(roles/datalabeling.viewer)
Viewer of all Data Labeling resources
datalabeling.annotateddatasets.get
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.get
datalabeling.annotationspecsets.list
datalabeling.dataitems.*
datalabeling.datasets.get
datalabeling.datasets.list
datalabeling.examples.*
datalabeling.instructions.get
datalabeling.instructions.list
datalabeling.operations.get
datalabeling.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Dataplex roles
Permissions
Dataplex Administrator
(roles/dataplex.admin)
Full access to Dataplex resources, except Dataplex Catalog.
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.setIamPolicy
dataplex.assets.update
dataplex.content.*
dataplex.dataAttributeBindings.*
dataplex.dataAttributes.*
dataplex.dataTaxonomies.*
dataplex.datascans.*
dataplex.encryptionConfig.*
dataplex.entities.*
dataplex.entryGroups.export
dataplex.entryGroups.import
dataplex.environments.*
dataplex.lakeActions.list
dataplex.lakes.*
dataplex.locations.*
dataplex.metadataJobs.*
dataplex.operations.*
dataplex.partitions.*
dataplex.tasks.*
dataplex.zoneActions.list
dataplex.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Aspect Type Owner
(roles/dataplex.aspectTypeOwner)
Grants access to creating and managing Aspect Types. Does not give the right to create/modify Entries.
datacatalog.migrationConfig.get
dataplex.aspectTypes.*
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Aspect Type User
(roles/dataplex.aspectTypeUser)
Grants access to use Aspect Types to create/modify Entries with the corresponding aspects.
datacatalog.migrationConfig.get
dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Binding Administrator
(roles/dataplex.bindingAdmin)
Full access to DataAttribute Binding resources.
dataplex.dataAttributeBindings.*
Dataplex Catalog Admin
(roles/dataplex.catalogAdmin)
Has full access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries.
datacatalog.migrationConfig.get
dataplex.aspectTypes.*
dataplex.entries.*
dataplex.entryGroups.*
dataplex.entryTypes.*
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Catalog Editor
(roles/dataplex.catalogEditor)
Has write access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries. Cannot set IAM policies on resources.
datacatalog.migrationConfig.get
dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.*
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.update
dataplex.entryTypes.use
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Catalog Viewer
(roles/dataplex.catalogViewer)
Has read access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries. Can view IAM policies on Catalog resources.
datacatalog.migrationConfig.get
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.entries.get
dataplex.entries.list
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Data Owner
(roles/dataplex.dataOwner)
Owner access to data. To be granted to Dataplex resources Lake, Zone or Asset only.
dataplex.assets.ownData
dataplex.assets.readData
dataplex.assets.writeData
Dataplex Data Reader
(roles/dataplex.dataReader)
Read only access to data. To be granted to Dataplex resources Lake, Zone or Asset only.
dataplex.assets.readData
Dataplex DataScan Administrator
(roles/dataplex.dataScanAdmin)
Full access to DataScan resources.
dataplex.datascans.*
dataplex.operations.get
dataplex.operations.list
Dataplex DataScan Creator
(roles/dataplex.dataScanCreator)
Access to create new DataScan resources.
dataplex.datascans.create
dataplex.datascans.get
dataplex.datascans.list
dataplex.operations.get
Dataplex DataScan DataViewer
(roles/dataplex.dataScanDataViewer)
Read access to DataScan resources and additional contents.
dataplex.datascans.get
dataplex.datascans.getData
dataplex.datascans.getIamPolicy
dataplex.datascans.list
Dataplex DataScan Editor
(roles/dataplex.dataScanEditor)
Write access to DataScan resources.
dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getData
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.update
dataplex.operations.get
dataplex.operations.list
Dataplex DataScan Viewer
(roles/dataplex.dataScanViewer)
Read access to DataScan resources.
dataplex.datascans.get
dataplex.datascans.getIamPolicy
dataplex.datascans.list
Dataplex Data Writer
(roles/dataplex.dataWriter)
Write access to data. To be granted to Dataplex resources Lake, Zone or Asset only.
dataplex.assets.writeData
Dataplex Developer
(roles/dataplex.developer)
Allows running data analytics workloads in a lake.
dataplex.content.*
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.list
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.list
dataplex.tasks.run
dataplex.tasks.update
Dataplex Editor
(roles/dataplex.editor)
Write access to Dataplex resources.
cloudasset.assets.analyzeIamPolicy
dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.update
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.dataAttributeBindings.create
dataplex.dataAttributeBindings.delete
dataplex.dataAttributeBindings.get
dataplex.dataAttributeBindings.getIamPolicy
dataplex.dataAttributeBindings.list
dataplex.dataAttributeBindings.update
dataplex.dataAttributes.bind
dataplex.dataAttributes.create
dataplex.dataAttributes.delete
dataplex.dataAttributes.get
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataAttributes.update
dataplex.dataTaxonomies.configureDataAccess
dataplex.dataTaxonomies.configureResourceAccess
dataplex.dataTaxonomies.create
dataplex.dataTaxonomies.delete
dataplex.dataTaxonomies.get
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
dataplex.dataTaxonomies.update
dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex. datascans. getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.update
dataplex.environments.create
dataplex.environments.delete
dataplex.environments.get
dataplex. environments. getIamPolicy
dataplex.environments.list
dataplex.environments.update
dataplex.lakeActions.list
dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.update
dataplex.operations.*
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.run
dataplex.tasks.update
dataplex.zoneActions.list
dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.update
Dataplex Encryption Admin
Beta
(roles/dataplex.encryptionAdmin)
Gives user permissions to manage encryption config.
dataplex.encryptionConfig.*
dataplex.operations.get
dataplex.operations.list
Dataplex Entry Group Exporter
Beta
(roles/dataplex.entryGroupExporter)
Grants access to export this entry group for Metadata Job processing.
dataplex.entryGroups.export
dataplex.entryGroups.get
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Group Importer
Beta
(roles/dataplex.entryGroupImporter)
Grants access to import this entry group for Metadata Job processing.
dataplex.entryGroups.get
dataplex.entryGroups.import
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Group Owner
(roles/dataplex.entryGroupOwner)
Owns Entry Groups and Entries inside of them.
datacatalog.migrationConfig.get
dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
dataplex.entries.*
dataplex.entryGroups.*
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Owner
(roles/dataplex.entryOwner)
Owns Metadata Entries.
datacatalog.migrationConfig.get
dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
dataplex.entries.*
dataplex.entryGroups.get
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Type Owner
(roles/dataplex.entryTypeOwner)
Grants access to creating and managing Entry Types. Does not give the right to create/modify Entries.
datacatalog.migrationConfig.get
dataplex.entryTypes.*
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Type User
(roles/dataplex.entryTypeUser)
Grants access to use Entry Types to create/modify Entries of those types.
datacatalog.migrationConfig.get
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
(roles/dataplex.metadataJobOwner)
Grants access to creating and managing Metadata Jobs. Does not give the right to create/modify Entry Groups.
dataplex.metadataJobs.*
dataplex.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
(roles/dataplex.metadataJobViewer)
Read access to Metadata Job resources.
dataplex.metadataJobs.get
dataplex.metadataJobs.list
dataplex.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
(roles/dataplex.metadataReader)
Read only access to metadata.
dataplex.assets.get
dataplex.assets.list
dataplex.entities.get
dataplex.entities.list
dataplex.partitions.get
dataplex.partitions.list
dataplex.zones.get
dataplex.zones.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/dataplex.metadataWriter)
Write and Read access to metadata.
dataplex.assets.get
dataplex.assets.list
dataplex.entities.*
dataplex.partitions.*
dataplex.zones.get
dataplex.zones.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Security Administrator
(roles/dataplex.securityAdmin)
Permissions to configure ResourceAccess and DataAccess Specs on Data Attributes.
dataplex.dataTaxonomies.configureDataAccess
dataplex.dataTaxonomies.configureResourceAccess
Dataplex Storage Data Owner
(roles/dataplex.storageDataOwner)
Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.
bigquery.datasets.get
bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Dataplex Storage Data Reader
(roles/dataplex.storageDataReader)
Read only access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.
bigquery.datasets.get
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
storage.buckets.get
storage.objects.get
storage.objects.list
Dataplex Storage Data Writer
(roles/dataplex.storageDataWriter)
Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.
bigquery.tables.updateData
storage.objects.create
storage.objects.delete
storage.objects.update
Dataplex Taxonomy Administrator
(roles/dataplex.taxonomyAdmin)
Full access to DataTaxonomy, DataAttribute resources.
dataplex.dataAttributes.*
dataplex.dataTaxonomies.create
dataplex.dataTaxonomies.delete
dataplex.dataTaxonomies.get
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
dataplex.dataTaxonomies.setIamPolicy
dataplex.dataTaxonomies.update
Dataplex Taxonomy Viewer
(roles/dataplex.taxonomyViewer)
Read access on DataTaxonomy, DataAttribute resources.
dataplex.dataAttributes.get
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataTaxonomies.get
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
Dataplex Viewer
(roles/dataplex.viewer)
Read access to Dataplex resources.
cloudasset.assets.analyzeIamPolicy
dataplex.assetActions.list
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.dataAttributeBindings.get
dataplex.dataAttributeBindings.getIamPolicy
dataplex.dataAttributeBindings.list
dataplex.dataAttributes.get
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataTaxonomies.get
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
dataplex.datascans.get
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.lakeActions.list
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.operations.get
dataplex.operations.list
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.zoneActions.list
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
Cloud Debugger roles
Permissions
Cloud Debugger Agent
Beta
(roles/clouddebugger.agent)
Provides permissions to register the debug target, read active breakpoints, and report breakpoint results.
Lowest-level resources where you can grant this role:
clouddebugger.breakpoints.list
clouddebugger.breakpoints.listActive
clouddebugger.breakpoints.update
clouddebugger.debuggees.create
Cloud Debugger User
Beta
(roles/clouddebugger.user)
Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees).
Lowest-level resources where you can grant this role:
clouddebugger.breakpoints.create
clouddebugger.breakpoints.delete
clouddebugger.breakpoints.get
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
Cloud Deploy roles
Permissions
Cloud Deploy Admin
(roles/clouddeploy.admin)
Full control of Cloud Deploy resources.
clouddeploy.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Approver
(roles/clouddeploy.approver)
Permission to approve or reject rollouts.
clouddeploy.config.get
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.rollouts.approve
clouddeploy.rollouts.get
clouddeploy.rollouts.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Custom Target Type Admin
(roles/clouddeploy.customTargetTypeAdmin)
Permission to manage CustomTargetType resources
clouddeploy.config.get
clouddeploy.customTargetTypes.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Developer
(roles/clouddeploy.developer)
Permission to manage deployment configuration without permission to access operational resources, such as targets.
clouddeploy.automationRuns.get
clouddeploy.automationRuns.list
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.config.get
clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.createTagBinding
clouddeploy.deliveryPipelines.delete
clouddeploy.deliveryPipelines.deleteTagBinding
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.listEffectiveTags
clouddeploy.deliveryPipelines.listTagBindings
clouddeploy.deliveryPipelines.update
clouddeploy.deployPolicies.get
clouddeploy.deployPolicies.list
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.*
clouddeploy.rollouts.get
clouddeploy.rollouts.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Runner
(roles/clouddeploy.jobRunner)
Permission to execute Cloud Deploy work without permission to deliver to a target.
clouddeploy.config.get
logging.logEntries.create
storage.objects.create
storage.objects.get
storage.objects.list
Cloud Deploy Operator
(roles/clouddeploy.operator)
Permission to manage deployment configuration.
clouddeploy.automationRuns.*
clouddeploy.automations.*
clouddeploy.config.get
clouddeploy.customTargetTypes.get
clouddeploy.customTargetTypes.getIamPolicy
clouddeploy.customTargetTypes.list
clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.createTagBinding
clouddeploy.deliveryPipelines.delete
clouddeploy.deliveryPipelines.deleteTagBinding
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.listEffectiveTags
clouddeploy.deliveryPipelines.listTagBindings
clouddeploy.deliveryPipelines.update
clouddeploy.deployPolicies.get
clouddeploy.deployPolicies.list
clouddeploy.jobRuns.*
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.*
clouddeploy.rollouts.advance
clouddeploy.rollouts.cancel
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.ignoreJob
clouddeploy.rollouts.list
clouddeploy.rollouts.retryJob
clouddeploy.rollouts.rollback
clouddeploy.targets.create
clouddeploy.targets.createTagBinding
clouddeploy.targets.delete
clouddeploy.targets.deleteTagBinding
clouddeploy.targets.get
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
clouddeploy.targets.listEffectiveTags
clouddeploy.targets.listTagBindings
clouddeploy.targets.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Policy Admin
Beta
(roles/clouddeploy.policyAdmin)
Permission to manage Deploy Policies.
clouddeploy.deployPolicies.*
clouddeploy.locations.*
clouddeploy.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Policy Overrider
Beta
(roles/clouddeploy.policyOverrider)
Permission to override Deploy Policies.
clouddeploy.deployPolicies.get
clouddeploy.deployPolicies.list
clouddeploy.deployPolicies.override
clouddeploy.locations.*
clouddeploy.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Releaser
(roles/clouddeploy.releaser)
Permission to create Cloud Deploy releases and rollouts.
clouddeploy.config.get
clouddeploy.customTargetTypes.get
clouddeploy.deliveryPipelines.get
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.create
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.advance
clouddeploy.rollouts.cancel
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.rollouts.rollback
clouddeploy.targets.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Viewer
(roles/clouddeploy.viewer)
Can view Cloud Deploy resources.
clouddeploy.automationRuns.get
clouddeploy.automationRuns.list
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.config.get
clouddeploy.customTargetTypes.get
clouddeploy.customTargetTypes.getIamPolicy
clouddeploy.customTargetTypes.list
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.listEffectiveTags
clouddeploy.deliveryPipelines.listTagBindings
clouddeploy.deployPolicies.get
clouddeploy.deployPolicies.list
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.locations.*
clouddeploy.operations.get
clouddeploy.operations.list
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.get
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
clouddeploy.targets.listEffectiveTags
clouddeploy.targets.listTagBindings
resourcemanager.projects.get
resourcemanager.projects.list
Cloud DLP roles
Permissions
DLP Administrator
(roles/dlp.admin)
Administer DLP including jobs and templates.
dlp.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
DLP Analyze Risk Templates Editor
(roles/dlp.analyzeRiskTemplatesEditor)
Edit DLP analyze risk templates.
dlp.analyzeRiskTemplates.*
DLP Analyze Risk Templates Reader
(roles/dlp.analyzeRiskTemplatesReader)
Read DLP analyze risk templates.
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
DLP Column Data Profiles Reader
(roles/dlp.columnDataProfilesReader)
Read DLP column profiles.
dlp.columnDataProfiles.*
DLP Connections Admin
(roles/dlp.connectionsAdmin)
Manage DLP Connections.
dlp.connections.*
resourcemanager.projects.get
resourcemanager.projects.list
DLP Connections Viewer
(roles/dlp.connectionsReader)
View DLP Connections.
dlp.connections.get
dlp.connections.list
dlp.connections.search
DLP Data Profiles Admin
(roles/dlp.dataProfilesAdmin)
Manage DLP profiles.
dlp.charts.get
dlp.columnDataProfiles.*
dlp.fileStoreProfiles.*
dlp.projectDataProfiles.*
dlp.tableDataProfiles.*
DLP Data Profiles Reader
(roles/dlp.dataProfilesReader)
Read DLP profiles.
dlp.charts.get
dlp.columnDataProfiles.*
dlp.fileStoreProfiles.get
dlp.fileStoreProfiles.list
dlp.projectDataProfiles.*
dlp.tableDataProfiles.get
dlp.tableDataProfiles.list
DLP De-identify Templates Editor
(roles/dlp.deidentifyTemplatesEditor)
Edit DLP de-identify templates.
dlp.deidentifyTemplates.*
DLP De-identify Templates Reader
(roles/dlp.deidentifyTemplatesReader)
Read DLP de-identify templates.
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
DLP Cost Estimation
(roles/dlp.estimatesAdmin)
Manage DLP Cost Estimates.
dlp.estimates.*
DLP File Store Data Profiles Admin
(roles/dlp.fileStoreProfilesAdmin)
Manage DLP file store profiles.
dlp.fileStoreProfiles.*
DLP File Store Data Profiles Reader
(roles/dlp.fileStoreProfilesReader)
Read DLP file store profiles.
dlp.charts.get
dlp.fileStoreProfiles.get
dlp.fileStoreProfiles.list
DLP Inspect Findings Reader
(roles/dlp.inspectFindingsReader)
Read DLP stored findings.
dlp.inspectFindings.list
DLP Inspect Templates Editor
(roles/dlp.inspectTemplatesEditor)
Edit DLP inspect templates.
dlp.inspectTemplates.*
DLP Inspect Templates Reader
(roles/dlp.inspectTemplatesReader)
Read DLP inspect templates.
dlp.inspectTemplates.get
dlp.inspectTemplates.list
DLP Job Triggers Editor
(roles/dlp.jobTriggersEditor)
Edit job triggers configurations.
dlp.jobTriggers.*
DLP Job Triggers Reader
(roles/dlp.jobTriggersReader)
Read job triggers.
dlp.jobTriggers.get
dlp.jobTriggers.list
DLP Jobs Editor
(roles/dlp.jobsEditor)
Edit and create jobs
dlp.jobs.*
dlp.kms.encrypt
DLP Jobs Reader
(roles/dlp.jobsReader)
Read jobs
dlp.jobs.get
dlp.jobs.list
DLP Organization Data Profiles Driver
(roles/dlp.orgdriver)
Permissions needed by the DLP service account to generate data profiles within an organization or folder.
Lowest-level resources where you can grant this role:
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agents.get
aiplatform.agents.list
aiplatform.annotationSpecs.get
aiplatform.annotationSpecs.list
aiplatform.annotations.get
aiplatform.annotations.list
aiplatform.apps.get
aiplatform.apps.list
aiplatform.artifacts.get
aiplatform.artifacts.list
aiplatform.batchPredictionJobs.get
aiplatform.batchPredictionJobs.list
aiplatform.cacheConfigs.get
aiplatform.cachedContents.get
aiplatform.cachedContents.list
aiplatform.consents.get
aiplatform.contexts.get
aiplatform.contexts.list
aiplatform.contexts.queryContextLineageSubgraph
aiplatform.customJobs.get
aiplatform.customJobs.list
aiplatform.dataItems.get
aiplatform.dataItems.list
aiplatform.dataLabelingJobs.get
aiplatform.dataLabelingJobs.list
aiplatform.datasetVersions.get
aiplatform.datasetVersions.list
aiplatform.datasets.get
aiplatform.datasets.list
aiplatform.deploymentResourcePools.get
aiplatform.deploymentResourcePools.list
aiplatform.deploymentResourcePools.queryDeployedModels
aiplatform.edgeDeploymentJobs.get
aiplatform.edgeDeploymentJobs.list
aiplatform.edgeDeviceDebugInfo.get
aiplatform.edgeDevices.get
aiplatform.edgeDevices.list
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.entityTypes.get
aiplatform.entityTypes.list
aiplatform.executions.get
aiplatform.executions.list
aiplatform.executions.queryExecutionInputsAndOutputs
aiplatform.extensions.get
aiplatform.extensions.list
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.*
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.searchNearestEntities
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.humanInTheLoops.get
aiplatform.humanInTheLoops.list
aiplatform.hyperparameterTuningJobs.get
aiplatform.hyperparameterTuningJobs.list
aiplatform.indexEndpoints.get
aiplatform.indexEndpoints.list
aiplatform.indexEndpoints.queryVectors
aiplatform.indexes.get
aiplatform.indexes.list
aiplatform.locations.*
aiplatform.metadataSchemas.get
aiplatform.metadataSchemas.list
aiplatform.metadataStores.get
aiplatform.metadataStores.list
aiplatform.modelDeploymentMonitoringJobs.get
aiplatform.modelDeploymentMonitoringJobs.list
aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies
aiplatform.modelEvaluationSlices.get
aiplatform.modelEvaluationSlices.list
aiplatform.modelEvaluations.get
aiplatform.modelEvaluations.list
aiplatform.modelMonitoringJobs.get
aiplatform.modelMonitoringJobs.list
aiplatform.modelMonitors.get
aiplatform.modelMonitors.list
aiplatform.modelMonitors.searchModelMonitoringAlerts
aiplatform.modelMonitors.searchModelMonitoringStats
aiplatform.models.get
aiplatform.models.list
aiplatform.nasJobs.get
aiplatform.nasJobs.list
aiplatform.nasTrialDetails.*
aiplatform.notebookExecutionJobs.get
aiplatform.notebookExecutionJobs.list
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimes.get
aiplatform.notebookRuntimes.list
aiplatform.operations.list
aiplatform.persistentResources.get
aiplatform.persistentResources.list
aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list
aiplatform.reasoningEngines.get
aiplatform.reasoningEngines.list
aiplatform.reasoningEngines.query
aiplatform.schedules.get
aiplatform.schedules.list
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.specialistPools.get
aiplatform.specialistPools.list
aiplatform.specialistPools.update
aiplatform.studies.get
aiplatform.studies.list
aiplatform.tensorboardExperiments.get
aiplatform.tensorboardExperiments.list
aiplatform.tensorboardRuns.get
aiplatform.tensorboardRuns.list
aiplatform.tensorboardTimeSeries.batchRead
aiplatform.tensorboardTimeSeries.get
aiplatform.tensorboardTimeSeries.list
aiplatform.tensorboardTimeSeries.read
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.trainingPipelines.get
aiplatform.trainingPipelines.list
aiplatform.trials.get
aiplatform.trials.list
aiplatform.tuningJobs.get
aiplatform.tuningJobs.list
alloydb.backups.createTagBinding
alloydb.backups.deleteTagBinding
alloydb.backups.get
alloydb.backups.list
alloydb.backups.listEffectiveTags
alloydb.backups.listTagBindings
alloydb.clusters.createTagBinding
alloydb.clusters.deleteTagBinding
alloydb.clusters.export
alloydb.clusters.generateClientCertificate
alloydb.clusters.get
alloydb.clusters.list
alloydb.clusters.listEffectiveTags
alloydb.clusters.listTagBindings
alloydb.databases.list
alloydb.instances.connect
alloydb.instances.executeSql
alloydb.instances.get
alloydb.instances.list
alloydb.locations.*
alloydb.operations.get
alloydb.operations.list
alloydb.supportedDatabaseFlags.*
alloydb.users.get
alloydb.users.list
alloydb.users.login
artifactregistry.repositories.createTagBinding
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.config.get
bigquery.connections.updateTag
bigquery.datasets.create
bigquery.datasets.createTagBinding
bigquery.datasets.deleteTagBinding
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.listEffectiveTags
bigquery.datasets.listTagBindings
bigquery.datasets.updateTag
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.listFailoverDatasets
bigquery.routines.*
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.createTagBinding
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.deleteTagBinding
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings
bigquery.tables.replicateData
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
bigquery.transfers.get
bigquerymigration.translation.translate
bigtable.authorizedViews.createTagBinding
bigtable.authorizedViews.deleteTagBinding
bigtable.authorizedViews.listEffectiveTags
bigtable.authorizedViews.listTagBindings
bigtable.instances.createTagBinding
bigtable.instances.deleteTagBinding
bigtable.instances.listEffectiveTags
bigtable.instances.listTagBindings
cloudaicompanion.entitlements.get
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.analyzeMove
cloudasset.assets.analyzeOrgPolicy
cloudasset.assets.exportAccessLevel
cloudasset.assets.exportAccessPolicy
cloudasset.assets.exportAiplatformBatchPredictionJobs
cloudasset.assets.exportAiplatformCustomJobs
cloudasset.assets.exportAiplatformDataLabelingJobs
cloudasset.assets.exportAiplatformDatasets
cloudasset.assets.exportAiplatformEndpoints
cloudasset.assets.exportAiplatformHyperparameterTuningJobs
cloudasset.assets.exportAiplatformMetadataStores
cloudasset.assets.exportAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.exportAiplatformModels
cloudasset.assets.exportAiplatformPipelineJobs
cloudasset.assets.exportAiplatformSpecialistPools
cloudasset.assets.exportAiplatformTrainingPipelines
cloudasset.assets.exportAllAccessPolicy
cloudasset.assets.exportAnthosConnectedCluster
cloudasset.assets.exportAnthosedgeCluster
cloudasset.assets.exportApigatewayApi
cloudasset.assets.exportApigatewayApiConfig
cloudasset.assets.exportApigatewayGateway
cloudasset.assets.exportApikeysKeys
cloudasset.assets.exportAppengineApplications
cloudasset.assets.exportAppengineServices
cloudasset.assets.exportAppengineVersions
cloudasset.assets.exportArtifactregistryDockerImages
cloudasset.assets.exportArtifactregistryRepositories
cloudasset.assets.exportAssuredWorkloadsWorkloads
cloudasset.assets.exportBeyondCorpApiGateways
cloudasset.assets.exportBeyondCorpAppConnections
cloudasset.assets.exportBeyondCorpAppConnectors
cloudasset.assets.exportBeyondCorpAppGateways
cloudasset.assets.exportBeyondCorpClientConnectorServices
cloudasset.assets.exportBeyondCorpClientGateways
cloudasset.assets.exportBigqueryDatasets
cloudasset.assets.exportBigqueryModels
cloudasset.assets.exportBigqueryTables
cloudasset.assets.exportBigtableAppProfile
cloudasset.assets.exportBigtableBackup
cloudasset.assets.exportBigtableCluster
cloudasset.assets.exportBigtableInstance
cloudasset.assets.exportBigtableTable
cloudasset.assets.exportCloudAssetFeeds
cloudasset.assets.exportCloudDeployDeliveryPipelines
cloudasset.assets.exportCloudDeployReleases
cloudasset.assets.exportCloudDeployRollouts
cloudasset.assets.exportCloudDeployTargets
cloudasset.assets.exportCloudDocumentAIEvaluation
cloudasset.assets.exportCloudDocumentAIHumanReviewConfig
cloudasset.assets.exportCloudDocumentAILabelerPool
cloudasset.assets.exportCloudDocumentAIProcessor
cloudasset.assets.exportCloudDocumentAIProcessorVersion
cloudasset.assets.exportCloudbillingBillingAccounts
cloudasset.assets.exportCloudbillingProjectBillingInfos
cloudasset.assets.exportCloudfunctionsFunctions
cloudasset.assets.exportCloudfunctionsGen2Functions
cloudasset.assets.exportCloudkmsCryptoKeyVersions
cloudasset.assets.exportCloudkmsCryptoKeys
cloudasset.assets.exportCloudkmsEkmConnections
cloudasset.assets.exportCloudkmsImportJobs
cloudasset.assets.exportCloudkmsKeyRings
cloudasset.assets.exportCloudmemcacheInstances
cloudasset.assets.exportCloudresourcemanagerFolders
cloudasset.assets.exportCloudresourcemanagerOrganizations
cloudasset.assets.exportCloudresourcemanagerProjects
cloudasset.assets.exportCloudresourcemanagerTagBindings
cloudasset.assets.exportCloudresourcemanagerTagKeys
cloudasset.assets.exportCloudresourcemanagerTagValues
cloudasset.assets.exportComposerEnvironments
cloudasset.assets.exportComputeAddress
cloudasset.assets.exportComputeAutoscalers
cloudasset.assets.exportComputeBackendBuckets
cloudasset.assets.exportComputeBackendServices
cloudasset.assets.exportComputeCommitments
cloudasset.assets.exportComputeDisks
cloudasset.assets.exportComputeExternalVpnGateways
cloudasset.assets.exportComputeFirewallPolicies
cloudasset.assets.exportComputeFirewalls
cloudasset.assets.exportComputeForwardingRules
cloudasset.assets.exportComputeGlobalAddress
cloudasset.assets.exportComputeGlobalForwardingRules
cloudasset.assets.exportComputeHealthChecks
cloudasset.assets.exportComputeHttpHealthChecks
cloudasset.assets.exportComputeHttpsHealthChecks
cloudasset.assets.exportComputeImages
cloudasset.assets.exportComputeInstanceGroupManagers
cloudasset.assets.exportComputeInstanceGroups
cloudasset.assets.exportComputeInstanceTemplates
cloudasset.assets.exportComputeInstances
cloudasset.assets.exportComputeInterconnect
cloudasset.assets.exportComputeInterconnectAttachment
cloudasset.assets.exportComputeLicenses
cloudasset.assets.exportComputeNetworkEndpointGroups
cloudasset.assets.exportComputeNetworks
cloudasset.assets.exportComputeNodeGroups
cloudasset.assets.exportComputeNodeTemplates
cloudasset.assets.exportComputePacketMirrorings
cloudasset.assets.exportComputeProjects
cloudasset.assets.exportComputeRegionAutoscaler
cloudasset.assets.exportComputeRegionBackendServices
cloudasset.assets.exportComputeRegionDisk
cloudasset.assets.exportComputeRegionInstanceGroup
cloudasset.assets.exportComputeRegionInstanceGroupManager
cloudasset.assets.exportComputeReservations
cloudasset.assets.exportComputeResourcePolicies
cloudasset.assets.exportComputeRouters
cloudasset.assets.exportComputeRoutes
cloudasset.assets.exportComputeSecurityPolicy
cloudasset.assets.exportComputeServiceAttachments
cloudasset.assets.exportComputeSnapshots
cloudasset.assets.exportComputeSslCertificates
cloudasset.assets.exportComputeSslPolicies
cloudasset.assets.exportComputeSubnetworks
cloudasset.assets.exportComputeTargetHttpProxies
cloudasset.assets.exportComputeTargetHttpsProxies
cloudasset.assets.exportComputeTargetInstances
cloudasset.assets.exportComputeTargetPools
cloudasset.assets.exportComputeTargetSslProxies
cloudasset.assets.exportComputeTargetTcpProxies
cloudasset.assets.exportComputeTargetVpnGateways
cloudasset.assets.exportComputeUrlMaps
cloudasset.assets.exportComputeVpnGateways
cloudasset.assets.exportComputeVpnTunnels
cloudasset.assets.exportConnectorsConnections
cloudasset.assets.exportConnectorsConnectorVersions
cloudasset.assets.exportConnectorsConnectors
cloudasset.assets.exportConnectorsProviders
cloudasset.assets.exportConnectorsRuntimeConfigs
cloudasset.assets.exportContainerAppsDeployment
cloudasset.assets.exportContainerAppsReplicaSets
cloudasset.assets.exportContainerBatchJobs
cloudasset.assets.exportContainerClusterrole
cloudasset.assets.exportContainerClusterrolebinding
cloudasset.assets.exportContainerClusters
cloudasset.assets.exportContainerExtensionsIngresses
cloudasset.assets.exportContainerJobs
cloudasset.assets.exportContainerNamespace
cloudasset.assets.exportContainerNetworkingIngresses
cloudasset.assets.exportContainerNetworkingNetworkPolicies
cloudasset.assets.exportContainerNode
cloudasset.assets.exportContainerNodepool
cloudasset.assets.exportContainerPod
cloudasset.assets.exportContainerReplicaSets
cloudasset.assets.exportContainerRole
cloudasset.assets.exportContainerRolebinding
cloudasset.assets.exportContainerServices
cloudasset.assets.exportContainerregistryImage
cloudasset.assets.exportDataMigrationConnectionProfiles
cloudasset.assets.exportDataMigrationMigrationJobs
cloudasset.assets.exportDataflowJobs
cloudasset.assets.exportDatafusionInstance
cloudasset.assets.exportDataplexAssets
cloudasset.assets.exportDataplexLakes
cloudasset.assets.exportDataplexTasks
cloudasset.assets.exportDataplexZones
cloudasset.assets.exportDataprocAutoscalingPolicies
cloudasset.assets.exportDataprocBatches
cloudasset.assets.exportDataprocClusters
cloudasset.assets.exportDataprocJobs
cloudasset.assets.exportDataprocSessions
cloudasset.assets.exportDataprocWorkflowTemplates
cloudasset.assets.exportDatastreamConnectionProfile
cloudasset.assets.exportDatastreamPrivateConnection
cloudasset.assets.exportDatastreamStream
cloudasset.assets.exportDialogflowAgents
cloudasset.assets.exportDialogflowConversationProfiles
cloudasset.assets.exportDialogflowKnowledgeBases
cloudasset.assets.exportDialogflowLocationSettings
cloudasset.assets.exportDlpDeidentifyTemplates
cloudasset.assets.exportDlpDlpJobs
cloudasset.assets.exportDlpInspectTemplates
cloudasset.assets.exportDlpJobTriggers
cloudasset.assets.exportDlpStoredInfoTypes
cloudasset.assets.exportDnsManagedZones
cloudasset.assets.exportDnsPolicies
cloudasset.assets.exportDomainsRegistrations
cloudasset.assets.exportEventarcTriggers
cloudasset.assets.exportFileBackups
cloudasset.assets.exportFileInstances
cloudasset.assets.exportFirebaseAppInfos
cloudasset.assets.exportFirebaseProjects
cloudasset.assets.exportFirestoreDatabases
cloudasset.assets.exportGKEHubFeatures
cloudasset.assets.exportGKEHubMemberships
cloudasset.assets.exportGameservicesGameServerClusters
cloudasset.assets.exportGameservicesGameServerConfigs
cloudasset.assets.exportGameservicesGameServerDeployments
cloudasset. assets. exportGameservicesRealms
cloudasset. assets. exportGkeBackupBackupPlans
cloudasset. assets. exportGkeBackupBackups
cloudasset. assets. exportGkeBackupRestorePlans
cloudasset. assets. exportGkeBackupRestores
cloudasset. assets. exportGkeBackupVolumeBackups
cloudasset. assets. exportGkeBackupVolumeRestores
cloudasset. assets. exportHealthcareConsentStores
cloudasset. assets. exportHealthcareDatasets
cloudasset. assets. exportHealthcareDicomStores
cloudasset. assets. exportHealthcareFhirStores
cloudasset. assets. exportHealthcareHl7V2Stores
cloudasset. assets. exportIamPolicy
cloudasset. assets. exportIamRoles
cloudasset. assets. exportIamServiceAccountKeys
cloudasset. assets. exportIamServiceAccounts
cloudasset. assets. exportIapTunnel
cloudasset. assets. exportIapTunnelInstances
cloudasset. assets. exportIapTunnelZones
cloudasset.assets.exportIapWeb
cloudasset. assets. exportIapWebServiceVersion
cloudasset. assets. exportIapWebServices
cloudasset. assets. exportIapWebType
cloudasset. assets. exportIdsEndpoints
cloudasset. assets. exportIntegrationsAuthConfigs
cloudasset. assets. exportIntegrationsCertificates
cloudasset. assets. exportIntegrationsExecutions
cloudasset. assets. exportIntegrationsIntegrationVersions
cloudasset. assets. exportIntegrationsIntegrations
cloudasset. assets. exportIntegrationsSfdcChannels
cloudasset. assets. exportIntegrationsSfdcInstances
cloudasset. assets. exportIntegrationsSuspensions
cloudasset. assets. exportLoggingLogMetrics
cloudasset. assets. exportLoggingLogSinks
cloudasset. assets. exportManagedidentitiesDomain
cloudasset. assets. exportMetastoreBackups
cloudasset. assets. exportMetastoreMetadataImports
cloudasset. assets. exportMetastoreServices
cloudasset. assets. exportMonitoringAlertPolicies
cloudasset. assets. exportNetworkConnectivityHubs
cloudasset. assets. exportNetworkConnectivitySpokes
cloudasset. assets. exportNetworkManagementConnectivityTests
cloudasset. assets. exportNetworkServicesEndpointPolicies
cloudasset. assets. exportNetworkServicesGateways
cloudasset. assets. exportNetworkServicesGrpcRoutes
cloudasset. assets. exportNetworkServicesHttpRoutes
cloudasset. assets. exportNetworkServicesMeshes
cloudasset. assets. exportNetworkServicesServiceBindings
cloudasset. assets. exportNetworkServicesTcpRoutes
cloudasset. assets. exportNetworkServicesTlsRoutes
cloudasset. assets. exportOSConfigOSPolicyAssignmentReports
cloudasset. assets. exportOSConfigOSPolicyAssignments
cloudasset. assets. exportOSConfigVulnerabilityReports
cloudasset. assets. exportOSInventories
cloudasset. assets. exportOrgPolicy
cloudasset. assets. exportPatchDeployments
cloudasset. assets. exportPubsubSnapshots
cloudasset. assets. exportPubsubSubscriptions
cloudasset. assets. exportPubsubTopics
cloudasset. assets. exportRedisInstances
cloudasset. assets. exportResource
cloudasset. assets. exportSecretManagerSecretVersions
cloudasset. assets. exportSecretManagerSecrets
cloudasset. assets. exportServiceDirectoryNamespaces
cloudasset. assets. exportServicePerimeter
cloudasset. assets. exportServiceconsumermanagementConsumerProperty
cloudasset. assets. exportServiceconsumermanagementConsumerQuotaLimits
cloudasset. assets. exportServiceconsumermanagementConsumers
cloudasset. assets. exportServiceconsumermanagementProducerOverrides
cloudasset. assets. exportServiceconsumermanagementTenancyUnits
cloudasset. assets. exportServiceconsumermanagementVisibility
cloudasset. assets. exportServicemanagementServices
cloudasset. assets. exportServiceusageAdminOverrides
cloudasset. assets. exportServiceusageConsumerOverrides
cloudasset. assets. exportServiceusageServices
cloudasset. assets. exportSpannerBackups
cloudasset. assets. exportSpannerDatabases
cloudasset. assets. exportSpannerInstances
cloudasset. assets. exportSpeakerIdPhrases
cloudasset. assets. exportSpeakerIdSettings
cloudasset. assets. exportSpeakerIdSpeakers
cloudasset. assets. exportSpeechCustomClasses
cloudasset. assets. exportSpeechPhraseSets
cloudasset. assets. exportSqladminBackupRuns
cloudasset. assets. exportSqladminInstances
cloudasset. assets. exportStorageBuckets
cloudasset. assets. exportTpuNodes
cloudasset. assets. exportVpcaccessConnector
cloudasset.assets.listAccessLevel
cloudasset.assets.listAccessPolicy
cloudasset.assets.listAiplatformBatchPredictionJobs
cloudasset.assets.listAiplatformCustomJobs
cloudasset.assets.listAiplatformDataLabelingJobs
cloudasset.assets.listAiplatformDatasets
cloudasset.assets.listAiplatformEndpoints
cloudasset.assets.listAiplatformHyperparameterTuningJobs
cloudasset.assets.listAiplatformMetadataStores
cloudasset.assets.listAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.listAiplatformModels
cloudasset.assets.listAiplatformPipelineJobs
cloudasset.assets.listAiplatformSpecialistPools
cloudasset.assets.listAiplatformTrainingPipelines
cloudasset.assets.listAllAccessPolicy
cloudasset.assets.listAnthosConnectedCluster
cloudasset.assets.listAnthosedgeCluster
cloudasset.assets.listApigatewayApi
cloudasset.assets.listApigatewayApiConfig
cloudasset.assets.listApigatewayGateway
cloudasset.assets.listApikeysKeys
cloudasset.assets.listAppengineApplications
cloudasset.assets.listAppengineServices
cloudasset.assets.listAppengineVersions
cloudasset.assets.listArtifactregistryDockerImages
cloudasset.assets.listArtifactregistryRepositories
cloudasset.assets.listAssuredWorkloadsWorkloads
cloudasset.assets.listBeyondCorpApiGateways
cloudasset.assets.listBeyondCorpAppConnections
cloudasset.assets.listBeyondCorpAppConnectors
cloudasset.assets.listBeyondCorpAppGateways
cloudasset.assets.listBeyondCorpClientConnectorServices
cloudasset.assets.listBeyondCorpClientGateways
cloudasset.assets.listBigqueryDatasets
cloudasset.assets.listBigqueryModels
cloudasset.assets.listBigqueryTables
cloudasset.assets.listBigtableAppProfile
cloudasset.assets.listBigtableBackup
cloudasset.assets.listBigtableCluster
cloudasset.assets.listBigtableInstance
cloudasset.assets.listBigtableTable
cloudasset.assets.listCloudAssetFeeds
cloudasset.assets.listCloudDeployDeliveryPipelines
cloudasset.assets.listCloudDeployReleases
cloudasset.assets.listCloudDeployRollouts
cloudasset.assets.listCloudDeployTargets
cloudasset.assets.listCloudDocumentAIEvaluation
cloudasset.assets.listCloudDocumentAIHumanReviewConfig
cloudasset.assets.listCloudDocumentAILabelerPool
cloudasset.assets.listCloudDocumentAIProcessor
cloudasset.assets.listCloudDocumentAIProcessorVersion
cloudasset.assets.listCloudbillingBillingAccounts
cloudasset.assets.listCloudbillingProjectBillingInfos
cloudasset.assets.listCloudfunctionsFunctions
cloudasset.assets.listCloudfunctionsGen2Functions
cloudasset.assets.listCloudkmsCryptoKeyVersions
cloudasset.assets.listCloudkmsCryptoKeys
cloudasset.assets.listCloudkmsEkmConnections
cloudasset.assets.listCloudkmsImportJobs
cloudasset.assets.listCloudkmsKeyRings
cloudasset.assets.listCloudmemcacheInstances
cloudasset.assets.listCloudresourcemanagerFolders
cloudasset.assets.listCloudresourcemanagerOrganizations
cloudasset.assets.listCloudresourcemanagerProjects
cloudasset.assets.listCloudresourcemanagerTagBindings
cloudasset.assets.listCloudresourcemanagerTagKeys
cloudasset.assets.listCloudresourcemanagerTagValues
cloudasset.assets.listComposerEnvironments
cloudasset.assets.listComputeAddress
cloudasset.assets.listComputeAutoscalers
cloudasset.assets.listComputeBackendBuckets
cloudasset.assets.listComputeBackendServices
cloudasset.assets.listComputeCommitments
cloudasset.assets.listComputeDisks
cloudasset.assets.listComputeExternalVpnGateways
cloudasset.assets.listComputeFirewallPolicies
cloudasset.assets.listComputeFirewalls
cloudasset.assets.listComputeForwardingRules
cloudasset.assets.listComputeGlobalAddress
cloudasset.assets.listComputeGlobalForwardingRules
cloudasset.assets.listComputeHealthChecks
cloudasset.assets.listComputeHttpHealthChecks
cloudasset.assets.listComputeHttpsHealthChecks
cloudasset.assets.listComputeImages
cloudasset.assets.listComputeInstanceGroupManagers
cloudasset.assets.listComputeInstanceGroups
cloudasset.assets.listComputeInstanceTemplates
cloudasset.assets.listComputeInstances
cloudasset.assets.listComputeInterconnect
cloudasset.assets.listComputeInterconnectAttachment
cloudasset.assets.listComputeLicenses
cloudasset.assets.listComputeNetworkEndpointGroups
cloudasset.assets.listComputeNetworks
cloudasset.assets.listComputeNodeGroups
cloudasset.assets.listComputeNodeTemplates
cloudasset.assets.listComputePacketMirrorings
cloudasset.assets.listComputeProjects
cloudasset.assets.listComputeRegionAutoscaler
cloudasset.assets.listComputeRegionBackendServices
cloudasset.assets.listComputeRegionDisk
cloudasset.assets.listComputeRegionInstanceGroup
cloudasset.assets.listComputeRegionInstanceGroupManager
cloudasset.assets.listComputeReservations
cloudasset.assets.listComputeResourcePolicies
cloudasset.assets.listComputeRouters
cloudasset.assets.listComputeRoutes
cloudasset.assets.listComputeSecurityPolicy
cloudasset.assets.listComputeServiceAttachments
cloudasset.assets.listComputeSnapshots
cloudasset.assets.listComputeSslCertificates
cloudasset.assets.listComputeSslPolicies
cloudasset.assets.listComputeSubnetworks
cloudasset.assets.listComputeTargetHttpProxies
cloudasset.assets.listComputeTargetHttpsProxies
cloudasset.assets.listComputeTargetInstances
cloudasset.assets.listComputeTargetPools
cloudasset.assets.listComputeTargetSslProxies
cloudasset.assets.listComputeTargetTcpProxies
cloudasset.assets.listComputeTargetVpnGateways
cloudasset.assets.listComputeUrlMaps
cloudasset.assets.listComputeVpnGateways
cloudasset.assets.listComputeVpnTunnels
cloudasset.assets.listConnectorsConnections
cloudasset.assets.listConnectorsConnectorVersions
cloudasset.assets.listConnectorsConnectors
cloudasset.assets.listConnectorsProviders
cloudasset.assets.listConnectorsRuntimeConfigs
cloudasset.assets.listContainerAppsDeployment
cloudasset.assets.listContainerAppsReplicaSets
cloudasset.assets.listContainerBatchJobs
cloudasset.assets.listContainerClusterrole
cloudasset.assets.listContainerClusterrolebinding
cloudasset.assets.listContainerClusters
cloudasset.assets.listContainerExtensionsIngresses
cloudasset.assets.listContainerJobs
cloudasset.assets.listContainerNamespace
cloudasset.assets.listContainerNetworkingIngresses
cloudasset.assets.listContainerNetworkingNetworkPolicies
cloudasset.assets.listContainerNode
cloudasset.assets.listContainerNodepool
cloudasset.assets.listContainerPod
cloudasset.assets.listContainerReplicaSets
cloudasset.assets.listContainerRole
cloudasset.assets.listContainerRolebinding
cloudasset.assets.listContainerServices
cloudasset.assets.listContainerregistryImage
cloudasset.assets.listDataMigrationConnectionProfiles
cloudasset.assets.listDataMigrationMigrationJobs
cloudasset.assets.listDataflowJobs
cloudasset.assets.listDatafusionInstance
cloudasset.assets.listDataplexAssets
cloudasset.assets.listDataplexLakes
cloudasset.assets.listDataplexTasks
cloudasset.assets.listDataplexZones
cloudasset.assets.listDataprocAutoscalingPolicies
cloudasset.assets.listDataprocBatches
cloudasset.assets.listDataprocClusters
cloudasset.assets.listDataprocJobs
cloudasset.assets.listDataprocSessions
cloudasset.assets.listDataprocWorkflowTemplates
cloudasset.assets.listDatastreamConnectionProfile
cloudasset.assets.listDatastreamPrivateConnection
cloudasset.assets.listDatastreamStream
cloudasset.assets.listDialogflowAgents
cloudasset.assets.listDialogflowConversationProfiles
cloudasset.assets.listDialogflowKnowledgeBases
cloudasset.assets.listDialogflowLocationSettings
cloudasset.assets.listDlpDeidentifyTemplates
cloudasset.assets.listDlpDlpJobs
cloudasset.assets.listDlpInspectTemplates
cloudasset.assets.listDlpJobTriggers
cloudasset.assets.listDlpStoredInfoTypes
cloudasset.assets.listDnsManagedZones
cloudasset.assets.listDnsPolicies
cloudasset.assets.listDomainsRegistrations
cloudasset.assets.listEventarcTriggers
cloudasset.assets.listFileBackups
cloudasset.assets.listFileInstances
cloudasset.assets.listFirebaseAppInfos
cloudasset.assets.listFirebaseProjects
cloudasset.assets.listFirestoreDatabases
cloudasset.assets.listGKEHubFeatures
cloudasset.assets.listGKEHubMemberships
cloudasset.assets.listGameservicesGameServerClusters
cloudasset.assets.listGameservicesGameServerConfigs
cloudasset.assets.listGameservicesGameServerDeployments
cloudasset.assets.listGameservicesRealms
cloudasset.assets.listGkeBackupBackupPlans
cloudasset.assets.listGkeBackupBackups
cloudasset.assets.listGkeBackupRestorePlans
cloudasset.assets.listGkeBackupRestores
cloudasset.assets.listGkeBackupVolumeBackups
cloudasset.assets.listGkeBackupVolumeRestores
cloudasset.assets.listHealthcareConsentStores
cloudasset.assets.listHealthcareDatasets
cloudasset.assets.listHealthcareDicomStores
cloudasset.assets.listHealthcareFhirStores
cloudasset.assets.listHealthcareHl7V2Stores
cloudasset.assets.listIamPolicy
cloudasset.assets.listIamRoles
cloudasset.assets.listIamServiceAccountKeys
cloudasset.assets.listIamServiceAccounts
cloudasset.assets.listIapTunnel
cloudasset.assets.listIapTunnelInstances
cloudasset.assets.listIapTunnelZones
cloudasset.assets.listIapWeb
cloudasset.assets.listIapWebServiceVersion
cloudasset.assets.listIapWebServices
cloudasset.assets.listIapWebType
cloudasset.assets.listIdsEndpoints
cloudasset.assets.listIntegrationsAuthConfigs
cloudasset.assets.listIntegrationsCertificates
cloudasset.assets.listIntegrationsExecutions
cloudasset.assets.listIntegrationsIntegrationVersions
cloudasset.assets.listIntegrationsIntegrations
cloudasset.assets.listIntegrationsSfdcChannels
cloudasset.assets.listIntegrationsSfdcInstances
cloudasset.assets.listIntegrationsSuspensions
cloudasset.assets.listLoggingLogMetrics
cloudasset.assets.listLoggingLogSinks
cloudasset.assets.listManagedidentitiesDomain
cloudasset.assets.listMetastoreBackups
cloudasset.assets.listMetastoreMetadataImports
cloudasset.assets.listMetastoreServices
cloudasset.assets.listMonitoringAlertPolicies
cloudasset.assets.listNetworkConnectivityHubs
cloudasset.assets.listNetworkConnectivitySpokes
cloudasset.assets.listNetworkManagementConnectivityTests
cloudasset.assets.listNetworkServicesEndpointPolicies
cloudasset.assets.listNetworkServicesGateways
cloudasset.assets.listNetworkServicesGrpcRoutes
cloudasset.assets.listNetworkServicesHttpRoutes
cloudasset.assets.listNetworkServicesMeshes
cloudasset.assets.listNetworkServicesServiceBindings
cloudasset.assets.listNetworkServicesTcpRoutes
cloudasset.assets.listNetworkServicesTlsRoutes
cloudasset.assets.listOSConfigOSPolicyAssignmentReports
cloudasset.assets.listOSConfigOSPolicyAssignments
cloudasset.assets.listOSConfigVulnerabilityReports
cloudasset.assets.listOSInventories
cloudasset.assets.listOrgPolicy
cloudasset.assets.listPatchDeployments
cloudasset.assets.listPubsubSnapshots
cloudasset.assets.listPubsubSubscriptions
cloudasset.assets.listPubsubTopics
cloudasset.assets.listRedisInstances
cloudasset.assets.listResource
cloudasset.assets.listRunDomainMapping
cloudasset.assets.listRunRevision
cloudasset.assets.listRunService
cloudasset.assets.listSecretManagerSecretVersions
cloudasset.assets.listSecretManagerSecrets
cloudasset.assets.listServiceDirectoryNamespaces
cloudasset.assets.listServicePerimeter
cloudasset.assets.listServiceconsumermanagementConsumerProperty
cloudasset.assets.listServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.listServiceconsumermanagementConsumers
cloudasset.assets.listServiceconsumermanagementProducerOverrides
cloudasset.assets.listServiceconsumermanagementTenancyUnits
cloudasset.assets.listServiceconsumermanagementVisibility
cloudasset.assets.listServicemanagementServices
cloudasset.assets.listServiceusageAdminOverrides
cloudasset.assets.listServiceusageConsumerOverrides
cloudasset.assets.listServiceusageServices
cloudasset.assets.listSpannerBackups
cloudasset.assets.listSpannerDatabases
cloudasset.assets.listSpannerInstances
cloudasset.assets.listSpeakerIdPhrases
cloudasset.assets.listSpeakerIdSettings
cloudasset.assets.listSpeakerIdSpeakers
cloudasset.assets.listSpeechCustomClasses
cloudasset.assets.listSpeechPhraseSets
cloudasset.assets.listSqladminBackupRuns
cloudasset.assets.listSqladminInstances
cloudasset.assets.listStorageBuckets
cloudasset.assets.listTpuNodes
cloudasset.assets.listVpcaccessConnector
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
clouddeploy.deliveryPipelines.createTagBinding
clouddeploy.deliveryPipelines.deleteTagBinding
clouddeploy.deliveryPipelines.listEffectiveTags
clouddeploy.deliveryPipelines.listTagBindings
clouddeploy.targets.createTagBinding
clouddeploy.targets.deleteTagBinding
clouddeploy.targets.listEffectiveTags
clouddeploy.targets.listTagBindings
cloudkms.keyRings.createTagBinding
cloudkms.keyRings.deleteTagBinding
cloudkms.keyRings.listEffectiveTags
cloudkms.keyRings.listTagBindings
cloudsql.instances.connect
cloudsql.instances.createTagBinding
cloudsql.instances.deleteTagBinding
cloudsql.instances.get
cloudsql.instances.listEffectiveTags
cloudsql.instances.listTagBindings
cloudsql.instances.login
compute.addresses.createTagBinding
compute.addresses.deleteTagBinding
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.backendBuckets.createTagBinding
compute.backendBuckets.deleteTagBinding
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.createTagBinding
compute.backendServices.deleteTagBinding
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.createTagBinding
compute.externalVpnGateways.deleteTagBinding
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.firewallPolicies.createTagBinding
compute.firewallPolicies.deleteTagBinding
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.createTagBinding
compute.firewalls.deleteTagBinding
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.createTagBinding
compute.forwardingRules.deleteTagBinding
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.globalAddresses.createTagBinding
compute.globalAddresses.deleteTagBinding
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.globalForwardingRules.createTagBinding
compute.globalForwardingRules.deleteTagBinding
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalNetworkEndpointGroups.createTagBinding
compute.globalNetworkEndpointGroups.deleteTagBinding
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.healthChecks.createTagBinding
compute.healthChecks.deleteTagBinding
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.createTagBinding
compute.httpHealthChecks.deleteTagBinding
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.createTagBinding
compute.httpsHealthChecks.deleteTagBinding
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.createTagBinding
compute.images.deleteTagBinding
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.createTagBinding
compute.instanceGroupManagers.deleteTagBinding
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroups.createTagBinding
compute.instanceGroups.deleteTagBinding
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.instances.createTagBinding
compute.instances.deleteTagBinding
compute.instances.listEffectiveTags
compute.instances.listTagBindings
compute.interconnectAttachments.createTagBinding
compute.interconnectAttachments.deleteTagBinding
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnects.createTagBinding
compute.interconnects.deleteTagBinding
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.networkAttachments.createTagBinding
compute.networkAttachments.deleteTagBinding
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkEdgeSecurityServices.createTagBinding
compute.networkEdgeSecurityServices.deleteTagBinding
compute.networkEdgeSecurityServices.listEffectiveTags
compute.networkEdgeSecurityServices.listTagBindings
compute.networkEndpointGroups.createTagBinding
compute.networkEndpointGroups.deleteTagBinding
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networks.createTagBinding
compute.networks.deleteTagBinding
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.packetMirrorings.createTagBinding
compute.packetMirrorings.deleteTagBinding
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.publicDelegatedPrefixes.createTagBinding
compute.publicDelegatedPrefixes.deleteTagBinding
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.regionBackendServices.createTagBinding
compute.regionBackendServices.deleteTagBinding
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.createTagBinding
compute.regionFirewallPolicies.deleteTagBinding
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthChecks.createTagBinding
compute.regionHealthChecks.deleteTagBinding
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.createTagBinding
compute.regionNetworkEndpointGroups.deleteTagBinding
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionSecurityPolicies.createTagBinding
compute.regionSecurityPolicies.deleteTagBinding
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSslCertificates.createTagBinding
compute.regionSslCertificates.deleteTagBinding
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.createTagBinding
compute.regionSslPolicies.deleteTagBinding
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetHttpProxies.createTagBinding
compute.regionTargetHttpProxies.deleteTagBinding
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.createTagBinding
compute.regionTargetHttpsProxies.deleteTagBinding
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.createTagBinding
compute.regionTargetTcpProxies.deleteTagBinding
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.regionUrlMaps.createTagBinding
compute.regionUrlMaps.deleteTagBinding
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.routers.createTagBinding
compute.routers.deleteTagBinding
compute.routers.listEffectiveTags
compute.routers.listTagBindings
compute.routes.createTagBinding
compute.routes.deleteTagBinding
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.createTagBinding
compute.securityPolicies.deleteTagBinding
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.serviceAttachments.createTagBinding
compute.serviceAttachments.deleteTagBinding
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings
compute.snapshots.createTagBinding
compute.snapshots.deleteTagBinding
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.createTagBinding
compute.sslCertificates.deleteTagBinding
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.createTagBinding
compute.sslPolicies.deleteTagBinding
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.subnetworks.createTagBinding
compute.subnetworks.deleteTagBinding
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetGrpcProxies.createTagBinding
compute.targetGrpcProxies.deleteTagBinding
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings
compute.targetHttpProxies.createTagBinding
compute.targetHttpProxies.deleteTagBinding
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.createTagBinding
compute.targetHttpsProxies.deleteTagBinding
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.createTagBinding
compute.targetInstances.deleteTagBinding
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.createTagBinding
compute.targetPools.deleteTagBinding
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.createTagBinding
compute.targetSslProxies.deleteTagBinding
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.createTagBinding
compute.targetTcpProxies.deleteTagBinding
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.targetVpnGateways.createTagBinding
compute.targetVpnGateways.deleteTagBinding
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.urlMaps.createTagBinding
compute.urlMaps.deleteTagBinding
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
compute.vpnGateways.createTagBinding
compute.vpnGateways.deleteTagBinding
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.createTagBinding
compute.vpnTunnels.deleteTagBinding
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings
container. clusters. createTagBinding
container. clusters. deleteTagBinding
container. clusters. listEffectiveTags
container. clusters. listTagBindings
datacatalog. categories. fineGrainedGet
datacatalog.entries.updateTag
datacatalog. entryGroups. updateTag
datacatalog. tagTemplates. create
datacatalog.tagTemplates.get
datacatalog. tagTemplates. getTag
datacatalog.tagTemplates.use
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
datafusion. instances. createTagBinding
datafusion. instances. deleteTagBinding
datafusion. instances. listEffectiveTags
datafusion. instances. listTagBindings
dataplex.projects.search
datastore. databases. createTagBinding
datastore. databases. deleteTagBinding
datastore. databases. listEffectiveTags
datastore. databases. listTagBindings
datastream. connectionProfiles. createTagBinding
datastream. connectionProfiles. deleteTagBinding
datastream. connectionProfiles. listEffectiveTags
datastream. connectionProfiles. listTagBindings
datastream. privateConnections. createTagBinding
datastream. privateConnections. deleteTagBinding
datastream. privateConnections. listEffectiveTags
datastream. privateConnections. listTagBindings
datastream. streams. createTagBinding
datastream. streams. deleteTagBinding
datastream. streams. listEffectiveTags
datastream. streams. listTagBindings
dlp.*
domains. registrations. createTagBinding
domains. registrations. deleteTagBinding
domains. registrations. listEffectiveTags
domains. registrations. listTagBindings
file.backups.createTagBinding
file.backups.deleteTagBinding
file.backups.listEffectiveTags
file.backups.listTagBindings
file. instances. createTagBinding
file. instances. deleteTagBinding
file. instances. listEffectiveTags
file.instances.listTagBindings
file. snapshots. createTagBinding
file. snapshots. deleteTagBinding
file. snapshots. listEffectiveTags
file.snapshots.listTagBindings
iam. serviceAccounts. createTagBinding
iam. serviceAccounts. deleteTagBinding
iam. serviceAccounts. listEffectiveTags
iam. serviceAccounts. listTagBindings
logging. buckets. createTagBinding
logging. buckets. deleteTagBinding
logging. buckets. listEffectiveTags
logging. buckets. listTagBindings
managedidentities. domains. createTagBinding
managedidentities. domains. deleteTagBinding
managedidentities. domains. listEffectiveTags
managedidentities. domains. listTagBindings
pubsub.topics.updateTag
recommender.alloydbClusterPerformanceInsights.get
recommender.alloydbClusterPerformanceInsights.list
recommender.alloydbClusterPerformanceRecommendations.get
recommender.alloydbClusterPerformanceRecommendations.list
recommender.alloydbClusterReliabilityInsights.get
recommender.alloydbClusterReliabilityInsights.list
recommender.alloydbClusterReliabilityRecommendations.get
recommender.alloydbClusterReliabilityRecommendations.list
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
redis.instances.createTagBinding
redis.instances.deleteTagBinding
redis.instances.listEffectiveTags
redis.instances.listTagBindings
resourcemanager.hierarchyNodes.*
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.tagValueBindings.*
resourcemanager.tagValues.get
resourcemanager.tagValues.list
run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
secretmanager.secrets.createTagBinding
secretmanager.secrets.deleteTagBinding
secretmanager.secrets.listEffectiveTags
secretmanager.secrets.listTagBindings
serviceusage.services.use
spanner.instances.createTagBinding
spanner.instances.deleteTagBinding
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.getIamPolicy
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
workflows.workflows.createTagBinding
workflows.workflows.deleteTagBinding
workflows.workflows.listEffectiveTags
workflows.workflows.listTagBindings
DLP Project Data Profiles Reader
(roles/dlp.projectDataProfilesReader)
Read DLP project profiles.
dlp.projectDataProfiles.*
DLP Project Data Profiles Driver
(roles/dlp.projectdriver)
Permissions needed by the DLP service account to generate data profiles within a project.
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agents.get
aiplatform.agents.list
aiplatform.annotationSpecs.get
aiplatform.annotationSpecs.list
aiplatform.annotations.get
aiplatform.annotations.list
aiplatform.apps.get
aiplatform.apps.list
aiplatform.artifacts.get
aiplatform.artifacts.list
aiplatform.batchPredictionJobs.get
aiplatform.batchPredictionJobs.list
aiplatform.cacheConfigs.get
aiplatform.cachedContents.get
aiplatform.cachedContents.list
aiplatform.consents.get
aiplatform.contexts.get
aiplatform.contexts.list
aiplatform.contexts.queryContextLineageSubgraph
aiplatform.customJobs.get
aiplatform.customJobs.list
aiplatform.dataItems.get
aiplatform.dataItems.list
aiplatform.dataLabelingJobs.get
aiplatform.dataLabelingJobs.list
aiplatform.datasetVersions.get
aiplatform.datasetVersions.list
aiplatform.datasets.get
aiplatform.datasets.list
aiplatform.deploymentResourcePools.get
aiplatform.deploymentResourcePools.list
aiplatform.deploymentResourcePools.queryDeployedModels
aiplatform.edgeDeploymentJobs.get
aiplatform.edgeDeploymentJobs.list
aiplatform.edgeDeviceDebugInfo.get
aiplatform.edgeDevices.get
aiplatform.edgeDevices.list
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.entityTypes.get
aiplatform.entityTypes.list
aiplatform.executions.get
aiplatform.executions.list
aiplatform.executions.queryExecutionInputsAndOutputs
aiplatform.extensions.get
aiplatform.extensions.list
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.*
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.searchNearestEntities
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.humanInTheLoops.get
aiplatform.humanInTheLoops.list
aiplatform.hyperparameterTuningJobs.get
aiplatform.hyperparameterTuningJobs.list
aiplatform.indexEndpoints.get
aiplatform.indexEndpoints.list
aiplatform.indexEndpoints.queryVectors
aiplatform.indexes.get
aiplatform.indexes.list
aiplatform.locations.*
aiplatform.metadataSchemas.get
aiplatform.metadataSchemas.list
aiplatform.metadataStores.get
aiplatform.metadataStores.list
aiplatform.modelDeploymentMonitoringJobs.get
aiplatform.modelDeploymentMonitoringJobs.list
aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies
aiplatform.modelEvaluationSlices.get
aiplatform.modelEvaluationSlices.list
aiplatform.modelEvaluations.get
aiplatform.modelEvaluations.list
aiplatform.modelMonitoringJobs.get
aiplatform.modelMonitoringJobs.list
aiplatform.modelMonitors.get
aiplatform.modelMonitors.list
aiplatform.modelMonitors.searchModelMonitoringAlerts
aiplatform.modelMonitors.searchModelMonitoringStats
aiplatform.models.get
aiplatform.models.list
aiplatform.nasJobs.get
aiplatform.nasJobs.list
aiplatform.nasTrialDetails.*
aiplatform.notebookExecutionJobs.get
aiplatform.notebookExecutionJobs.list
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimes.get
aiplatform.notebookRuntimes.list
aiplatform.operations.list
aiplatform.persistentResources.get
aiplatform.persistentResources.list
aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list
aiplatform.reasoningEngines.get
aiplatform.reasoningEngines.list
aiplatform.reasoningEngines.query
aiplatform.schedules.get
aiplatform.schedules.list
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.specialistPools.get
aiplatform.specialistPools.list
aiplatform.specialistPools.update
aiplatform.studies.get
aiplatform.studies.list
aiplatform.tensorboardExperiments.get
aiplatform.tensorboardExperiments.list
aiplatform.tensorboardRuns.get
aiplatform.tensorboardRuns.list
aiplatform.tensorboardTimeSeries.batchRead
aiplatform.tensorboardTimeSeries.get
aiplatform.tensorboardTimeSeries.list
aiplatform.tensorboardTimeSeries.read
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.trainingPipelines.get
aiplatform.trainingPipelines.list
aiplatform.trials.get
aiplatform.trials.list
aiplatform.tuningJobs.get
aiplatform.tuningJobs.list
alloydb.backups.createTagBinding
alloydb.backups.deleteTagBinding
alloydb.backups.get
alloydb.backups.list
alloydb.backups.listEffectiveTags
alloydb.backups.listTagBindings
alloydb.clusters.createTagBinding
alloydb.clusters.deleteTagBinding
alloydb.clusters.export
alloydb.clusters.generateClientCertificate
alloydb.clusters.get
alloydb.clusters.list
alloydb.clusters.listEffectiveTags
alloydb.clusters.listTagBindings
alloydb.databases.list
alloydb.instances.connect
alloydb.instances.executeSql
alloydb.instances.get
alloydb.instances.list
alloydb.locations.*
alloydb.operations.get
alloydb.operations.list
alloydb.supportedDatabaseFlags.*
alloydb.users.get
alloydb.users.list
alloydb.users.login
artifactregistry.repositories.createTagBinding
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.config.get
bigquery.connections.updateTag
bigquery.datasets.create
bigquery.datasets.createTagBinding
bigquery.datasets.deleteTagBinding
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.listEffectiveTags
bigquery.datasets.listTagBindings
bigquery.datasets.updateTag
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.listFailoverDatasets
bigquery.routines.*
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.createTagBinding
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.deleteTagBinding
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings
bigquery.tables.replicateData
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
bigquery.transfers.get
bigquerymigration.translation.translate
bigtable.authorizedViews.createTagBinding
bigtable.authorizedViews.deleteTagBinding
bigtable.authorizedViews.listEffectiveTags
bigtable.authorizedViews.listTagBindings
bigtable.instances.createTagBinding
bigtable.instances.deleteTagBinding
bigtable.instances.listEffectiveTags
bigtable.instances.listTagBindings
cloudaicompanion.entitlements.get
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.analyzeMove
cloudasset.assets.analyzeOrgPolicy
cloudasset.assets.exportAccessLevel
cloudasset.assets.exportAccessPolicy
cloudasset.assets.exportAiplatformBatchPredictionJobs
cloudasset.assets.exportAiplatformCustomJobs
cloudasset.assets.exportAiplatformDataLabelingJobs
cloudasset.assets.exportAiplatformDatasets
cloudasset.assets.exportAiplatformEndpoints
cloudasset.assets.exportAiplatformHyperparameterTuningJobs
cloudasset.assets.exportAiplatformMetadataStores
cloudasset.assets.exportAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.exportAiplatformModels
cloudasset.assets.exportAiplatformPipelineJobs
cloudasset.assets.exportAiplatformSpecialistPools
cloudasset.assets.exportAiplatformTrainingPipelines
cloudasset.assets.exportAllAccessPolicy
cloudasset.assets.exportAnthosConnectedCluster
cloudasset.assets.exportAnthosedgeCluster
cloudasset.assets.exportApigatewayApi
cloudasset.assets.exportApigatewayApiConfig
cloudasset.assets.exportApigatewayGateway
cloudasset.assets.exportApikeysKeys
cloudasset.assets.exportAppengineApplications
cloudasset.assets.exportAppengineServices
cloudasset.assets.exportAppengineVersions
cloudasset.assets.exportArtifactregistryDockerImages
cloudasset.assets.exportArtifactregistryRepositories
cloudasset.assets.exportAssuredWorkloadsWorkloads
cloudasset.assets.exportBeyondCorpApiGateways
cloudasset.assets.exportBeyondCorpAppConnections
cloudasset.assets.exportBeyondCorpAppConnectors
cloudasset.assets.exportBeyondCorpAppGateways
cloudasset.assets.exportBeyondCorpClientConnectorServices
cloudasset.assets.exportBeyondCorpClientGateways
cloudasset.assets.exportBigqueryDatasets
cloudasset.assets.exportBigqueryModels
cloudasset.assets.exportBigqueryTables
cloudasset.assets.exportBigtableAppProfile
cloudasset.assets.exportBigtableBackup
cloudasset.assets.exportBigtableCluster
cloudasset.assets.exportBigtableInstance
cloudasset.assets.exportBigtableTable
cloudasset.assets.exportCloudAssetFeeds
cloudasset.assets.exportCloudDeployDeliveryPipelines
cloudasset.assets.exportCloudDeployReleases
cloudasset.assets.exportCloudDeployRollouts
cloudasset.assets.exportCloudDeployTargets
cloudasset.assets.exportCloudDocumentAIEvaluation
cloudasset.assets.exportCloudDocumentAIHumanReviewConfig
cloudasset.assets.exportCloudDocumentAILabelerPool
cloudasset.assets.exportCloudDocumentAIProcessor
cloudasset.assets.exportCloudDocumentAIProcessorVersion
cloudasset.assets.exportCloudbillingBillingAccounts
cloudasset.assets.exportCloudbillingProjectBillingInfos
cloudasset.assets.exportCloudfunctionsFunctions
cloudasset.assets.exportCloudfunctionsGen2Functions
cloudasset.assets.exportCloudkmsCryptoKeyVersions
cloudasset.assets.exportCloudkmsCryptoKeys
cloudasset.assets.exportCloudkmsEkmConnections
cloudasset.assets.exportCloudkmsImportJobs
cloudasset.assets.exportCloudkmsKeyRings
cloudasset.assets.exportCloudmemcacheInstances
cloudasset.assets.exportCloudresourcemanagerFolders
cloudasset.assets.exportCloudresourcemanagerOrganizations
cloudasset.assets.exportCloudresourcemanagerProjects
cloudasset.assets.exportCloudresourcemanagerTagBindings
cloudasset.assets.exportCloudresourcemanagerTagKeys
cloudasset.assets.exportCloudresourcemanagerTagValues
cloudasset.assets.exportComposerEnvironments
cloudasset.assets.exportComputeAddress
cloudasset.assets.exportComputeAutoscalers
cloudasset.assets.exportComputeBackendBuckets
cloudasset.assets.exportComputeBackendServices
cloudasset.assets.exportComputeCommitments
cloudasset.assets.exportComputeDisks
cloudasset.assets.exportComputeExternalVpnGateways
cloudasset.assets.exportComputeFirewallPolicies
cloudasset.assets.exportComputeFirewalls
cloudasset.assets.exportComputeForwardingRules
cloudasset.assets.exportComputeGlobalAddress
cloudasset.assets.exportComputeGlobalForwardingRules
cloudasset.assets.exportComputeHealthChecks
cloudasset.assets.exportComputeHttpHealthChecks
cloudasset.assets.exportComputeHttpsHealthChecks
cloudasset.assets.exportComputeImages
cloudasset.assets.exportComputeInstanceGroupManagers
cloudasset.assets.exportComputeInstanceGroups
cloudasset.assets.exportComputeInstanceTemplates
cloudasset.assets.exportComputeInstances
cloudasset.assets.exportComputeInterconnect
cloudasset.assets.exportComputeInterconnectAttachment
cloudasset.assets.exportComputeLicenses
cloudasset.assets.exportComputeNetworkEndpointGroups
cloudasset.assets.exportComputeNetworks
cloudasset.assets.exportComputeNodeGroups
cloudasset.assets.exportComputeNodeTemplates
cloudasset.assets.exportComputePacketMirrorings
cloudasset.assets.exportComputeProjects
cloudasset.assets.exportComputeRegionAutoscaler
cloudasset.assets.exportComputeRegionBackendServices
cloudasset.assets.exportComputeRegionDisk
cloudasset.assets.exportComputeRegionInstanceGroup
cloudasset.assets.exportComputeRegionInstanceGroupManager
cloudasset.assets.exportComputeReservations
cloudasset.assets.exportComputeResourcePolicies
cloudasset.assets.exportComputeRouters
cloudasset.assets.exportComputeRoutes
cloudasset.assets.exportComputeSecurityPolicy
cloudasset.assets.exportComputeServiceAttachments
cloudasset.assets.exportComputeSnapshots
cloudasset.assets.exportComputeSslCertificates
cloudasset.assets.exportComputeSslPolicies
cloudasset.assets.exportComputeSubnetworks
cloudasset.assets.exportComputeTargetHttpProxies
cloudasset.assets.exportComputeTargetHttpsProxies
cloudasset.assets.exportComputeTargetInstances
cloudasset.assets.exportComputeTargetPools
cloudasset.assets.exportComputeTargetSslProxies
cloudasset.assets.exportComputeTargetTcpProxies
cloudasset.assets.exportComputeTargetVpnGateways
cloudasset.assets.exportComputeUrlMaps
cloudasset.assets.exportComputeVpnGateways
cloudasset.assets.exportComputeVpnTunnels
cloudasset.assets.exportConnectorsConnections
cloudasset.assets.exportConnectorsConnectorVersions
cloudasset.assets.exportConnectorsConnectors
cloudasset.assets.exportConnectorsProviders
cloudasset.assets.exportConnectorsRuntimeConfigs
cloudasset.assets.exportContainerAppsDeployment
cloudasset.assets.exportContainerAppsReplicaSets
cloudasset.assets.exportContainerBatchJobs
cloudasset.assets.exportContainerClusterrole
cloudasset.assets.exportContainerClusterrolebinding
cloudasset.assets.exportContainerClusters
cloudasset.assets.exportContainerExtensionsIngresses
cloudasset.assets.exportContainerJobs
cloudasset.assets.exportContainerNamespace
cloudasset.assets.exportContainerNetworkingIngresses
cloudasset.assets.exportContainerNetworkingNetworkPolicies
cloudasset.assets.exportContainerNode
cloudasset.assets.exportContainerNodepool
cloudasset.assets.exportContainerPod
cloudasset.assets.exportContainerReplicaSets
cloudasset.assets.exportContainerRole
cloudasset.assets.exportContainerRolebinding
cloudasset.assets.exportContainerServices
cloudasset.assets.exportContainerregistryImage
cloudasset.assets.exportDataMigrationConnectionProfiles
cloudasset.assets.exportDataMigrationMigrationJobs
cloudasset.assets.exportDataflowJobs
cloudasset.assets.exportDatafusionInstance
cloudasset.assets.exportDataplexAssets
cloudasset.assets.exportDataplexLakes
cloudasset.assets.exportDataplexTasks
cloudasset.assets.exportDataplexZones
cloudasset.assets.exportDataprocAutoscalingPolicies
cloudasset.assets.exportDataprocBatches
cloudasset.assets.exportDataprocClusters
cloudasset.assets.exportDataprocJobs
cloudasset.assets.exportDataprocSessions
cloudasset.assets.exportDataprocWorkflowTemplates
cloudasset.assets.exportDatastreamConnectionProfile
cloudasset.assets.exportDatastreamPrivateConnection
cloudasset.assets.exportDatastreamStream
cloudasset.assets.exportDialogflowAgents
cloudasset.assets.exportDialogflowConversationProfiles
cloudasset.assets.exportDialogflowKnowledgeBases
cloudasset.assets.exportDialogflowLocationSettings
cloudasset.assets.exportDlpDeidentifyTemplates
cloudasset.assets.exportDlpDlpJobs
cloudasset.assets.exportDlpInspectTemplates
cloudasset.assets.exportDlpJobTriggers
cloudasset.assets.exportDlpStoredInfoTypes
cloudasset.assets.exportDnsManagedZones
cloudasset.assets.exportDnsPolicies
cloudasset.assets.exportDomainsRegistrations
cloudasset.assets.exportEventarcTriggers
cloudasset.assets.exportFileBackups
cloudasset.assets.exportFileInstances
cloudasset.assets.exportFirebaseAppInfos
cloudasset.assets.exportFirebaseProjects
cloudasset.assets.exportFirestoreDatabases
cloudasset.assets.exportGKEHubFeatures
cloudasset.assets.exportGKEHubMemberships
cloudasset.assets.exportGameservicesGameServerClusters
cloudasset.assets.exportGameservicesGameServerConfigs
cloudasset.assets.exportGameservicesGameServerDeployments
cloudasset.assets.exportGameservicesRealms
cloudasset.assets.exportGkeBackupBackupPlans
cloudasset.assets.exportGkeBackupBackups
cloudasset.assets.exportGkeBackupRestorePlans
cloudasset.assets.exportGkeBackupRestores
cloudasset.assets.exportGkeBackupVolumeBackups
cloudasset.assets.exportGkeBackupVolumeRestores
cloudasset.assets.exportHealthcareConsentStores
cloudasset.assets.exportHealthcareDatasets
cloudasset.assets.exportHealthcareDicomStores
cloudasset.assets.exportHealthcareFhirStores
cloudasset.assets.exportHealthcareHl7V2Stores
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportIamRoles
cloudasset.assets.exportIamServiceAccountKeys
cloudasset.assets.exportIamServiceAccounts
cloudasset.assets.exportIapTunnel
cloudasset.assets.exportIapTunnelInstances
cloudasset.assets.exportIapTunnelZones
cloudasset.assets.exportIapWeb
cloudasset.assets.exportIapWebServiceVersion
cloudasset.assets.exportIapWebServices
cloudasset.assets.exportIapWebType
cloudasset.assets.exportIdsEndpoints
cloudasset.assets.exportIntegrationsAuthConfigs
cloudasset.assets.exportIntegrationsCertificates
cloudasset.assets.exportIntegrationsExecutions
cloudasset.assets.exportIntegrationsIntegrationVersions
cloudasset.assets.exportIntegrationsIntegrations
cloudasset.assets.exportIntegrationsSfdcChannels
cloudasset.assets.exportIntegrationsSfdcInstances
cloudasset.assets.exportIntegrationsSuspensions
cloudasset.assets.exportLoggingLogMetrics
cloudasset.assets.exportLoggingLogSinks
cloudasset.assets.exportManagedidentitiesDomain
cloudasset.assets.exportMetastoreBackups
cloudasset.assets.exportMetastoreMetadataImports
cloudasset.assets.exportMetastoreServices
cloudasset.assets.exportMonitoringAlertPolicies
cloudasset.assets.exportNetworkConnectivityHubs
cloudasset.assets.exportNetworkConnectivitySpokes
cloudasset.assets.exportNetworkManagementConnectivityTests
cloudasset.assets.exportNetworkServicesEndpointPolicies
cloudasset.assets.exportNetworkServicesGateways
cloudasset.assets.exportNetworkServicesGrpcRoutes
cloudasset.assets.exportNetworkServicesHttpRoutes
cloudasset.assets.exportNetworkServicesMeshes
cloudasset.assets.exportNetworkServicesServiceBindings
cloudasset.assets.exportNetworkServicesTcpRoutes
cloudasset.assets.exportNetworkServicesTlsRoutes
cloudasset.assets.exportOSConfigOSPolicyAssignmentReports
cloudasset.assets.exportOSConfigOSPolicyAssignments
cloudasset.assets.exportOSConfigVulnerabilityReports
cloudasset.assets.exportOSInventories
cloudasset.assets.exportOrgPolicy
cloudasset.assets.exportPatchDeployments
cloudasset.assets.exportPubsubSnapshots
cloudasset.assets.exportPubsubSubscriptions
cloudasset.assets.exportPubsubTopics
cloudasset.assets.exportRedisInstances
cloudasset.assets.exportResource
cloudasset.assets.exportSecretManagerSecretVersions
cloudasset.assets.exportSecretManagerSecrets
cloudasset.assets.exportServiceDirectoryNamespaces
cloudasset.assets.exportServicePerimeter
cloudasset.assets.exportServiceconsumermanagementConsumerProperty
cloudasset.assets.exportServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.exportServiceconsumermanagementConsumers
cloudasset.assets.exportServiceconsumermanagementProducerOverrides
cloudasset.assets.exportServiceconsumermanagementTenancyUnits
cloudasset.assets.exportServiceconsumermanagementVisibility
cloudasset.assets.exportServicemanagementServices
cloudasset.assets.exportServiceusageAdminOverrides
cloudasset.assets.exportServiceusageConsumerOverrides
cloudasset.assets.exportServiceusageServices
cloudasset.assets.exportSpannerBackups
cloudasset.assets.exportSpannerDatabases
cloudasset.assets.exportSpannerInstances
cloudasset.assets.exportSpeakerIdPhrases
cloudasset.assets.exportSpeakerIdSettings
cloudasset.assets.exportSpeakerIdSpeakers
cloudasset.assets.exportSpeechCustomClasses
cloudasset.assets.exportSpeechPhraseSets
cloudasset.assets.exportSqladminBackupRuns
cloudasset.assets.exportSqladminInstances
cloudasset.assets.exportStorageBuckets
cloudasset.assets.exportTpuNodes
cloudasset.assets.exportVpcaccessConnector
cloudasset.assets.listAccessLevel
cloudasset.assets.listAccessPolicy
cloudasset.assets.listAiplatformBatchPredictionJobs
cloudasset.assets.listAiplatformCustomJobs
cloudasset.assets.listAiplatformDataLabelingJobs
cloudasset.assets.listAiplatformDatasets
cloudasset.assets.listAiplatformEndpoints
cloudasset.assets.listAiplatformHyperparameterTuningJobs
cloudasset.assets.listAiplatformMetadataStores
cloudasset.assets.listAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.listAiplatformModels
cloudasset.assets.listAiplatformPipelineJobs
cloudasset.assets.listAiplatformSpecialistPools
cloudasset.assets.listAiplatformTrainingPipelines
cloudasset.assets.listAllAccessPolicy
cloudasset.assets.listAnthosConnectedCluster
cloudasset.assets.listAnthosedgeCluster
cloudasset.assets.listApigatewayApi
cloudasset.assets.listApigatewayApiConfig
cloudasset.assets.listApigatewayGateway
cloudasset.assets.listApikeysKeys
cloudasset.assets.listAppengineApplications
cloudasset.assets.listAppengineServices
cloudasset.assets.listAppengineVersions
cloudasset.assets.listArtifactregistryDockerImages
cloudasset.assets.listArtifactregistryRepositories
cloudasset.assets.listAssuredWorkloadsWorkloads
cloudasset.assets.listBeyondCorpApiGateways
cloudasset.assets.listBeyondCorpAppConnections
cloudasset.assets.listBeyondCorpAppConnectors
cloudasset.assets.listBeyondCorpAppGateways
cloudasset.assets.listBeyondCorpClientConnectorServices
cloudasset.assets.listBeyondCorpClientGateways
cloudasset.assets.listBigqueryDatasets
cloudasset.assets.listBigqueryModels
cloudasset.assets.listBigqueryTables
cloudasset.assets.listBigtableAppProfile
cloudasset.assets.listBigtableBackup
cloudasset.assets.listBigtableCluster
cloudasset.assets.listBigtableInstance
cloudasset.assets.listBigtableTable
cloudasset.assets.listCloudAssetFeeds
cloudasset.assets.listCloudDeployDeliveryPipelines
cloudasset.assets.listCloudDeployReleases
cloudasset.assets.listCloudDeployRollouts
cloudasset.assets.listCloudDeployTargets
cloudasset.assets.listCloudDocumentAIEvaluation
cloudasset.assets.listCloudDocumentAIHumanReviewConfig
cloudasset.assets.listCloudDocumentAILabelerPool
cloudasset.assets.listCloudDocumentAIProcessor
cloudasset.assets.listCloudDocumentAIProcessorVersion
cloudasset.assets.listCloudbillingBillingAccounts
cloudasset.assets.listCloudbillingProjectBillingInfos
cloudasset.assets.listCloudfunctionsFunctions
cloudasset.assets.listCloudfunctionsGen2Functions
cloudasset.assets.listCloudkmsCryptoKeyVersions
cloudasset.assets.listCloudkmsCryptoKeys
cloudasset.assets.listCloudkmsEkmConnections
cloudasset.assets.listCloudkmsImportJobs
cloudasset.assets.listCloudkmsKeyRings
cloudasset.assets.listCloudmemcacheInstances
cloudasset.assets.listCloudresourcemanagerFolders
cloudasset.assets.listCloudresourcemanagerOrganizations
cloudasset.assets.listCloudresourcemanagerProjects
cloudasset.assets.listCloudresourcemanagerTagBindings
cloudasset.assets.listCloudresourcemanagerTagKeys
cloudasset.assets.listCloudresourcemanagerTagValues
cloudasset.assets.listComposerEnvironments
cloudasset.assets.listComputeAddress
cloudasset.assets.listComputeAutoscalers
cloudasset.assets.listComputeBackendBuckets
cloudasset.assets.listComputeBackendServices
cloudasset.assets.listComputeCommitments
cloudasset.assets.listComputeDisks
cloudasset.assets.listComputeExternalVpnGateways
cloudasset.assets.listComputeFirewallPolicies
cloudasset.assets.listComputeFirewalls
cloudasset.assets.listComputeForwardingRules
cloudasset.assets.listComputeGlobalAddress
cloudasset.assets.listComputeGlobalForwardingRules
cloudasset.assets.listComputeHealthChecks
cloudasset.assets.listComputeHttpHealthChecks
cloudasset.assets.listComputeHttpsHealthChecks
cloudasset.assets.listComputeImages
cloudasset.assets.listComputeInstanceGroupManagers
cloudasset.assets.listComputeInstanceGroups
cloudasset.assets.listComputeInstanceTemplates
cloudasset.assets.listComputeInstances
cloudasset.assets.listComputeInterconnect
cloudasset.assets.listComputeInterconnectAttachment
cloudasset.assets.listComputeLicenses
cloudasset.assets.listComputeNetworkEndpointGroups
cloudasset.assets.listComputeNetworks
cloudasset.assets.listComputeNodeGroups
cloudasset.assets.listComputeNodeTemplates
cloudasset.assets.listComputePacketMirrorings
cloudasset.assets.listComputeProjects
cloudasset.assets.listComputeRegionAutoscaler
cloudasset.assets.listComputeRegionBackendServices
cloudasset.assets.listComputeRegionDisk
cloudasset.assets.listComputeRegionInstanceGroup
cloudasset.assets.listComputeRegionInstanceGroupManager
cloudasset.assets.listComputeReservations
cloudasset.assets.listComputeResourcePolicies
cloudasset.assets.listComputeRouters
cloudasset.assets.listComputeRoutes
cloudasset.assets.listComputeSecurityPolicy
cloudasset.assets.listComputeServiceAttachments
cloudasset.assets.listComputeSnapshots
cloudasset.assets.listComputeSslCertificates
cloudasset.assets.listComputeSslPolicies
cloudasset.assets.listComputeSubnetworks
cloudasset.assets.listComputeTargetHttpProxies
cloudasset.assets.listComputeTargetHttpsProxies
cloudasset.assets.listComputeTargetInstances
cloudasset.assets.listComputeTargetPools
cloudasset.assets.listComputeTargetSslProxies
cloudasset.assets.listComputeTargetTcpProxies
cloudasset.assets.listComputeTargetVpnGateways
cloudasset.assets.listComputeUrlMaps
cloudasset.assets.listComputeVpnGateways
cloudasset.assets.listComputeVpnTunnels
cloudasset.assets.listConnectorsConnections
cloudasset.assets.listConnectorsConnectorVersions
cloudasset.assets.listConnectorsConnectors
cloudasset.assets.listConnectorsProviders
cloudasset.assets.listConnectorsRuntimeConfigs
cloudasset.assets.listContainerAppsDeployment
cloudasset.assets.listContainerAppsReplicaSets
cloudasset.assets.listContainerBatchJobs
cloudasset.assets.listContainerClusterrole
cloudasset.assets.listContainerClusterrolebinding
cloudasset.assets.listContainerClusters
cloudasset.assets.listContainerExtensionsIngresses
cloudasset.assets.listContainerJobs
cloudasset.assets.listContainerNamespace
cloudasset.assets.listContainerNetworkingIngresses
cloudasset.assets.listContainerNetworkingNetworkPolicies
cloudasset.assets.listContainerNode
cloudasset.assets.listContainerNodepool
cloudasset.assets.listContainerPod
cloudasset.assets.listContainerReplicaSets
cloudasset.assets.listContainerRole
cloudasset.assets.listContainerRolebinding
cloudasset.assets.listContainerServices
cloudasset.assets.listContainerregistryImage
cloudasset.assets.listDataMigrationConnectionProfiles
cloudasset.assets.listDataMigrationMigrationJobs
cloudasset.assets.listDataflowJobs
cloudasset.assets.listDatafusionInstance
cloudasset.assets.listDataplexAssets
cloudasset.assets.listDataplexLakes
cloudasset.assets.listDataplexTasks
cloudasset.assets.listDataplexZones
cloudasset.assets.listDataprocAutoscalingPolicies
cloudasset.assets.listDataprocBatches
cloudasset.assets.listDataprocClusters
cloudasset.assets.listDataprocJobs
cloudasset.assets.listDataprocSessions
cloudasset.assets.listDataprocWorkflowTemplates
cloudasset.assets.listDatastreamConnectionProfile
cloudasset.assets.listDatastreamPrivateConnection
cloudasset.assets.listDatastreamStream
cloudasset.assets.listDialogflowAgents
cloudasset.assets.listDialogflowConversationProfiles
cloudasset.assets.listDialogflowKnowledgeBases
cloudasset.assets.listDialogflowLocationSettings
cloudasset.assets.listDlpDeidentifyTemplates
cloudasset.assets.listDlpDlpJobs
cloudasset.assets.listDlpInspectTemplates
cloudasset.assets.listDlpJobTriggers
cloudasset.assets.listDlpStoredInfoTypes
cloudasset.assets.listDnsManagedZones
cloudasset.assets.listDnsPolicies
cloudasset.assets.listDomainsRegistrations
cloudasset.assets.listEventarcTriggers
cloudasset.assets.listFileBackups
cloudasset.assets.listFileInstances
cloudasset.assets.listFirebaseAppInfos
cloudasset.assets.listFirebaseProjects
cloudasset.assets.listFirestoreDatabases
cloudasset.assets.listGKEHubFeatures
cloudasset.assets.listGKEHubMemberships
cloudasset.assets.listGameservicesGameServerClusters
cloudasset.assets.listGameservicesGameServerConfigs
cloudasset.assets.listGameservicesGameServerDeployments
cloudasset.assets.listGameservicesRealms
cloudasset.assets.listGkeBackupBackupPlans
cloudasset.assets.listGkeBackupBackups
cloudasset.assets.listGkeBackupRestorePlans
cloudasset.assets.listGkeBackupRestores
cloudasset.assets.listGkeBackupVolumeBackups
cloudasset.assets.listGkeBackupVolumeRestores
cloudasset.assets.listHealthcareConsentStores
cloudasset.assets.listHealthcareDatasets
cloudasset.assets.listHealthcareDicomStores
cloudasset.assets.listHealthcareFhirStores
cloudasset.assets.listHealthcareHl7V2Stores
cloudasset.assets.listIamPolicy
cloudasset.assets.listIamRoles
cloudasset.assets.listIamServiceAccountKeys
cloudasset.assets.listIamServiceAccounts
cloudasset.assets.listIapTunnel
cloudasset.assets.listIapTunnelInstances
cloudasset.assets.listIapTunnelZones
cloudasset.assets.listIapWeb
cloudasset.assets.listIapWebServiceVersion
cloudasset.assets.listIapWebServices
cloudasset.assets.listIapWebType
cloudasset.assets.listIdsEndpoints
cloudasset.assets.listIntegrationsAuthConfigs
cloudasset.assets.listIntegrationsCertificates
cloudasset.assets.listIntegrationsExecutions
cloudasset.assets.listIntegrationsIntegrationVersions
cloudasset.assets.listIntegrationsIntegrations
cloudasset.assets.listIntegrationsSfdcChannels
cloudasset.assets.listIntegrationsSfdcInstances
cloudasset.assets.listIntegrationsSuspensions
cloudasset. assets. listLoggingLogMetrics
cloudasset. assets. listLoggingLogSinks
cloudasset. assets. listManagedidentitiesDomain
cloudasset. assets. listMetastoreBackups
cloudasset. assets. listMetastoreMetadataImports
cloudasset. assets. listMetastoreServices
cloudasset. assets. listMonitoringAlertPolicies
cloudasset. assets. listNetworkConnectivityHubs
cloudasset. assets. listNetworkConnectivitySpokes
cloudasset. assets. listNetworkManagementConnectivityTests
cloudasset. assets. listNetworkServicesEndpointPolicies
cloudasset. assets. listNetworkServicesGateways
cloudasset. assets. listNetworkServicesGrpcRoutes
cloudasset. assets. listNetworkServicesHttpRoutes
cloudasset. assets. listNetworkServicesMeshes
cloudasset. assets. listNetworkServicesServiceBindings
cloudasset. assets. listNetworkServicesTcpRoutes
cloudasset. assets. listNetworkServicesTlsRoutes
cloudasset. assets. listOSConfigOSPolicyAssignmentReports
cloudasset. assets. listOSConfigOSPolicyAssignments
cloudasset. assets. listOSConfigVulnerabilityReports
cloudasset. assets. listOSInventories
cloudasset. assets. listOrgPolicy
cloudasset. assets. listPatchDeployments
cloudasset. assets. listPubsubSnapshots
cloudasset. assets. listPubsubSubscriptions
cloudasset. assets. listPubsubTopics
cloudasset. assets. listRedisInstances
cloudasset.assets.listResource
cloudasset.assets.listRunDomainMapping
cloudasset.assets.listRunRevision
cloudasset.assets.listRunService
cloudasset.assets.listSecretManagerSecretVersions
cloudasset.assets.listSecretManagerSecrets
cloudasset.assets.listServiceDirectoryNamespaces
cloudasset.assets.listServicePerimeter
cloudasset.assets.listServiceconsumermanagementConsumerProperty
cloudasset.assets.listServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.listServiceconsumermanagementConsumers
cloudasset.assets.listServiceconsumermanagementProducerOverrides
cloudasset.assets.listServiceconsumermanagementTenancyUnits
cloudasset.assets.listServiceconsumermanagementVisibility
cloudasset.assets.listServicemanagementServices
cloudasset.assets.listServiceusageAdminOverrides
cloudasset.assets.listServiceusageConsumerOverrides
cloudasset.assets.listServiceusageServices
cloudasset.assets.listSpannerBackups
cloudasset.assets.listSpannerDatabases
cloudasset.assets.listSpannerInstances
cloudasset.assets.listSpeakerIdPhrases
cloudasset.assets.listSpeakerIdSettings
cloudasset.assets.listSpeakerIdSpeakers
cloudasset.assets.listSpeechCustomClasses
cloudasset.assets.listSpeechPhraseSets
cloudasset.assets.listSqladminBackupRuns
cloudasset.assets.listSqladminInstances
cloudasset.assets.listStorageBuckets
cloudasset.assets.listTpuNodes
cloudasset.assets.listVpcaccessConnector
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
clouddeploy.deliveryPipelines.createTagBinding
clouddeploy.deliveryPipelines.deleteTagBinding
clouddeploy.deliveryPipelines.listEffectiveTags
clouddeploy.deliveryPipelines.listTagBindings
clouddeploy.targets.createTagBinding
clouddeploy.targets.deleteTagBinding
clouddeploy.targets.listEffectiveTags
clouddeploy.targets.listTagBindings
cloudkms.keyRings.createTagBinding
cloudkms.keyRings.deleteTagBinding
cloudkms.keyRings.listEffectiveTags
cloudkms.keyRings.listTagBindings
cloudsql.instances.connect
cloudsql.instances.createTagBinding
cloudsql.instances.deleteTagBinding
cloudsql.instances.get
cloudsql.instances.listEffectiveTags
cloudsql.instances.listTagBindings
cloudsql.instances.login
compute.addresses.createTagBinding
compute.addresses.deleteTagBinding
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.backendBuckets.createTagBinding
compute.backendBuckets.deleteTagBinding
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.createTagBinding
compute.backendServices.deleteTagBinding
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.createTagBinding
compute.externalVpnGateways.deleteTagBinding
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.firewallPolicies.createTagBinding
compute.firewallPolicies.deleteTagBinding
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.createTagBinding
compute.firewalls.deleteTagBinding
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.createTagBinding
compute.forwardingRules.deleteTagBinding
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.globalAddresses.createTagBinding
compute.globalAddresses.deleteTagBinding
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.globalForwardingRules.createTagBinding
compute.globalForwardingRules.deleteTagBinding
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalNetworkEndpointGroups.createTagBinding
compute.globalNetworkEndpointGroups.deleteTagBinding
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.healthChecks.createTagBinding
compute.healthChecks.deleteTagBinding
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.createTagBinding
compute.httpHealthChecks.deleteTagBinding
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.createTagBinding
compute.httpsHealthChecks.deleteTagBinding
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.createTagBinding
compute.images.deleteTagBinding
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.createTagBinding
compute.instanceGroupManagers.deleteTagBinding
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroups.createTagBinding
compute.instanceGroups.deleteTagBinding
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.instances.createTagBinding
compute.instances.deleteTagBinding
compute.instances.listEffectiveTags
compute.instances.listTagBindings
compute.interconnectAttachments.createTagBinding
compute.interconnectAttachments.deleteTagBinding
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnects.createTagBinding
compute.interconnects.deleteTagBinding
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.networkAttachments.createTagBinding
compute.networkAttachments.deleteTagBinding
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkEdgeSecurityServices.createTagBinding
compute.networkEdgeSecurityServices.deleteTagBinding
compute.networkEdgeSecurityServices.listEffectiveTags
compute.networkEdgeSecurityServices.listTagBindings
compute.networkEndpointGroups.createTagBinding
compute.networkEndpointGroups.deleteTagBinding
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networks.createTagBinding
compute.networks.deleteTagBinding
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.packetMirrorings.createTagBinding
compute.packetMirrorings.deleteTagBinding
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.publicDelegatedPrefixes.createTagBinding
compute.publicDelegatedPrefixes.deleteTagBinding
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.regionBackendServices.createTagBinding
compute.regionBackendServices.deleteTagBinding
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.createTagBinding
compute.regionFirewallPolicies.deleteTagBinding
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthChecks.createTagBinding
compute.regionHealthChecks.deleteTagBinding
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.createTagBinding
compute.regionNetworkEndpointGroups.deleteTagBinding
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionSecurityPolicies.createTagBinding
compute.regionSecurityPolicies.deleteTagBinding
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSslCertificates.createTagBinding
compute.regionSslCertificates.deleteTagBinding
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.createTagBinding
compute.regionSslPolicies.deleteTagBinding
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetHttpProxies.createTagBinding
compute.regionTargetHttpProxies.deleteTagBinding
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.createTagBinding
compute.regionTargetHttpsProxies.deleteTagBinding
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.createTagBinding
compute.regionTargetTcpProxies.deleteTagBinding
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.regionUrlMaps.createTagBinding
compute.regionUrlMaps.deleteTagBinding
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.routers.createTagBinding
compute.routers.deleteTagBinding
compute.routers.listEffectiveTags
compute.routers.listTagBindings
compute.routes.createTagBinding
compute.routes.deleteTagBinding
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.createTagBinding
compute.securityPolicies.deleteTagBinding
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.serviceAttachments.createTagBinding
compute.serviceAttachments.deleteTagBinding
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings
compute.snapshots.createTagBinding
compute.snapshots.deleteTagBinding
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.createTagBinding
compute.sslCertificates.deleteTagBinding
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.createTagBinding
compute.sslPolicies.deleteTagBinding
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.subnetworks.createTagBinding
compute.subnetworks.deleteTagBinding
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetGrpcProxies.createTagBinding
compute.targetGrpcProxies.deleteTagBinding
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings
compute.targetHttpProxies.createTagBinding
compute.targetHttpProxies.deleteTagBinding
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.createTagBinding
compute.targetHttpsProxies.deleteTagBinding
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.createTagBinding
compute.targetInstances.deleteTagBinding
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.createTagBinding
compute.targetPools.deleteTagBinding
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.createTagBinding
compute.targetSslProxies.deleteTagBinding
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.createTagBinding
compute.targetTcpProxies.deleteTagBinding
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.targetVpnGateways.createTagBinding
compute.targetVpnGateways.deleteTagBinding
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.urlMaps.createTagBinding
compute.urlMaps.deleteTagBinding
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
compute.vpnGateways.createTagBinding
compute.vpnGateways.deleteTagBinding
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.createTagBinding
compute.vpnTunnels.deleteTagBinding
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings
container.clusters.createTagBinding
container.clusters.deleteTagBinding
container.clusters.listEffectiveTags
container.clusters.listTagBindings
datacatalog.categories.fineGrainedGet
datacatalog.entries.updateTag
datacatalog.entryGroups.updateTag
datacatalog.tagTemplates.create
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
datacatalog.tagTemplates.use
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
datafusion.instances.createTagBinding
datafusion.instances.deleteTagBinding
datafusion.instances.listEffectiveTags
datafusion.instances.listTagBindings
dataplex.projects.search
datastore.databases.createTagBinding
datastore.databases.deleteTagBinding
datastore.databases.listEffectiveTags
datastore.databases.listTagBindings
datastream.connectionProfiles.createTagBinding
datastream.connectionProfiles.deleteTagBinding
datastream.connectionProfiles.listEffectiveTags
datastream.connectionProfiles.listTagBindings
datastream.privateConnections.createTagBinding
datastream.privateConnections.deleteTagBinding
datastream.privateConnections.listEffectiveTags
datastream.privateConnections.listTagBindings
datastream.streams.createTagBinding
datastream.streams.deleteTagBinding
datastream.streams.listEffectiveTags
datastream.streams.listTagBindings
dlp.*
domains.registrations.createTagBinding
domains.registrations.deleteTagBinding
domains.registrations.listEffectiveTags
domains.registrations.listTagBindings
file.backups.createTagBinding
file.backups.deleteTagBinding
file.backups.listEffectiveTags
file.backups.listTagBindings
file.instances.createTagBinding
file.instances.deleteTagBinding
file.instances.listEffectiveTags
file.instances.listTagBindings
file.snapshots.createTagBinding
file.snapshots.deleteTagBinding
file.snapshots.listEffectiveTags
file.snapshots.listTagBindings
iam.serviceAccounts.createTagBinding
iam.serviceAccounts.deleteTagBinding
iam.serviceAccounts.listEffectiveTags
iam.serviceAccounts.listTagBindings
logging.buckets.createTagBinding
logging.buckets.deleteTagBinding
logging.buckets.listEffectiveTags
logging.buckets.listTagBindings
managedidentities.domains.createTagBinding
managedidentities.domains.deleteTagBinding
managedidentities.domains.listEffectiveTags
managedidentities.domains.listTagBindings
pubsub.topics.updateTag
recommender.alloydbClusterPerformanceInsights.get
recommender.alloydbClusterPerformanceInsights.list
recommender.alloydbClusterPerformanceRecommendations.get
recommender.alloydbClusterPerformanceRecommendations.list
recommender.alloydbClusterReliabilityInsights.get
recommender.alloydbClusterReliabilityInsights.list
recommender.alloydbClusterReliabilityRecommendations.get
recommender.alloydbClusterReliabilityRecommendations.list
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
redis.instances.createTagBinding
redis.instances.deleteTagBinding
redis.instances.listEffectiveTags
redis.instances.listTagBindings
resourcemanager.hierarchyNodes.*
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.tagValueBindings.*
resourcemanager.tagValues.get
resourcemanager.tagValues.list
run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
secretmanager.secrets.createTagBinding
secretmanager.secrets.deleteTagBinding
secretmanager.secrets.listEffectiveTags
secretmanager.secrets.listTagBindings
serviceusage.services.use
spanner.instances.createTagBinding
spanner.instances.deleteTagBinding
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.getIamPolicy
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
workflows.workflows.createTagBinding
workflows.workflows.deleteTagBinding
workflows.workflows.listEffectiveTags
workflows.workflows.listTagBindings
DLP Reader
(roles/dlp.reader)
Read DLP entities, such as jobs and templates.
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectFindings.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.jobTriggers.get
dlp.jobTriggers.list
dlp.jobs.get
dlp.jobs.list
dlp.locations.*
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
DLP Stored InfoTypes Editor
(roles/dlp.storedInfoTypesEditor)
Edit DLP stored info types.
dlp.storedInfoTypes.*
DLP Stored InfoTypes Reader
(roles/dlp.storedInfoTypesReader)
Read DLP stored info types.
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
DLP Subscription Admin
(roles/dlp.subscriptionsAdmin)
Manage DLP subscriptions.
dlp.subscriptions.*
resourcemanager.projects.get
resourcemanager.projects.list
DLP Subscription Viewer
(roles/dlp.subscriptionsReader)
View DLP subscriptions.
dlp.subscriptions.get
dlp.subscriptions.list
DLP Table Data Profiles Admin
(roles/dlp.tableDataProfilesAdmin)
Manage DLP table profiles.
dlp.tableDataProfiles.*
DLP Table Data Profiles Reader
(roles/dlp.tableDataProfilesReader)
Read DLP table profiles.
dlp.tableDataProfiles.get
dlp.tableDataProfiles.list
DLP User
(roles/dlp.user)
Inspect, Redact, and De-identify Content
dlp.kms.encrypt
dlp.locations.*
serviceusage.services.use
Cloud Domains roles
Permissions
Cloud Domains Admin
(roles/domains.admin)
Full access to Cloud Domains Registrations and related resources.
domains.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Domains Viewer
(roles/domains.viewer)
Read-only access to Cloud Domains Registrations and related resources.
domains.locations.*
domains.operations.get
domains.operations.list
domains.registrations.get
domains.registrations.getIamPolicy
domains.registrations.list
domains.registrations.listEffectiveTags
domains.registrations.listTagBindings
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Filestore roles
Permissions
Cloud Filestore Editor
Beta
(roles/file.editor)
Read-write access to Filestore instances and related resources.
file.*
Cloud Filestore Viewer
Beta
(roles/file.viewer)
Read-only access to Filestore instances and related resources.
file.backups.get
file.backups.list
file.backups.listEffectiveTags
file.backups.listTagBindings
file.instances.get
file.instances.list
file.instances.listEffectiveTags
file.instances.listTagBindings
file.locations.*
file.operations.get
file.operations.list
file.snapshots.listEffectiveTags
file.snapshots.listTagBindings
Cloud Financial Services roles
Permissions
Financial Services Admin
(roles/financialservices.admin)
Full access to all Financial Services API resources.
financialservices.*
resourcemanager.projects.get
resourcemanager.projects.list
Financial Services Viewer
(roles/financialservices.viewer)
View access to all Financial Services API resources.
financialservices.locations.*
financialservices.operations.get
financialservices.operations.list
financialservices.v1backtests.exportMetadata
financialservices.v1backtests.get
financialservices.v1backtests.list
financialservices.v1datasets.get
financialservices.v1datasets.list
financialservices.v1engineconfigs.exportMetadata
financialservices.v1engineconfigs.get
financialservices.v1engineconfigs.list
financialservices.v1engineversions.*
financialservices.v1instances.exportRegisteredParties
financialservices.v1instances.get
financialservices.v1instances.list
financialservices.v1models.exportMetadata
financialservices.v1models.get
financialservices.v1models.list
financialservices.v1predictions.exportMetadata
financialservices.v1predictions.get
financialservices.v1predictions.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Functions roles
Permissions
Cloud Functions Admin
(roles/cloudfunctions.admin)
Full access to functions, operations and locations.
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
cloudfunctions.*
eventarc.*
recommender.cloudFunctionsPerformanceInsights.*
recommender.cloudFunctionsPerformanceRecommendations.*
recommender.locations.*
recommender.runServiceCostInsights.*
recommender.runServiceCostRecommendations.*
recommender.runServiceIdentityInsights.*
recommender.runServiceIdentityRecommendations.*
recommender.runServicePerformanceInsights.*
recommender.runServicePerformanceRecommendations.*
recommender.runServiceSecurityInsights.*
recommender.runServiceSecurityRecommendations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Functions Developer
(roles/cloudfunctions.developer)
Read and write access to all functions-related resources.
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
cloudfunctions.functions.call
cloudfunctions.functions.create
cloudfunctions.functions.delete
cloudfunctions.functions.get
cloudfunctions.functions.invoke
cloudfunctions.functions.list
cloudfunctions.functions.sourceCodeGet
cloudfunctions.functions.sourceCodeSet
cloudfunctions.functions.update
cloudfunctions.locations.list
cloudfunctions.operations.*
eventarc.channelConnections.create
eventarc.channelConnections.delete
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.publish
eventarc.channels.attach
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.undelete
eventarc.channels.update
eventarc.enrollments.create
eventarc.enrollments.delete
eventarc.enrollments.get
eventarc.enrollments.getIamPolicy
eventarc.enrollments.list
eventarc.enrollments.update
eventarc.googleApiSources.create
eventarc.googleApiSources.delete
eventarc.googleApiSources.get
eventarc.googleApiSources.getIamPolicy
eventarc.googleApiSources.list
eventarc.googleApiSources.update
eventarc.googleChannelConfigs.*
eventarc.locations.*
eventarc.operations.*
eventarc.pipelines.create
eventarc.pipelines.delete
eventarc.pipelines.get
eventarc.pipelines.getIamPolicy
eventarc.pipelines.list
eventarc.pipelines.update
eventarc.providers.*
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.undelete
eventarc.triggers.update
recommender.cloudFunctionsPerformanceInsights.*
recommender.cloudFunctionsPerformanceRecommendations.*
recommender.locations.*
recommender.runServiceCostInsights.*
recommender.runServiceCostRecommendations.*
recommender.runServiceIdentityInsights.*
recommender.runServiceIdentityRecommendations.*
recommender.runServicePerformanceInsights.*
recommender.runServicePerformanceRecommendations.*
recommender.runServiceSecurityInsights.*
recommender.runServiceSecurityRecommendations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.*
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.jobs.run
run.jobs.runWithOverrides
run.jobs.update
run.locations.list
run.operations.*
run.revisions.*
run.routes.*
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.update
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Functions Invoker
(roles/cloudfunctions.invoker)
Ability to invoke 1st gen HTTP functions with restricted access. 2nd gen functions need the Cloud Run Invoker role instead.
cloudfunctions.functions.invoke
Cloud Functions Viewer
(roles/cloudfunctions.viewer)
Read-only access to functions and locations.
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
cloudfunctions.functions.get
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.locations.list
cloudfunctions.operations.*
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.enrollments.get
eventarc.enrollments.getIamPolicy
eventarc.enrollments.list
eventarc.googleApiSources.get
eventarc.googleApiSources.getIamPolicy
eventarc.googleApiSources.list
eventarc.googleChannelConfigs.get
eventarc.locations.*
eventarc.messageBuses.get
eventarc.messageBuses.getIamPolicy
eventarc.messageBuses.list
eventarc.messageBuses.use
eventarc.operations.get
eventarc.operations.list
eventarc.pipelines.get
eventarc.pipelines.getIamPolicy
eventarc.pipelines.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
recommender.cloudFunctionsPerformanceInsights.get
recommender.cloudFunctionsPerformanceInsights.list
recommender.cloudFunctionsPerformanceRecommendations.get
recommender.cloudFunctionsPerformanceRecommendations.list
recommender.locations.*
recommender.runServiceCostInsights.get
recommender.runServiceCostInsights.list
recommender.runServiceCostRecommendations.get
recommender.runServiceCostRecommendations.list
recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServiceSecurityInsights.get
recommender.runServiceSecurityInsights.list
recommender.runServiceSecurityRecommendations.get
recommender.runServiceSecurityRecommendations.list
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.get
run.executions.list
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.locations.list
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Healthcare roles
Permissions
Healthcare Annotation Editor
(roles/healthcare.annotationEditor)
Create, delete, update, read and list annotations.
healthcare.annotationStores.get
healthcare.annotationStores.list
healthcare.annotations.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Annotation Reader
(roles/healthcare.annotationReader)
Read and list annotations in an Annotation store.
healthcare.annotationStores.get
healthcare.annotationStores.list
healthcare.annotations.get
healthcare.annotations.list
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Annotation Administrator
(roles/healthcare.annotationStoreAdmin)
Administer Annotation stores.
healthcare.annotationStores.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Annotation Store Viewer
(roles/healthcare.annotationStoreViewer)
List Annotation Stores in a dataset.
healthcare.annotationStores.get
healthcare.annotationStores.list
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Attribute Definition Editor
(roles/healthcare.attributeDefinitionEditor)
Edit AttributeDefinition objects.
healthcare.attributeDefinitions.*
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Attribute Definition Reader
(roles/healthcare.attributeDefinitionReader)
Read AttributeDefinition objects in a consent store.
healthcare.attributeDefinitions.get
healthcare.attributeDefinitions.list
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Administrator
(roles/healthcare.consentArtifactAdmin)
Administer ConsentArtifact objects.
healthcare.consentArtifacts.*
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Editor
(roles/healthcare.consentArtifactEditor)
Edit ConsentArtifact objects.
healthcare.consentArtifacts.create
healthcare.consentArtifacts.get
healthcare.consentArtifacts.list
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Reader
(roles/healthcare.consentArtifactReader)
Read ConsentArtifact objects in a consent store.
healthcare.consentArtifacts.get
healthcare.consentArtifacts.list
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Editor
(roles/healthcare.consentEditor)
Edit Consent objects.
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.consents.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Reader
(roles/healthcare.consentReader)
Read Consent objects in a consent store.
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.consents.get
healthcare.consents.list
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Store Administrator
(roles/healthcare.consentStoreAdmin)
Administer Consent stores.
healthcare.consentStores.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Store Viewer
(roles/healthcare.consentStoreViewer)
List Consent Stores in a dataset.
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Dataset Administrator
(roles/healthcare.datasetAdmin)
Administer Healthcare Datasets.
healthcare.datasets.*
healthcare.locations.*
healthcare.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Dataset Viewer
(roles/healthcare.datasetViewer)
List the Healthcare Datasets in a project.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Editor
(roles/healthcare.dicomEditor)
Edit DICOM images individually and in bulk.
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.dicomWebDelete
healthcare.dicomStores.dicomWebRead
healthcare.dicomStores.dicomWebWrite
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.import
healthcare.dicomStores.list
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Store Administrator
(roles/healthcare.dicomStoreAdmin)
Administer DICOM stores.
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.create
healthcare.dicomStores.deidentify
healthcare.dicomStores.delete
healthcare.dicomStores.dicomWebDelete
healthcare.dicomStores.get
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.dicomStores.setIamPolicy
healthcare.dicomStores.update
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Store Viewer
(roles/healthcare.dicomStoreViewer)
List DICOM Stores in a dataset.
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Viewer
(roles/healthcare.dicomViewer)
Retrieve DICOM images from a DICOM store.
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.dicomWebRead
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Resource Editor
(roles/healthcare.fhirResourceEditor)
Create, delete, update, read and search FHIR resources.
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.create
healthcare.fhirResources.delete
healthcare.fhirResources.get
healthcare.fhirResources.patch
healthcare.fhirResources.translateConceptMap
healthcare.fhirResources.update
healthcare.fhirStores.executeBundle
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.fhirStores.searchResources
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Resource Reader
(roles/healthcare.fhirResourceReader)
Read and search FHIR resources.
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.get
healthcare.fhirResources.translateConceptMap
healthcare.fhirStores.executeBundle
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.fhirStores.searchResources
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Store Administrator
(roles/healthcare.fhirStoreAdmin)
Administer FHIR resource stores.
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.purge
healthcare.fhirStores.applyConsents
healthcare.fhirStores.configureSearch
healthcare.fhirStores.create
healthcare.fhirStores.deidentify
healthcare.fhirStores.delete
healthcare.fhirStores.deleteFhirOperation
healthcare.fhirStores.explainDataAccess
healthcare.fhirStores.export
healthcare.fhirStores.get
healthcare.fhirStores.getFhirOperation
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.import
healthcare.fhirStores.list
healthcare.fhirStores.rollback
healthcare.fhirStores.setIamPolicy
healthcare.fhirStores.update
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Store Viewer
(roles/healthcare.fhirStoreViewer)
List FHIR Stores in a dataset.
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Message Consumer
(roles/healthcare.hl7V2Consumer)
List and read HL7v2 messages, update message labels, and publish new messages.
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.create
healthcare.hl7V2Messages.get
healthcare.hl7V2Messages.list
healthcare.hl7V2Messages.update
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Message Editor
(roles/healthcare.hl7V2Editor)
Read, write, and delete access to HL7v2 messages.
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.*
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Message Ingest
(roles/healthcare.hl7V2Ingest)
Ingest HL7v2 messages received from a source network.
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.ingest
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Store Administrator
(roles/healthcare.hl7V2StoreAdmin)
Administer HL7v2 Stores.
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.*
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Store Viewer
(roles/healthcare.hl7V2StoreViewer)
View HL7v2 Stores in a dataset.
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare NLP Service Viewer
Beta
(roles/healthcare.nlpServiceViewer)
Extract and analyze medical entities from a given text.
healthcare.locations.*
healthcare.nlpservice.analyzeEntities
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare User Data Mapping Editor
(roles/healthcare.userDataMappingEditor)
Edit UserDataMapping objects.
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
healthcare.userDataMappings.*
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare User Data Mapping Reader
(roles/healthcare.userDataMappingReader)
Read UserDataMapping objects in a consent store.
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
healthcare.userDataMappings.get
healthcare.userDataMappings.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud IAP roles
Permissions
IAP Policy Admin
(roles/iap.admin)
Provides full access to Identity-Aware Proxy resources.
iap.tunnel.*
iap.tunnelDestGroups.getIamPolicy
iap.tunnelDestGroups.setIamPolicy
iap.tunnelInstances.getIamPolicy
iap.tunnelInstances.setIamPolicy
iap.tunnelLocations.*
iap.tunnelZones.*
iap.web.getIamPolicy
iap.web.setIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServiceVersions.setIamPolicy
iap.webServices.getIamPolicy
iap.webServices.setIamPolicy
iap.webTypes.getIamPolicy
iap.webTypes.setIamPolicy
IAP-secured Web App User
(roles/iap.httpsResourceAccessor)
Provides permission to access HTTPS resources which use Identity-Aware Proxy.
iap.webServiceVersions.accessViaIAP
(roles/iap.remediatorUser)
Remediate IAP resource
iap.tunnelDestGroups.remediate
iap.tunnelinstances.remediate
iap.webServiceVersions.remediate
IAP Settings Admin
(roles/iap.settingsAdmin)
Administrator of IAP Settings.
iap.projects.*
iap.web.getSettings
iap.web.updateSettings
iap.webServiceVersions.getSettings
iap.webServiceVersions.updateSettings
iap.webServices.getSettings
iap.webServices.updateSettings
iap.webTypes.getSettings
iap.webTypes.updateSettings
IAP-secured Tunnel Destination Group Editor
(roles/iap.tunnelDestGroupEditor)
Edit Tunnel Destination Group resources which use Identity-Aware Proxy
iap.tunnelDestGroups.create
iap.tunnelDestGroups.delete
iap.tunnelDestGroups.get
iap.tunnelDestGroups.list
iap.tunnelDestGroups.update
IAP-secured Tunnel Destination Group Viewer
(roles/iap.tunnelDestGroupViewer)
View Tunnel Destination Group resources which use Identity-Aware Proxy
iap.tunnelDestGroups.get
iap.tunnelDestGroups.list
IAP-secured Tunnel User
(roles/iap.tunnelResourceAccessor)
Access Tunnel resources which use Identity-Aware Proxy
iap.tunnelDestGroups.accessViaIAP
iap.tunnelInstances.accessViaIAP
Cloud IDS roles
Permissions
Cloud IDS Admin
Beta
(roles/ids.admin)
Full access to all Cloud IDS resources.
ids.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud IDS Viewer
Beta
(roles/ids.viewer)
Read-only access to all Cloud IDS resources.
ids.endpoints.get
ids.endpoints.getIamPolicy
ids.endpoints.list
ids.locations.*
ids.operations.get
ids.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS roles
Permissions
Cloud KMS Admin
(roles/cloudkms.admin)
Provides access to Cloud KMS resources, except for access to restricted resource types and cryptographic operations.
Lowest-level resources where you can grant this role:
cloudkms.autokeyConfigs.*
cloudkms.cryptoKeyVersions.create
cloudkms.cryptoKeyVersions.destroy
cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeyVersions.restore
cloudkms.cryptoKeyVersions.update
cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
cloudkms.cryptoKeyVersions.useToEncryptViaDelegation
cloudkms.cryptoKeys.*
cloudkms.ekmConfigs.*
cloudkms.ekmConnections.*
cloudkms.importJobs.*
cloudkms.keyHandles.*
cloudkms.keyRings.*
cloudkms.locations.get
cloudkms.locations.list
cloudkms.locations.optOutKeyDeletionMsa
cloudkms.operations.get
cloudkms.projects.showEffectiveAutokeyConfig
resourcemanager.projects.get
Cloud KMS Autokey Admin
(roles/cloudkms.autokeyAdmin)
Enables management of AutokeyConfig.
cloudkms.autokeyConfigs.*
cloudkms.projects.showEffectiveAutokeyConfig
Cloud KMS Autokey User
(roles/cloudkms.autokeyUser)
Grants ability to use KeyHandle resources.
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.projects.showEffectiveAutokeyConfig
Cloud KMS CryptoKey Decrypter
(roles/cloudkms.cryptoKeyDecrypter)
Provides ability to use Cloud KMS resources for decrypt operations only.
Lowest-level resources where you can grant this role:
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Decrypter Via Delegation
(roles/cloudkms.cryptoKeyDecrypterViaDelegation)
Enables Decrypt operations via other Google Cloud services
cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS CryptoKey Encrypter
(roles/cloudkms.cryptoKeyEncrypter)
Provides ability to use Cloud KMS resources for encrypt operations only.
Lowest-level resources where you can grant this role:
cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Encrypter/Decrypter
(roles/cloudkms.cryptoKeyEncrypterDecrypter)
Provides ability to use Cloud KMS resources for encrypt and decrypt operations only.
Lowest-level resources where you can grant this role:
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation
(roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation)
Enables Encrypt and Decrypt operations via other Google Cloud services
cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
cloudkms.cryptoKeyVersions.useToEncryptViaDelegation
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS CryptoKey Encrypter Via Delegation
(roles/cloudkms.cryptoKeyEncrypterViaDelegation)
Enables Encrypt operations via other Google Cloud services
cloudkms.cryptoKeyVersions.useToEncryptViaDelegation
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS Crypto Operator
(roles/cloudkms.cryptoOperator)
Enables all Crypto Operations.
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.cryptoKeyVersions.useToSign
cloudkms.cryptoKeyVersions.useToVerify
cloudkms.cryptoKeyVersions.viewPublicKey
cloudkms.locations.generateRandomBytes
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS EkmConnections Admin
(roles/cloudkms.ekmConnectionsAdmin)
Enables management of EkmConnections.
cloudkms.ekmConfigs.get
cloudkms.ekmConfigs.update
cloudkms.ekmConnections.create
cloudkms.ekmConnections.get
cloudkms.ekmConnections.list
cloudkms.ekmConnections.update
cloudkms.ekmConnections.verifyConnectivity
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS Expert Raw AES-CBC Key Manager
(roles/cloudkms.expertRawAesCbc)
Enables raw AES-CBC keys management.
cloudkms.cryptoKeyVersions.manageRawAesCbcKeys
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS Expert Raw AES-CTR Key Manager
(roles/cloudkms.expertRawAesCtr)
Enables raw AES-CTR keys management.
cloudkms.cryptoKeyVersions.manageRawAesCtrKeys
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS Expert Raw PKCS#1 Key Manager
(roles/cloudkms.expertRawPKCS1)
Enables raw PKCS#1 keys management.
cloudkms.cryptoKeyVersions.manageRawPKCS1Keys
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS Importer
(roles/cloudkms.importer)
Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations
cloudkms.importJobs.create
cloudkms.importJobs.get
cloudkms.importJobs.list
cloudkms.importJobs.useToImport
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS Protected Resources Viewer
(roles/cloudkms.protectedResourcesViewer)
Enables viewing protected resources.
cloudkms.protectedResources.search
Cloud KMS CryptoKey Public Key Viewer
(roles/cloudkms.publicKeyViewer)
Enables GetPublicKey operations
cloudkms.cryptoKeyVersions.viewPublicKey
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Signer
(roles/cloudkms.signer)
Enables Sign operations
cloudkms.cryptoKeyVersions.useToSign
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Signer/Verifier
(roles/cloudkms.signerVerifier)
Enables Sign, Verify, and GetPublicKey operations
cloudkms.cryptoKeyVersions.useToSign
cloudkms.cryptoKeyVersions.useToVerify
cloudkms.cryptoKeyVersions.viewPublicKey
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Verifier
(roles/cloudkms.verifier)
Enables Verify and GetPublicKey operations
cloudkms.cryptoKeyVersions.useToVerify
cloudkms.cryptoKeyVersions.viewPublicKey
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS Viewer
(roles/cloudkms.viewer)
Enables Get and List operations.
cloudkms.autokeyConfigs.get
cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeys.get
cloudkms.cryptoKeys.list
cloudkms.ekmConfigs.get
cloudkms.ekmConnections.get
cloudkms.ekmConnections.list
cloudkms.importJobs.get
cloudkms.importJobs.list
cloudkms.keyHandles.get
cloudkms.keyHandles.list
cloudkms.keyRings.get
cloudkms.keyRings.list
cloudkms.locations.get
cloudkms.locations.list
cloudkms.operations.get
resourcemanager.projects.get
Cloud Life Sciences roles
Permissions
Cloud Life Sciences Admin
Beta
(roles/lifesciences.admin)
Full control of Cloud Life Sciences resources.
lifesciences.*
Cloud Life Sciences Editor
Beta
(roles/lifesciences.editor)
Access to read and edit Cloud Life Sciences resources.
lifesciences.*
Cloud Life Sciences Viewer
Beta
(roles/lifesciences.viewer)
Access to read Cloud Life Sciences resources.
lifesciences.operations.get
lifesciences.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Life Sciences Workflows Runner
Beta
(roles/lifesciences.workflowsRunner)
Full access to operate on Cloud Life Sciences workflows.
lifesciences.*
Cloud Managed Identities roles
Permissions
Google Cloud Managed Identities Admin
(roles/managedidentities.admin)
Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted at the project level.
managedidentities.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Backup Admin
(roles/managedidentities.backupAdmin)
Full access to Google Cloud Managed Identities Backup and related resources. Intended to be granted at the project level.
managedidentities.backups.*
managedidentities.domains.get
managedidentities.locations.*
managedidentities.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Backup Viewer
(roles/managedidentities.backupViewer)
Read-only access to Google Cloud Managed Identities Backup and related resources.
managedidentities.backups.get
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.domains.get
managedidentities.locations.*
managedidentities.operations.get
managedidentities.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Domain Admin
(roles/managedidentities.domainAdmin)
Read, update, and delete access to Google Cloud Managed Identities Domains and related resources. Intended to be granted at the resource (domain) level.
managedidentities.backups.*
managedidentities.domains.attachTrust
managedidentities.domains.checkMigrationPermission
managedidentities.domains.createTagBinding
managedidentities.domains.delete
managedidentities.domains.deleteTagBinding
managedidentities.domains.detachTrust
managedidentities.domains.disableMigration
managedidentities.domains.domainJoinMachine
managedidentities.domains.enableMigration
managedidentities.domains.extendSchema
managedidentities.domains.get
managedidentities.domains.getIamPolicy
managedidentities.domains.listEffectiveTags
managedidentities.domains.listTagBindings
managedidentities.domains.reconfigureTrust
managedidentities.domains.resetpassword
managedidentities.domains.restore
managedidentities.domains.update
managedidentities.domains.updateLDAPSSettings
managedidentities.domains.validateTrust
managedidentities.locations.*
managedidentities.operations.get
managedidentities.operations.list
managedidentities.sqlintegrations.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Domain Join
Beta
(roles/managedidentities.domainJoin)
Access to domain join VMs with Cloud AD
managedidentities.domains.domainJoinMachine
managedidentities.domains.get
Google Cloud Managed Identities Peering Admin
(roles/managedidentities.peeringAdmin)
Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted at the project level.
managedidentities.locations.*
managedidentities.operations.*
managedidentities.peerings.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Peering Viewer
(roles/managedidentities.peeringViewer)
Read-only access to Google Cloud Managed Identities Peering and related resources.
managedidentities.locations.*
managedidentities.operations.get
managedidentities.operations.list
managedidentities.peerings.get
managedidentities.peerings.getIamPolicy
managedidentities.peerings.list
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Viewer
(roles/managedidentities.viewer)
Read-only access to Google Cloud Managed Identities Domains and related resources.
managedidentities.backups.get
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.domains.get
managedidentities.domains.getIamPolicy
managedidentities.domains.list
managedidentities.domains.listEffectiveTags
managedidentities.domains.listTagBindings
managedidentities.locations.*
managedidentities.operations.get
managedidentities.operations.list
managedidentities.peerings.get
managedidentities.peerings.getIamPolicy
managedidentities.peerings.list
managedidentities.sqlintegrations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Marketplace roles
Permissions
Commerce Business Enablement Configuration Admin
Beta
(roles/commercebusinessenablement.admin)
Admin of Various Provider Configuration resources
commercebusinessenablement.leadgenConfig.*
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.*
commercebusinessenablement.resellerRestrictions.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement PaymentConfig Admin
Beta
(roles/commercebusinessenablement.paymentConfigAdmin)
Administration of Payment Configuration resource
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.*
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement PaymentConfig Viewer
Beta
(roles/commercebusinessenablement.paymentConfigViewer)
Viewer of Payment Configuration resource
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.get
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement Rebates Admin
Beta
(roles/commercebusinessenablement.rebatesAdmin)
Provides admin access to rebates
commercebusinessenablement.operations.*
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.*
Commerce Business Enablement Rebates Viewer
Beta
(roles/commercebusinessenablement.rebatesViewer)
Provides read-only access to rebates
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
Commerce Business Enablement Reseller Discount Admin
Beta
(roles/commercebusinessenablement.resellerDiscountAdmin)
Provides admin access to reseller discount offers
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.*
commercebusinessenablement.resellerPrivateOfferPlans.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement Reseller Discount Viewer
Beta
(roles/commercebusinessenablement.resellerDiscountViewer)
Provides read-only access to reseller discount offers
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement Configuration Viewer
Beta
(roles/commercebusinessenablement.viewer)
Viewer of Various Provider Configuration resource
commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerRestrictions.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Offer Catalog Offers Viewer
Beta
(roles/commerceoffercatalog.offersViewer)
Allows viewing offers
commerceoffercatalog.*
Commerce Organization Governance Admin
Beta
(roles/commerceorggovernance.admin)
Full access to Organization Governance APIs
commerceorggovernance.*
consumerprocurement.entitlements.*
resourcemanager.projects.get
resourcemanager.projects.list
Governed Marketplace User
Beta
(roles/commerceorggovernance.user)
Full access to Governed Marketplace features.
commerceorggovernance.services.*
consumerprocurement.entitlements.*
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Organization Governance Viewer
Beta
(roles/commerceorggovernance.viewer)
Full access to Organization Governance read-only APIs.
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.organizationSettings.get
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.services.get
commerceorggovernance.services.list
consumerprocurement.entitlements.*
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Price Management Events Viewer
Beta
(roles/commercepricemanagement.eventsViewer)
Allows viewing key events for an offer
commerceprice.events.*
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Price Management Private Offers Admin
Beta
(roles/commercepricemanagement.privateOffersAdmin)
Allows managing private offers
commerceagreementpublishing.*
commerceprice.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Commerce Price Management Viewer
Beta
(roles/commercepricemanagement.viewer)
Allows viewing offers, free trials, skus
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceprice.privateoffers.get
commerceprice.privateoffers.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Commerce Producer Admin
Beta
(roles/commerceproducer.admin)
Grants full access to all resources in Cloud Commerce Producer API.
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Producer Viewer
Beta
(roles/commerceproducer.viewer)
Grants read access to all resources in Cloud Commerce Producer API.
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
Consumer Procurement Entitlement Manager
(roles/consumerprocurement.entitlementManager)
Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project.
commerceoffercatalog.offers.get
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.*
consumerprocurement.freeTrials.*
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Consumer Procurement Entitlement Viewer
(roles/consumerprocurement.entitlementViewer)
Allows inspecting entitlements and service states for a consumer project.
commerceoffercatalog.offers.get
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Consumer Procurement Events Viewer
(roles/consumerprocurement.eventsViewer)
Allows viewing key events for an offer
consumerprocurement.events.*
Consumer Procurement License Pool Editor
(roles/consumerprocurement.licensePoolEditor)
Allows managing license pools and license assignments.
consumerprocurement.licensePools.*
Consumer Procurement License Pool Viewer
(roles/consumerprocurement.licensePoolViewer)
Allows viewing license pools and license assignments.
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
Consumer Procurement Order Administrator
(roles/consumerprocurement.orderAdmin)
Allows managing purchases.
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
consumerprocurement.accounts.*
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.events.*
consumerprocurement.licensePools.*
consumerprocurement.orderAttributions.*
consumerprocurement.orders.*
Consumer Procurement Order Viewer
(roles/consumerprocurement.orderViewer)
Allows inspecting purchases.
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
Consumer Procurement Administrator
(roles/consumerprocurement.procurementAdmin)
Allows managing purchases, consents at both billing account and project level.
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
consumerprocurement.*
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Consumer Procurement Viewer
(roles/consumerprocurement.procurementViewer)
Allows inspecting purchases, consents and entitlements and service states for a consumer project.
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Cloud Migration roles
Permissions
Velostrata Manager
Beta
(roles/cloudmigration.inframanager)
Ability to create and manage Compute VMs to run Velostrata Infrastructure
cloudmigration.velostrataendpoints.connect
compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.setLabels
compute.addresses.use
compute.addresses.useInternal
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.globalOperations.get
compute.images.get
compute.images.list
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.reset
compute.instances.setDiskAutoDelete
compute.instances.setLabels
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setScheduling
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.update
compute.instances.updateNetworkInterface
compute.instances.updateShieldedInstanceConfig
compute.instances.use
compute.licenseCodes.get
compute.licenseCodes.list
compute.licenseCodes.update
compute.licenses.get
compute.licenses.list
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.nodeGroups.get
compute.nodeGroups.list
compute.nodeTemplates.list
compute.projects.get
compute.regionOperations.get
compute.regions.*
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zones.*
gkehub.endpoints.connect
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
Velostrata Storage Access
Beta
(roles/cloudmigration.storageaccess)
Ability to access migration storage
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Velostrata Manager Connection Agent
Beta
(roles/cloudmigration.velostrataconnect)
Ability to set up connection between Velostrata Manager and Google
cloudmigration.velostrataendpoints.connect
gkehub.endpoints.connect
VM Migration Administrator
Beta
(roles/vmmigration.admin)
Ability to view and edit all VM Migration objects
resourcemanager.projects.get
resourcemanager.projects.list
vmmigration.*
VM Migration Viewer
Beta
(roles/vmmigration.viewer)
Ability to view all VM Migration objects
resourcemanager.projects.get
resourcemanager.projects.list
vmmigration.cloneJobs.get
vmmigration.cloneJobs.list
vmmigration.cutoverJobs.get
vmmigration.cutoverJobs.list
vmmigration.datacenterConnectors.get
vmmigration.datacenterConnectors.list
vmmigration.deployments.get
vmmigration.deployments.list
vmmigration.groups.get
vmmigration.groups.list
vmmigration.locations.*
vmmigration.migratingVms.get
vmmigration.migratingVms.list
vmmigration.operations.get
vmmigration.operations.list
vmmigration.replicationCycles.*
vmmigration.sources.get
vmmigration.sources.list
vmmigration.targets.get
vmmigration.targets.list
vmmigration.utilizationReports.get
vmmigration.utilizationReports.list
Cloud Private Catalog roles
Permissions
Catalog Consumer
Beta
(roles/cloudprivatecatalog.consumer)
Can browse catalogs in the target resource context.
cloudprivatecatalog.targets.get
resourcemanager.projects.get
resourcemanager.projects.list
Catalog Admin
Beta
(roles/cloudprivatecatalogproducer.admin)
Can manage catalog and view its associations.
cloudprivatecatalog.targets.get
cloudprivatecatalogproducer.associations.*
cloudprivatecatalogproducer.catalogAssociations.*
cloudprivatecatalogproducer.catalogs.*
cloudprivatecatalogproducer.producerCatalogs.*
cloudprivatecatalogproducer.products.*
cloudprivatecatalogproducer.targets.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Catalog Manager
Beta
(roles/cloudprivatecatalogproducer.manager)
Can manage associations between a catalog and a target resource.
cloudprivatecatalog.targets.get
cloudprivatecatalogproducer.associations.*
cloudprivatecatalogproducer.catalogAssociations.*
cloudprivatecatalogproducer.catalogs.get
cloudprivatecatalogproducer.catalogs.list
cloudprivatecatalogproducer.producerCatalogs.get
cloudprivatecatalogproducer.producerCatalogs.list
cloudprivatecatalogproducer.targets.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Catalog Org Admin
Beta
(roles/cloudprivatecatalogproducer.orgAdmin)
Can manage catalog org settings.
cloudprivatecatalog.targets.get
cloudprivatecatalogproducer.*
commerceorggovernance.organizationSettings.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Profiler roles
Permissions
Cloud Profiler Agent
(roles/cloudprofiler.agent)
Cloud Profiler agents are allowed to register and provide the profiling data.
cloudprofiler.profiles.create
cloudprofiler.profiles.update
Cloud Profiler User
(roles/cloudprofiler.user)
Cloud Profiler users are allowed to query and view the profiling data.
cloudprofiler.profiles.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Run roles
Permissions
Cloud Run Admin
(roles/run.admin)
Full control over all Cloud Run resources.
Lowest-level resources where you can grant this role:
Cloud Run service
Cloud Run job
recommender.locations.*
recommender.runServiceCostInsights.*
recommender.runServiceCostRecommendations.*
recommender.runServiceIdentityInsights.*
recommender.runServiceIdentityRecommendations.*
recommender.runServicePerformanceInsights.*
recommender.runServicePerformanceRecommendations.*
recommender.runServiceSecurityInsights.*
recommender.runServiceSecurityRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
run.*
Cloud Run Builder
Beta
(roles/run.builder)
Can build Cloud Run functions and source deployed services.
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.uploadArtifacts
logging.logEntries.create
source.repos.get
storage.objects.get
Cloud Run Developer
(roles/run.developer)
Read and write access to all Cloud Run resources.
Lowest-level resources where you can grant this role:
Cloud Run service
Cloud Run job
recommender.locations.*
recommender.runServiceCostInsights.*
recommender.runServiceCostRecommendations.*
recommender.runServiceIdentityInsights.*
recommender.runServiceIdentityRecommendations.*
recommender.runServicePerformanceInsights.*
recommender.runServicePerformanceRecommendations.*
recommender.runServiceSecurityInsights.*
recommender.runServiceSecurityRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.*
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.jobs.run
run.jobs.runWithOverrides
run.jobs.update
run.locations.list
run.operations.*
run.revisions.*
run.routes.*
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.update
run.tasks.*
Cloud Run Invoker
(roles/run.invoker)
Can invoke Cloud Run services and execute Cloud Run jobs.
Lowest-level resources where you can grant this role:
Cloud Run service
Cloud Run job
run.jobs.run
run.routes.invoke
Cloud Run Jobs Executor
(roles/run.jobsExecutor)
Can execute and cancel Cloud Run jobs.
run.executions.cancel
run.jobs.run
Cloud Run Jobs Executor With Overrides
(roles/run.jobsExecutorWithOverrides)
Can execute and cancel Cloud Run jobs with overrides.
run.executions.cancel
run.jobs.run
run.jobs.runWithOverrides
Cloud Run Service Invoker
(roles/run.servicesInvoker)
Can invoke Cloud Run services.
run.routes.invoke
Cloud Run Source Developer
Beta
(roles/run.sourceDeveloper)
Deploy and manage Cloud Run source deployed resources.
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.create
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
eventarc.channelConnections.create
eventarc.channelConnections.delete
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.publish
eventarc.channels.attach
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.undelete
eventarc.channels.update
eventarc.enrollments.create
eventarc.enrollments.delete
eventarc.enrollments.get
eventarc.enrollments.getIamPolicy
eventarc.enrollments.list
eventarc.enrollments.update
eventarc.googleApiSources.create
eventarc.googleApiSources.delete
eventarc.googleApiSources.get
eventarc.googleApiSources.getIamPolicy
eventarc.googleApiSources.list
eventarc.googleApiSources.update
eventarc.googleChannelConfigs.*
eventarc.locations.*
eventarc.operations.*
eventarc.pipelines.create
eventarc.pipelines.delete
eventarc.pipelines.get
eventarc.pipelines.getIamPolicy
eventarc.pipelines.list
eventarc.pipelines.update
eventarc.providers.*
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.undelete
eventarc.triggers.update
orgpolicy.policy.get
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
recommender.locations.*
recommender.runServiceCostInsights.*
recommender.runServiceCostRecommendations.*
recommender.runServiceIdentityInsights.*
recommender.runServiceIdentityRecommendations.*
recommender.runServicePerformanceInsights.*
recommender.runServicePerformanceRecommendations.*
recommender.runServiceSecurityInsights.*
recommender.runServiceSecurityRecommendations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.*
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.jobs.run
run.jobs.runWithOverrides
run.jobs.update
run.locations.list
run.operations.*
run.revisions.*
run.routes.*
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.update
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.folders.create
storage.folders.get
storage.folders.list
storage.managedFolders.create
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.listParts
storage.objects.create
storage.objects.get
storage.objects.list
Cloud Run Source Viewer
Beta
(roles/run.sourceViewer)
View Cloud Run source deployed resources.
artifactregistry.repositories.get
artifactregistry.repositories.list
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.enrollments.get
eventarc.enrollments.getIamPolicy
eventarc.enrollments.list
eventarc.googleApiSources.get
eventarc.googleApiSources.getIamPolicy
eventarc.googleApiSources.list
eventarc.googleChannelConfigs.get
eventarc.locations.*
eventarc.messageBuses.get
eventarc.messageBuses.getIamPolicy
eventarc.messageBuses.list
eventarc.messageBuses.use
eventarc.operations.get
eventarc.operations.list
eventarc.pipelines.get
eventarc.pipelines.getIamPolicy
eventarc.pipelines.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
recommender.locations.*
recommender.runServiceCostInsights.get
recommender.runServiceCostInsights.list
recommender.runServiceCostRecommendations.get
recommender.runServiceCostRecommendations.list
recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServiceSecurityInsights.get
recommender.runServiceSecurityInsights.list
recommender.runServiceSecurityRecommendations.get
recommender.runServiceSecurityRecommendations.list
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.get
run.executions.list
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.locations.list
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
Cloud Run Viewer
(roles/run.viewer)
Can view the state of all Cloud Run resources, including IAM policies.
Lowest-level resources where you can grant this role:
Cloud Run service
Cloud Run job
recommender.locations.*
recommender.runServiceCostInsights.get
recommender.runServiceCostInsights.list
recommender.runServiceCostRecommendations.get
recommender.runServiceCostRecommendations.list
recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServiceSecurityInsights.get
recommender.runServiceSecurityInsights.list
recommender.runServiceSecurityRecommendations.get
recommender.runServiceSecurityRecommendations.list
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.get
run.executions.list
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.locations.list
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.tasks.*
Cloud Scheduler roles
Permissions
Cloud Scheduler Admin
(roles/cloudscheduler.admin)
Full access to jobs and executions.
Note that a Cloud Scheduler Admin (or any custom role with the permission cloudscheduler.jobs.create) can create jobs that publish to any Pub/Sub topic within the project.
appengine.applications.get
cloudscheduler.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Cloud Scheduler Job Runner
(roles/cloudscheduler.jobRunner)
Access to run jobs.
appengine.applications.get
cloudscheduler.jobs.fullView
cloudscheduler.jobs.run
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Cloud Scheduler Viewer
(roles/cloudscheduler.viewer)
Get and list access to jobs, executions, and locations.
appengine.applications.get
cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.list
cloudscheduler.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Cloud Security Scanner roles
Permissions
Web Security Scanner Editor
(roles/cloudsecurityscanner.editor)
Full access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
appengine.applications.get
cloudsecurityscanner.*
compute.addresses.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Web Security Scanner Runner
(roles/cloudsecurityscanner.runner)
Read access to Scan and ScanRun, plus the ability to start scans
Lowest-level resources where you can grant this role:
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
Web Security Scanner Viewer
(roles/cloudsecurityscanner.viewer)
Read access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.*
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Services roles
Permissions
Service Broker Admin
(roles/servicebroker.admin)
Full access to ServiceBroker resources.
servicebroker.*
Service Broker Operator
(roles/servicebroker.operator)
Operational access to the ServiceBroker resources.
servicebroker.bindingoperations.*
servicebroker.bindings.create
servicebroker.bindings.delete
servicebroker.bindings.get
servicebroker.bindings.list
servicebroker.catalogs.create
servicebroker.catalogs.delete
servicebroker.catalogs.get
servicebroker.catalogs.list
servicebroker.instanceoperations.*
servicebroker.instances.create
servicebroker.instances.delete
servicebroker.instances.get
servicebroker.instances.list
servicebroker.instances.update
Cloud Spanner roles
Permissions
Cloud Spanner Admin
(roles/spanner.admin)
Has complete access to all Spanner resources in a Google Cloud project. A principal with this role can:
Grant and revoke permissions to other principals for all Spanner resources in the project.
Allocate and delete chargeable Spanner resources.
Issue get/list/modify operations on Cloud Spanner resources.
Read from and write to all Cloud Spanner databases in the project.
Fetch project metadata.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.*
resourcemanager.projects.get
resourcemanager.projects.list
spanner.*
Cloud Spanner Backup Admin
(roles/spanner.backupAdmin)
A principal with this role can:
Create, view, update, and delete backups.
View and manage a backup's allow policy.
This role cannot restore a database from a backup.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.backupOperations.*
spanner.backupSchedules.create
spanner.backupSchedules.delete
spanner.backupSchedules.get
spanner.backupSchedules.list
spanner.backupSchedules.update
spanner.backups.copy
spanner.backups.create
spanner.backups.delete
spanner.backups.get
spanner.backups.getIamPolicy
spanner.backups.list
spanner.backups.setIamPolicy
spanner.backups.update
spanner.databases.createBackup
spanner.databases.get
spanner.databases.list
spanner.instancePartitions.get
spanner.instancePartitions.list
spanner.instances.createTagBinding
spanner.instances.deleteTagBinding
spanner.instances.get
spanner.instances.list
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
Cloud Spanner Backup Writer
(roles/spanner.backupWriter)
This role is intended to be used by scripts that automate backup creation.
A principal with this role can create backups, but cannot update or delete them.
Lowest-level resources where you can grant this role:
spanner.backupOperations.get
spanner.backupOperations.list
spanner.backupSchedules.create
spanner.backupSchedules.get
spanner.backupSchedules.list
spanner.backups.copy
spanner.backups.create
spanner.backups.get
spanner.backups.list
spanner.databases.createBackup
spanner.databases.get
spanner.databases.list
spanner.instancePartitions.get
spanner.instances.get
Cloud Spanner Database Admin
(roles/spanner.databaseAdmin)
A principal with this role can:
Get/list all Spanner instances in the project.
Create/list/drop databases in an instance.
Grant/revoke access to databases in the project.
Read from and write to all Cloud Spanner databases in the project.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.*
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databaseOperations.*
spanner.databaseRoles.*
spanner.databases.beginOrRollbackReadWriteTransaction
spanner.databases.beginPartitionedDmlTransaction
spanner.databases.beginReadOnlyTransaction
spanner.databases.changequorum
spanner.databases.create
spanner.databases.drop
spanner.databases.get
spanner.databases.getDdl
spanner.databases.getIamPolicy
spanner.databases.list
spanner.databases.partitionQuery
spanner.databases.partitionRead
spanner.databases.read
spanner.databases.select
spanner.databases.setIamPolicy
spanner.databases.update
spanner.databases.updateDdl
spanner.databases.updateTag
spanner.databases.useDataBoost
spanner.databases.useRoleBasedAccess
spanner.databases.write
spanner.instancePartitions.get
spanner.instancePartitions.list
spanner.instances.createTagBinding
spanner.instances.deleteTagBinding
spanner.instances.get
spanner.instances.getIamPolicy
spanner.instances.list
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
spanner.sessions.*
Cloud Spanner Database Reader
(roles/spanner.databaseReader)
A principal with this role can:
Read from the Spanner database.
Execute SQL queries on the database.
View schema for the database.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.create
spanner.databases.beginReadOnlyTransaction
spanner.databases.getDdl
spanner.databases.partitionQuery
spanner.databases.partitionRead
spanner.databases.read
spanner.databases.select
spanner.instancePartitions.get
spanner.instances.get
spanner.sessions.*
Cloud Spanner Database Reader with DataBoost
(roles/spanner.databaseReaderWithDataBoost)
Includes all permissions in the spanner.databaseReader role enabling access to read and/or query a Cloud Spanner database using instance resources, as well as the permission to access the database with Data Boost, a fully managed serverless service that provides independent compute resources.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.create
spanner.databases.beginReadOnlyTransaction
spanner.databases.getDdl
spanner.databases.partitionQuery
spanner.databases.partitionRead
spanner.databases.read
spanner.databases.select
spanner.databases.useDataBoost
spanner.instancePartitions.get
spanner.instances.get
spanner.sessions.*
Cloud Spanner Database Role User
(roles/spanner.databaseRoleUser)
In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`.
Lowest-level resources where you can grant this role:
spanner.databaseRoles.use
Cloud Spanner Database User
(roles/spanner.databaseUser)
A principal with this role can:
Read from and write to the Spanner database.
Execute SQL queries on the database, including DML and Partitioned DML.
View and update schema for the database.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.create
spanner.databaseOperations.*
spanner.databases.beginOrRollbackReadWriteTransaction
spanner.databases.beginPartitionedDmlTransaction
spanner.databases.beginReadOnlyTransaction
spanner.databases.changequorum
spanner.databases.getDdl
spanner.databases.partitionQuery
spanner.databases.partitionRead
spanner.databases.read
spanner.databases.select
spanner.databases.updateDdl
spanner.databases.updateTag
spanner.databases.write
spanner.instancePartitions.get
spanner.instances.get
spanner.sessions.*
Cloud Spanner Fine-grained Access User
(roles/spanner.fineGrainedAccessUser)
Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the `roles/spanner.databaseRoleUser` IAM role and its necessary conditions.
Lowest-level resources where you can grant this role:
spanner.databaseRoles.list
spanner.databases.useRoleBasedAccess
Cloud Spanner Restore Admin
(roles/spanner.restoreAdmin)
A principal with this role can restore databases from backups.
If you need to restore a backup to a different instance, apply this role at the project level or to both instances. This role cannot create backups.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.backups.get
spanner.backups.list
spanner.backups.restoreDatabase
spanner.databaseOperations.*
spanner.databases.create
spanner.databases.get
spanner.databases.list
spanner.instancePartitions.get
spanner.instancePartitions.list
spanner.instances.createTagBinding
spanner.instances.deleteTagBinding
spanner.instances.get
spanner.instances.list
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
Cloud Spanner Viewer
(roles/spanner.viewer)
A principal with this role can:
View all Spanner instances (but cannot modify instances).
View all Spanner databases (but cannot modify or read from databases).
For example, you can combine this role with the roles/spanner.databaseUser role to grant a user access to a specific database, but only view access to other instances and databases.
This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud console.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databases.list
spanner.instanceConfigs.get
spanner.instanceConfigs.list
spanner.instancePartitions.get
spanner.instancePartitions.list
spanner.instances.get
spanner.instances.list
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
Cloud SQL roles
Permissions
Cloud SQL Admin
(roles/cloudsql.admin)
Provides full control of Cloud SQL resources.
Lowest-level resources where you can grant this role:
cloudaicompanion.companions.*
cloudaicompanion.entitlements.get
cloudaicompanion.instances.completeCode
cloudaicompanion.instances.generateCode
cloudsql.*
recommender.cloudsqlIdleInstanceRecommendations.*
recommender.cloudsqlInstanceActivityInsights.*
recommender.cloudsqlInstanceCpuUsageInsights.*
recommender.cloudsqlInstanceDiskUsageTrendInsights.*
recommender.cloudsqlInstanceMemoryUsageInsights.*
recommender.cloudsqlInstanceOomProbabilityInsights.*
recommender.cloudsqlInstanceOutOfDiskRecommendations.*
recommender.cloudsqlInstancePerformanceInsights.*
recommender.cloudsqlInstancePerformanceRecommendations.*
recommender.cloudsqlInstanceReliabilityInsights.*
recommender.cloudsqlInstanceReliabilityRecommendations.*
recommender.cloudsqlInstanceSecurityInsights.*
recommender.cloudsqlInstanceSecurityRecommendations.*
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.*
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.*
recommender.cloudsqlOverprovisionedInstanceRecommendations.*
recommender.cloudsqlUnderProvisionedInstanceRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud SQL Client
(roles/cloudsql.client)
Provides connectivity access to Cloud SQL instances.
Lowest-level resources where you can grant this role:
cloudsql.instances.connect
cloudsql.instances.get
Cloud SQL Editor
(roles/cloudsql.editor)
Provides full control of existing Cloud SQL instances excluding
modifying users, SSL certificates or deleting resources.
Lowest-level resources where you can grant this role:
cloudaicompanion.entitlements.get
cloudsql.backupRuns.create
cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.create
cloudsql.databases.get
cloudsql.databases.list
cloudsql.databases.update
cloudsql.instances.addServerCa
cloudsql.instances.addServerCertificate
cloudsql.instances.connect
cloudsql.instances.export
cloudsql.instances.failover
cloudsql.instances.get
cloudsql.instances.getDiskShrinkConfig
cloudsql.instances.list
cloudsql.instances.listEffectiveTags
cloudsql.instances.listServerCas
cloudsql.instances.listServerCertificates
cloudsql.instances.listTagBindings
cloudsql.instances.migrate
cloudsql.instances.performDiskShrink
cloudsql.instances.reencrypt
cloudsql.instances.resetReplicaSize
cloudsql.instances.restart
cloudsql.instances.rotateServerCa
cloudsql.instances.rotateServerCertificate
cloudsql.instances.truncateLog
cloudsql.instances.update
cloudsql.schemas.view
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.get
cloudsql.users.list
recommender.cloudsqlIdleInstanceRecommendations.*
recommender.cloudsqlInstanceActivityInsights.*
recommender.cloudsqlInstanceCpuUsageInsights.*
recommender.cloudsqlInstanceDiskUsageTrendInsights.*
recommender.cloudsqlInstanceMemoryUsageInsights.*
recommender.cloudsqlInstanceOomProbabilityInsights.*
recommender.cloudsqlInstanceOutOfDiskRecommendations.*
recommender.cloudsqlInstancePerformanceInsights.*
recommender.cloudsqlInstancePerformanceRecommendations.*
recommender.cloudsqlInstanceReliabilityInsights.*
recommender.cloudsqlInstanceReliabilityRecommendations.*
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.*
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.*
recommender.cloudsqlOverprovisionedInstanceRecommendations.*
recommender.cloudsqlUnderProvisionedInstanceRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud SQL Instance User
(roles/cloudsql.instanceUser)
Role allowing access to a Cloud SQL instance
cloudsql.instances.get
cloudsql.instances.login
Cloud SQL Schema Viewer
(roles/cloudsql.schemaViewer)
Role allowing access to the Cloud SQL instance schema on Dataplex
cloudsql.schemas.view
Cloud SQL Studio User
(roles/cloudsql.studioUser)
Role allowing access to Cloud SQL Studio
cloudaicompanion.companions.*
cloudaicompanion.instances.completeCode
cloudaicompanion.instances.generateCode
cloudsql.databases.list
cloudsql.instances.executeSql
cloudsql.instances.get
cloudsql.instances.login
cloudsql.users.list
Cloud SQL Viewer
(roles/cloudsql.viewer)
Provides read-only access to Cloud SQL resources.
Lowest-level resources where you can grant this role:
cloudaicompanion.entitlements.get
cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.get
cloudsql.databases.list
cloudsql.instances.export
cloudsql.instances.get
cloudsql.instances.getDiskShrinkConfig
cloudsql.instances.list
cloudsql.instances.listEffectiveTags
cloudsql.instances.listServerCas
cloudsql.instances.listServerCertificates
cloudsql.instances.listTagBindings
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.get
cloudsql.users.list
recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlInstanceActivityInsights.get
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.get
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.get
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.get
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceOomProbabilityInsights.get
recommender.cloudsqlInstanceOomProbabilityInsights.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.get
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlInstancePerformanceInsights.get
recommender.cloudsqlInstancePerformanceInsights.list
recommender.cloudsqlInstancePerformanceRecommendations.get
recommender.cloudsqlInstancePerformanceRecommendations.list
recommender.cloudsqlInstanceReliabilityInsights.get
recommender.cloudsqlInstanceReliabilityInsights.list
recommender.cloudsqlInstanceReliabilityRecommendations.get
recommender.cloudsqlInstanceReliabilityRecommendations.list
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlUnderProvisionedInstanceRecommendations.get
recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Storage roles
Permissions
Storage Admin
(roles/storage.admin)
Grants full control of objects and buckets.
When applied to an individual bucket, control applies only to
the specified bucket and objects within the bucket.
Lowest-level resources where you can grant this role:
firebase.projects.get
orgpolicy.policy.get
recommender.iamPolicyInsights.*
recommender.iamPolicyRecommendations.*
recommender.storageBucketSoftDeleteInsights.*
recommender.storageBucketSoftDeleteRecommendations.*
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.projects.get
resourcemanager.projects.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
Storage Folder Admin
(roles/storage.folderAdmin)
Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
storage.managedFolders.*
storage.multipartUploads.*
storage.objects.*
Storage HMAC Key Admin
(roles/storage.hmacKeyAdmin)
Full control of Cloud Storage HMAC keys.
firebase.projects.get
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.hmacKeys.*
Storage Insights Collector Service
(roles/storage.insightsCollectorService)
Read-only access to Cloud Storage Inventory metadata for Storage Insights.
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.buckets.getObjectInsights
Storage Object Admin
(roles/storage.objectAdmin)
Grants full control of objects, including listing, creating, viewing,
and deleting objects.
Lowest-level resources where you can grant this role:
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Storage Object Creator
(roles/storage.objectCreator)
Allows users to create objects. Does not give permission to view,
delete, or overwrite objects.
Lowest-level resources where you can grant this role:
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.create
storage.managedFolders.create
storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.listParts
storage.objects.create
Storage Object User
(roles/storage.objectUser)
Access to create, read, update and delete objects and multipart uploads in GCS.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.restore
storage.objects.update
Storage Object Viewer
(roles/storage.objectViewer)
Grants access to view objects and their metadata, excluding ACLs. Can
also list the objects in a bucket.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
Storage Transfer Admin
(roles/storagetransfer.admin)
Create, update and manage transfer jobs and operations.
resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.*
Storage Transfer Agent
(roles/storagetransfer.transferAgent)
Perform transfers from an agent.
monitoring.timeSeries.create
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
storagetransfer.agentpools.report
storagetransfer.operations.assign
storagetransfer.operations.get
storagetransfer.operations.report
Storage Transfer User
(roles/storagetransfer.user)
Create and update storage transfer jobs and operations.
resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.agentpools.create
storagetransfer.agentpools.get
storagetransfer.agentpools.list
storagetransfer.agentpools.report
storagetransfer.agentpools.update
storagetransfer.jobs.create
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.jobs.run
storagetransfer.jobs.update
storagetransfer.operations.*
storagetransfer.projects.getServiceAccount
Storage Transfer Viewer
(roles/storagetransfer.viewer)
Read access to storage transfer jobs and operations.
resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.agentpools.get
storagetransfer.agentpools.list
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.operations.get
storagetransfer.operations.list
storagetransfer.projects.getServiceAccount
Cloud Storage Legacy roles
Permissions
Storage Legacy Bucket Owner
(roles/storage.legacyBucketOwner)
Grants permission to create, overwrite, and delete objects; list objects
in a bucket and read object metadata, excluding allow policies, when
listing; and read and edit bucket metadata, including allow policies.
Use of this role is also reflected in the bucket's ACLs. For more
information, see IAM relation to ACLs.
Lowest-level resources where you can grant this role:
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.enableObjectRetention
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getIpFilter
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.restore
storage.buckets.setIamPolicy
storage.buckets.setIpFilter
storage.buckets.update
storage.folders.*
storage.managedFolders.*
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.list
storage.objects.restore
storage.objects.setRetention
Storage Legacy Bucket Reader
(roles/storage.legacyBucketReader)
Grants permission to list a bucket's contents and read bucket metadata,
excluding allow policies. Also grants permission to read object metadata,
excluding allow policies, when listing objects.
Use of this role is also reflected in the bucket's ACLs. For more
information, see IAM relation to ACLs.
Lowest-level resources where you can grant this role:
storage.buckets.get
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.list
storage.objects.list
Storage Legacy Bucket Writer
(roles/storage.legacyBucketWriter)
Grants permission to create, overwrite, and delete objects; list objects
in a bucket and read object metadata, excluding allow policies, when
listing; and read bucket metadata, excluding allow policies.
Use of this role is also reflected in the bucket's ACLs. For more
information, see IAM relation to ACLs.
Lowest-level resources where you can grant this role:
storage.buckets.get
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.list
storage.objects.restore
storage.objects.setRetention
Storage Legacy Object Owner
(roles/storage.legacyObjectOwner)
Grants permission to view and edit objects and their metadata, including
ACLs.
Lowest-level resources where you can grant this role:
storage.objects.get
storage.objects.getIamPolicy
storage.objects.overrideUnlockedRetention
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update
Storage Legacy Object Reader
(roles/storage.legacyObjectReader)
Grants permission to view objects and their metadata, excluding ACLs.
Lowest-level resources where you can grant this role:
storage.objects.get
Cloud Talent Solution roles
Permissions
Cloud Talent Solution Admin
(roles/cloudjobdiscovery.admin)
Access to Cloud Talent Solution Self-Service Tools.
cloudjobdiscovery.tools.access
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Talent Solution Job Editor
(roles/cloudjobdiscovery.jobsEditor)
Write access to all job data in Cloud Talent Solution.
cloudjobdiscovery.companies.*
cloudjobdiscovery.events.create
cloudjobdiscovery.jobs.*
cloudjobdiscovery.tenants.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Talent Solution Job Viewer
(roles/cloudjobdiscovery.jobsViewer)
Read access to all job data in Cloud Talent Solution.
cloudjobdiscovery.companies.get
cloudjobdiscovery.companies.list
cloudjobdiscovery.jobs.get
cloudjobdiscovery.jobs.search
cloudjobdiscovery.tenants.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Talent Solution Profile Editor
(roles/cloudjobdiscovery.profilesEditor)
Write access to all profile data in Cloud Talent Solution.
cloudjobdiscovery.events.create
cloudjobdiscovery.profiles.*
cloudjobdiscovery.tenants.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Talent Solution Profile Viewer
(roles/cloudjobdiscovery.profilesViewer)
Read access to all profile data in Cloud Talent Solution.
cloudjobdiscovery.profiles.get
cloudjobdiscovery.profiles.search
cloudjobdiscovery.tenants.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks roles
Permissions
Cloud Tasks Admin
Beta
(roles/cloudtasks.admin)
Full access to queues and tasks.
cloudtasks.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Enqueuer
Beta
(roles/cloudtasks.enqueuer)
Access to create tasks.
cloudtasks.tasks.create
cloudtasks.tasks.fullView
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Queue Admin
Beta
(roles/cloudtasks.queueAdmin)
Admin access to queues.
cloudtasks.locations.*
cloudtasks.queues.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Task Deleter
Beta
(roles/cloudtasks.taskDeleter)
Access to delete tasks.
cloudtasks.tasks.delete
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Task Runner
Beta
(roles/cloudtasks.taskRunner)
Access to run tasks.
cloudtasks.tasks.fullView
cloudtasks.tasks.run
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Viewer
Beta
(roles/cloudtasks.viewer)
Get and list access to tasks, queues, and locations.
cloudtasks.cmekConfig.get
cloudtasks.locations.*
cloudtasks.queues.get
cloudtasks.queues.list
cloudtasks.tasks.fullView
cloudtasks.tasks.get
cloudtasks.tasks.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud TPU roles
Permissions
TPU Admin
(roles/tpu.admin)
Full access to TPU nodes and related resources.
resourcemanager.projects.get
resourcemanager.projects.list
tpu.*
TPU Viewer
(roles/tpu.viewer)
Read-only access to TPU nodes and related resources.
resourcemanager.projects.get
resourcemanager.projects.list
tpu.acceleratortypes.*
tpu.locations.*
tpu.nodes.get
tpu.nodes.list
tpu.operations.*
tpu.runtimeversions.*
tpu.tensorflowversions.*
TPU Shared VPC Agent
(roles/tpu.xpnAgent)
Can use shared VPC network (XPN) for the TPU VMs.
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.globalOperations.get
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
Cloud Trace roles
Permissions
Cloud Trace Admin
(roles/cloudtrace.admin)
Provides full access to the Trace console and read-write access to traces.
Lowest-level resources where you can grant this role:
cloudtrace.*
observability.scopes.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Trace Agent
(roles/cloudtrace.agent)
For service accounts. Provides ability to write traces by sending the data
to Stackdriver Trace.
Lowest-level resources where you can grant this role:
cloudtrace.traces.patch
Cloud Trace User
(roles/cloudtrace.user)
Provides full access to the Trace console and read access to traces.
Lowest-level resources where you can grant this role:
cloudtrace.insights.*
cloudtrace.stats.get
cloudtrace.tasks.*
cloudtrace.traceScopes.*
cloudtrace.traces.get
cloudtrace.traces.list
observability.scopes.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Translation roles
Permissions
Cloud Translation API Admin
(roles/cloudtranslate.admin)
Full access to all Cloud Translation resources
automl.models.get
automl.models.predict
cloudtranslate.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Translation API Editor
(roles/cloudtranslate.editor)
Editor of all Cloud Translation resources
automl.models.get
automl.models.predict
cloudtranslate.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Translation API User
(roles/cloudtranslate.user)
User of Cloud Translation and AutoML models
automl.models.get
automl.models.predict
cloudtranslate.adaptiveMtDatasets.get
cloudtranslate.adaptiveMtDatasets.list
cloudtranslate.adaptiveMtDatasets.predict
cloudtranslate.adaptiveMtFiles.get
cloudtranslate.adaptiveMtFiles.list
cloudtranslate.adaptiveMtSentences.list
cloudtranslate.customModels.get
cloudtranslate.customModels.list
cloudtranslate.customModels.predict
cloudtranslate.datasets.get
cloudtranslate.datasets.list
cloudtranslate.generalModels.*
cloudtranslate.glossaries.batchDocPredict
cloudtranslate.glossaries.batchPredict
cloudtranslate.glossaries.docPredict
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.glossaries.predict
cloudtranslate.glossaryentries.get
cloudtranslate.glossaryentries.list
cloudtranslate.languageDetectionModels.predict
cloudtranslate.locations.*
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Translation API Viewer
(roles/cloudtranslate.viewer)
Viewer of all Translation resources
automl.models.get
cloudtranslate.adaptiveMtDatasets.get
cloudtranslate.adaptiveMtDatasets.list
cloudtranslate.adaptiveMtFiles.get
cloudtranslate.adaptiveMtFiles.list
cloudtranslate.adaptiveMtSentences.list
cloudtranslate.customModels.get
cloudtranslate.customModels.list
cloudtranslate.datasets.get
cloudtranslate.datasets.list
cloudtranslate.generalModels.get
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.glossaryentries.get
cloudtranslate.glossaryentries.list
cloudtranslate.locations.*
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Workstations roles
Permissions
Cloud Workstations Admin
(roles/workstations.admin)
Grants CRUD access to all Workstation resources.
compute.acceleratorTypes.*
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.subnetworks.get
compute.subnetworks.list
compute.zones.*
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
workstations.operations.get
workstations.workstationClusters.*
workstations.workstationConfigs.*
workstations.workstations.create
workstations.workstations.delete
workstations.workstations.get
workstations.workstations.getIamPolicy
workstations.workstations.list
workstations.workstations.setIamPolicy
workstations.workstations.start
workstations.workstations.stop
workstations.workstations.update
Cloud Workstations Network Admin
(roles/workstations.networkAdmin)
Grants ability to connect a Workstation Cluster to a shared VPC network.
compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.use
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.globalOperations.get
compute.networks.get
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.regionOperations.get
compute.subnetworks.get
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
Cloud Workstations Operation Viewer
(roles/workstations.operationViewer)
Grants ability to view Cloud Workstations API operations.
workstations.operations.get
Cloud Workstations User
(roles/workstations.user)
Grants runtime access to Workstation resources.
workstations.operations.get
workstations.workstations.delete
workstations.workstations.get
workstations.workstations.start
workstations.workstations.stop
workstations.workstations.update
workstations.workstations.use
Cloud Workstations Creator
(roles/workstations.workstationCreator)
Grants ability to create Workstation resources.
resourcemanager.projects.get
resourcemanager.projects.list
workstations.operations.get
workstations.workstationClusters.get
workstations.workstationClusters.list
workstations.workstationConfigs.get
workstations.workstations.create
Compute Engine roles
Permissions
Compute Admin
(roles/compute.admin)
Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
Lowest-level resources where you can grant this role:
Disk
Image
Instance
Instance template
Node group
Node template
Snapshot
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.useForComputeInstance
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.serviceConfig.initialize
compute.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Future Reservation Admin
Beta
(roles/compute.futureReservationAdmin)
compute.acceleratorTypes.list
compute.futureReservations.cancel
compute.futureReservations.create
compute.futureReservations.delete
compute.futureReservations.get
compute.futureReservations.list
compute.futureReservations.update
compute.instanceTemplates.list
compute.machineTypes.list
compute.regions.list
compute.reservations.create
compute.zones.list
Compute Future Reservation User
Beta
(roles/compute.futureReservationUser)
compute.acceleratorTypes.list
compute.futureReservations.create
compute.futureReservations.delete
compute.futureReservations.get
compute.futureReservations.list
compute.futureReservations.update
compute.instanceTemplates.list
compute.machineTypes.list
compute.regions.list
compute.reservations.create
compute.zones.list
Compute Future Reservation Viewer
Beta
(roles/compute.futureReservationViewer)
compute.acceleratorTypes.list
compute.futureReservations.get
compute.futureReservations.list
compute.instanceTemplates.list
compute.machineTypes.list
compute.regions.list
compute.zones.list
Compute Image User
(roles/compute.imageUser)
Permission to list and read images without having other permissions on the image. Granting this role
at the project level gives users the ability to list all images in the project and create resources,
such as instances and persistent disks, based on images in the project.
Lowest-level resources where you can grant this role:
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Instance Admin (beta)
(roles/compute.instanceAdmin)
Permissions to create, modify, and delete virtual machine instances.
This includes permissions to create, modify, and delete disks, and also to
configure Shielded VM settings.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
For example, if your company has someone who manages groups of virtual
machine instances but does not manage network or security settings and
does not manage instances that run as service accounts, you can grant this
role on the organization, folder, or project that contains the instances,
or you can grant it on individual instances.
Lowest-level resources where you can grant this role:
Disk
Image
Instance
Instance template
Snapshot
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.useForComputeInstance
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.serviceConfig.initialize
compute.acceleratorTypes.*
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.disks.startAsyncReplication
compute.disks.stopAsyncReplication
compute.disks.stopGroupAsyncReplication
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.globalAddresses.use
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceSettings.get
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get
compute.licenses.list
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regionNetworkEndpointGroups.*
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.list
compute.resourcePolicies.useReadOnly
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Instance Admin (v1)
(roles/compute.instanceAdmin.v1)
Full control of Compute Engine instances, instance groups, disks, snapshots, and images.
Read access to all Compute Engine networking resources.
If you grant a user this role only at an instance level, then that user cannot create new instances.
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.useForComputeInstance
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr. serviceConfig. initialize
compute.acceleratorTypes.*
compute. addresses. createInternal
compute. addresses. deleteInternal
compute.addresses.get
compute.addresses.list
compute. addresses. listEffectiveTags
compute. addresses. listTagBindings
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute. backendBuckets. listEffectiveTags
compute. backendBuckets. listTagBindings
compute.backendServices.get
compute.backendServices.list
compute. backendServices. listEffectiveTags
compute. backendServices. listTagBindings
compute.diskTypes.*
compute.disks.*
compute. externalVpnGateways. get
compute. externalVpnGateways. list
compute. externalVpnGateways. listEffectiveTags
compute. externalVpnGateways. listTagBindings
compute.firewalls.get
compute.firewalls.list
compute. firewalls. listEffectiveTags
compute. firewalls. listTagBindings
compute.forwardingRules.get
compute.forwardingRules.list
compute. forwardingRules. listEffectiveTags
compute. forwardingRules. listTagBindings
compute.globalAddresses.get
compute.globalAddresses.list
compute. globalAddresses. listEffectiveTags
compute. globalAddresses. listTagBindings
compute.globalAddresses.use
compute. globalForwardingRules. get
compute. globalForwardingRules. list
compute. globalForwardingRules. listEffectiveTags
compute. globalForwardingRules. listTagBindings
compute. globalForwardingRules. pscGet
compute. globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute. healthChecks. listEffectiveTags
compute. healthChecks. listTagBindings
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute. httpHealthChecks. listEffectiveTags
compute. httpHealthChecks. listTagBindings
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute. httpsHealthChecks. listEffectiveTags
compute. httpsHealthChecks. listTagBindings
compute.images.*
compute. instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceSettings.*
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute. interconnectAttachments. get
compute. interconnectAttachments. list
compute. interconnectAttachments. listEffectiveTags
compute. interconnectAttachments. listTagBindings
compute. interconnectLocations.*
compute. interconnectRemoteLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.get
compute.networkAttachments.list
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkEndpointGroups.*
compute.networkProfiles.*
compute.networks.get
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.routers.listEffectiveTags
compute.routers.listRoutePolicies
compute.routers.listTagBindings
compute.routes.get
compute.routes.list
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings
compute.snapshots.*
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Load Balancer Admin
(roles/compute.loadBalancerAdmin)
Permissions to create, modify, and delete load balancers and associate
resources.
For example, if your company has a load balancing team that manages load
balancers, SSL certificates for load balancers, SSL policies, and other
load balancing resources, and a separate networking team that manages
the rest of the networking resources, then grant this role to the load
balancing team's group.
Lowest-level resources where you can grant this role:
certificatemanager.certmaps.get
certificatemanager.certmaps.list
certificatemanager.certmaps.use
compute.addresses.*
compute.backendBuckets.*
compute.backendServices.*
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroups.*
compute.instances.get
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listTagBindings
compute.instances.use
compute.instances.useReadOnly
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.networks.use
compute.projects.get
compute.regionBackendServices.*
compute.regionHealthCheckServices.*
compute.regionHealthChecks.*
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.*
compute.regionOperations.get
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSecurityPolicies.use
compute.regionSslCertificates.*
compute.regionSslPolicies.*
compute.regionTargetHttpProxies.*
compute.regionTargetHttpsProxies.*
compute.regionTargetTcpProxies.*
compute.regionUrlMaps.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.securityPolicies.use
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.subnetworks.use
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.urlMaps.*
compute.zoneOperations.get
compute.zoneOperations.list
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.use
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Load Balancer Services User
(roles/compute.loadBalancerServiceUser)
Permissions to use services from a load balancer in other projects.
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendBuckets.use
compute.backendServices.get
compute.backendServices.list
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.backendServices.use
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionBackendServices.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Network Admin
(roles/compute.networkAdmin)
Permissions to create, modify, and delete networking resources,
except for firewall rules and SSL certificates. The network admin role
allows read-only access to firewall rules, SSL certificates, and instances
(to view their ephemeral IP addresses). The network admin role does not
allow a user to create, start, stop, or delete instances.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant this role to the networking team's group.
Or, if you have a combined team that manages both security and networking,
then grant this role as well as the
roles/compute.securityAdmin
role to the combined team's group.
Lowest-level resources where you can grant this role:
compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.*
compute.backendServices.*
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.*
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewallPolicies.use
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.globalNetworkEndpointGroups.use
compute.globalOperations.get
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.instanceGroups.update
compute.instanceGroups.use
compute.instanceSettings.get
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instances.updateSecurity
compute.instances.use
compute.instances.useReadOnly
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.*
compute.machineTypes.*
compute.networkAttachments.*
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networkEndpointGroups.use
compute.networkProfiles.*
compute.networks.*
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.projects.get
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.regionBackendServices.*
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionFirewallPolicies.use
compute.regionHealthCheckServices.*
compute.regionHealthChecks.*
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionNetworkEndpointGroups.use
compute.regionNotificationEndpoints.*
compute.regionOperations.get
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSecurityPolicies.use
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.*
compute.regionTargetHttpProxies.*
compute.regionTargetHttpsProxies.*
compute.regionTargetTcpProxies.*
compute.regionUrlMaps.*
compute.regions.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.securityPolicies.use
compute.serviceAttachments.*
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.*
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
networkconnectivity.internalRanges.*
networkconnectivity.locations.*
networkconnectivity.operations.*
networkconnectivity.policyBasedRoutes.*
networkconnectivity.regionalEndpoints.*
networkconnectivity.serviceClasses.*
networkconnectivity.serviceConnectionMaps.*
networkconnectivity.serviceConnectionPolicies.*
networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.list
networksecurity.addressGroups.*
networksecurity.authorizationPolicies.*
networksecurity.authzPolicies.*
networksecurity.clientTlsPolicies.*
networksecurity.firewallEndpointAssociations.*
networksecurity.firewallEndpoints.*
networksecurity.gatewaySecurityPolicies.*
networksecurity.gatewaySecurityPolicyRules.*
networksecurity.locations.*
networksecurity.operations.*
networksecurity.securityProfileGroups.*
networksecurity.securityProfiles.*
networksecurity.serverTlsPolicies.*
networksecurity.tlsInspectionPolicies.*
networksecurity.urlLists.*
networkservices.*
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.createPeeredDnsDomain
servicenetworking.services.deleteConnection
servicenetworking.services.deletePeeredDnsDomain
servicenetworking.services.disableVpcServiceControls
servicenetworking.services.enableVpcServiceControls
servicenetworking.services.get
servicenetworking.services.listPeeredDnsDomains
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
trafficdirector.*
Compute Network User
(roles/compute.networkUser)
Provides access to a shared VPC network
Once granted, service owners can use VPC networks and subnets that belong
to the host project. For example, a network user can create a VM instance
that belongs to a host project network but they cannot delete or create
new networks in the host project.
Lowest-level resources where you can grant this role:
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.addresses.useInternal
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.externalVpnGateways.use
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.instanceSettings.get
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.interconnects.use
compute.networkAttachments.get
compute.networkAttachments.list
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkProfiles.*
compute.networks.access
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listPeeringRoutes
compute.networks.listTagBindings
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.routers.listEffectiveTags
compute.routers.listRoutePolicies
compute.routers.listTagBindings
compute.routes.get
compute.routes.list
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnGateways.use
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings
compute.zones.*
networkconnectivity.internalRanges.get
networkconnectivity.internalRanges.list
networkconnectivity.locations.*
networkconnectivity.operations.get
networkconnectivity.operations.list
networkconnectivity.policyBasedRoutes.get
networkconnectivity.policyBasedRoutes.list
networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.list
networksecurity.addressGroups.get
networksecurity.addressGroups.list
networksecurity.addressGroups.use
networksecurity.authorizationPolicies.get
networksecurity.authorizationPolicies.list
networksecurity.authorizationPolicies.use
networksecurity.authzPolicies.get
networksecurity.authzPolicies.list
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.use
networksecurity.firewallEndpointAssociations.get
networksecurity.firewallEndpointAssociations.list
networksecurity.firewallEndpoints.get
networksecurity.firewallEndpoints.list
networksecurity.firewallEndpoints.use
networksecurity.gatewaySecurityPolicies.get
networksecurity.gatewaySecurityPolicies.list
networksecurity.gatewaySecurityPolicies.use
networksecurity.gatewaySecurityPolicyRules.get
networksecurity.gatewaySecurityPolicyRules.list
networksecurity.gatewaySecurityPolicyRules.use
networksecurity.locations.*
networksecurity.operations.get
networksecurity.operations.list
networksecurity.securityProfileGroups.get
networksecurity.securityProfileGroups.list
networksecurity.securityProfileGroups.use
networksecurity.securityProfiles.get
networksecurity.securityProfiles.list
networksecurity.securityProfiles.use
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.use
networksecurity.tlsInspectionPolicies.get
networksecurity.tlsInspectionPolicies.list
networksecurity.tlsInspectionPolicies.use
networksecurity.urlLists.get
networksecurity.urlLists.list
networksecurity.urlLists.use
networkservices.authzExtensions.get
networkservices.authzExtensions.list
networkservices.authzExtensions.use
networkservices.endpointPolicies.get
networkservices.endpointPolicies.list
networkservices.gateways.get
networkservices.gateways.list
networkservices.gateways.use
networkservices.grpcRoutes.get
networkservices.grpcRoutes.list
networkservices.httpFilters.get
networkservices.httpFilters.list
networkservices.httpRoutes.get
networkservices.httpRoutes.list
networkservices.httpfilters.get
networkservices.httpfilters.list
networkservices.httpfilters.use
networkservices.lbRouteExtensions.get
networkservices.lbRouteExtensions.list
networkservices.lbTrafficExtensions.get
networkservices.lbTrafficExtensions.list
networkservices.locations.*
networkservices.meshes.get
networkservices.meshes.list
networkservices.meshes.use
networkservices.operations.get
networkservices.operations.list
networkservices.route_views.*
networkservices.serviceBindings.get
networkservices.serviceBindings.list
networkservices.serviceLbPolicies.get
networkservices.serviceLbPolicies.list
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.wasmPlugins.get
networkservices.wasmPlugins.list
networkservices.wasmPlugins.use
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Network Viewer
(roles/compute.networkViewer)
Read-only access to all networking resources
For example, if you have software that inspects your network
configuration, you could grant this role to that software's
service account.
Lowest-level resources where you can grant this role:
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.get
compute.backendServices.list
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalForwardingRules.pscGet
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.instanceSettings.get
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.machineTypes.*
compute.networkAttachments.get
compute.networkAttachments.list
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkProfiles.*
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listPeeringRoutes
compute.networks.listTagBindings
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.regions.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.routers.listEffectiveTags
compute.routers.listRoutePolicies
compute.routers.listTagBindings
compute.routes.get
compute.routes.list
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings
compute.zones.*
networkconnectivity.internalRanges.get
networkconnectivity.internalRanges.list
networkconnectivity.locations.*
networkconnectivity.operations.get
networkconnectivity.operations.list
networkconnectivity.policyBasedRoutes.get
networkconnectivity.policyBasedRoutes.list
networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.list
networksecurity.addressGroups.get
networksecurity.addressGroups.list
networksecurity.authorizationPolicies.get
networksecurity.authorizationPolicies.list
networksecurity.authzPolicies.get
networksecurity.authzPolicies.list
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.firewallEndpointAssociations.get
networksecurity.firewallEndpointAssociations.list
networksecurity.firewallEndpoints.get
networksecurity.firewallEndpoints.list
networksecurity.gatewaySecurityPolicies.get
networksecurity.gatewaySecurityPolicies.list
networksecurity.gatewaySecurityPolicyRules.get
networksecurity.gatewaySecurityPolicyRules.list
networksecurity.locations.*
networksecurity.operations.get
networksecurity.operations.list
networksecurity.securityProfileGroups.get
networksecurity.securityProfileGroups.list
networksecurity.securityProfiles.get
networksecurity.securityProfiles.list
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.tlsInspectionPolicies.get
networksecurity.tlsInspectionPolicies.list
networksecurity.urlLists.get
networksecurity.urlLists.list
networkservices.authzExtensions.get
networkservices.authzExtensions.list
networkservices.endpointPolicies.get
networkservices.endpointPolicies.list
networkservices.gateways.get
networkservices.gateways.list
networkservices.grpcRoutes.get
networkservices.grpcRoutes.list
networkservices.httpFilters.get
networkservices.httpFilters.list
networkservices.httpRoutes.get
networkservices.httpRoutes.list
networkservices.httpfilters.get
networkservices.httpfilters.list
networkservices.lbRouteExtensions.get
networkservices.lbRouteExtensions.list
networkservices.lbTrafficExtensions.get
networkservices.lbTrafficExtensions.list
networkservices.locations.*
networkservices.meshes.get
networkservices.meshes.list
networkservices.operations.get
networkservices.operations.list
networkservices.route_views.*
networkservices.serviceBindings.get
networkservices.serviceBindings.list
networkservices.serviceLbPolicies.get
networkservices.serviceLbPolicies.list
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.wasmPlugins.get
networkservices.wasmPlugins.list
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
trafficdirector.*
Compute Organization Firewall Policy Admin
(roles/compute.orgFirewallPolicyAdmin)
Full control of Compute Engine Organization Firewall Policies.
compute.firewallPolicies.*
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
compute.regionFirewallPolicies.*
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionOperations.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Firewall Policy User
(roles/compute.orgFirewallPolicyUser)
View or use Compute Engine Firewall Policies to associate with the organization or folders.
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewallPolicies.use
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.projects.get
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionFirewallPolicies.use
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Security Policy Admin
(roles/compute.orgSecurityPolicyAdmin)
Full control of Compute Engine Organization Security Policies.
compute.firewallPolicies.*
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
compute.securityPolicies.addAssociation
compute.securityPolicies.copyRules
compute.securityPolicies.create
compute.securityPolicies.createTagBinding
compute.securityPolicies.delete
compute.securityPolicies.deleteTagBinding
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.securityPolicies.move
compute.securityPolicies.removeAssociation
compute.securityPolicies.update
compute.securityPolicies.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Security Policy User
(roles/compute.orgSecurityPolicyUser)
View or use Compute Engine Security Policies to associate with the organization or folders.
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewallPolicies.use
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
compute.securityPolicies.addAssociation
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.securityPolicies.removeAssociation
compute.securityPolicies.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Resource Admin
(roles/compute.orgSecurityResourceAdmin)
Full control of Compute Engine Firewall Policy associations to the organization or folders.
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.organizations.listAssociations
compute.organizations.setFirewallPolicy
compute.organizations.setSecurityPolicy
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute OS Admin Login
(roles/compute.osAdminLogin)
Access to log in to a Compute Engine instance as an administrator user.
Lowest-level resources where you can grant this role:
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceSettings.get
compute.instances.get
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.projects.get
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute OS Login
(roles/compute.osLogin)
Access to log in to a Compute Engine instance as a standard user.
Lowest-level resources where you can grant this role:
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceSettings.get
compute.instances.get
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listTagBindings
compute.instances.osLogin
compute.projects.get
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute OS Login External User
(roles/compute.osLoginExternalUser)
Available only at the organization level.
Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH.
Lowest-level resources where you can grant this role:
compute.oslogin.updateExternalUser
Compute packet mirroring admin
(roles/compute.packetMirroringAdmin)
Specify resources to be mirrored.
compute.instances.updateSecurity
compute.networks.mirror
compute.projects.get
compute.subnetworks.mirror
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute packet mirroring user
(roles/compute.packetMirroringUser)
Use Compute Engine packet mirrorings.
compute.packetMirrorings.*
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Public IP Admin
(roles/compute.publicIpAdmin)
Full control of public IP address management for Compute Engine.
compute.addresses.*
compute.globalAddresses.*
compute.globalPublicDelegatedPrefixes.*
compute.publicAdvertisedPrefixes.*
compute.publicDelegatedPrefixes.*
resourcemanager.projects.get
resourcemanager.projects.list
Compute Security Admin
(roles/compute.securityAdmin)
Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM settings.
For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the security team's group.
Lowest-level resources where you can grant this role:
compute.backendBuckets.list
compute.backendServices.list
compute.firewallPolicies.*
compute.firewalls.*
compute.globalOperations.get
compute.globalOperations.list
compute.instanceSettings.get
compute.instances.getEffectiveFirewalls
compute.instances.list
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.networks.updatePolicy
compute.packetMirrorings.*
compute.projects.get
compute.regionBackendServices.list
compute.regionFirewallPolicies.*
compute.regionOperations.get
compute.regionOperations.list
compute.regionSecurityPolicies.*
compute.regionSslCertificates.*
compute.regionSslPolicies.*
compute.regions.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.routers.listEffectiveTags
compute.routers.listRoutePolicies
compute.routers.listTagBindings
compute.routes.get
compute.routes.list
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.*
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetInstances.list
compute.targetPools.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Sole Tenant Viewer
(roles/compute.soleTenantViewer)
Permissions to view sole tenancy node groups
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
Compute Storage Admin
(roles/compute.storageAdmin)
Permissions to create, modify, and delete disks, images, and snapshots.
For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project.
Lowest-level resources where you can grant this role:
compute.diskTypes.*
compute.disks.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.*
compute.instanceSettings.get
compute.instantSnapshots.*
compute.licenseCodes.*
compute.licenses.*
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.resourcePolicies.*
compute.snapshots.*
compute.storagePools.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Viewer
(roles/compute.viewer)
Read-only access to get and list Compute Engine resources, without being able to read the data stored on them.
For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks.
Lowest-level resources where you can grant this role:
Disk
Image
Instance
Instance template
Node group
Node template
Snapshot
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.futureReservations.get
compute.futureReservations.getIamPolicy
compute.futureReservations.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.instanceSettings.get
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.multiMig.get
compute.multiMig.list
compute.networkAttachments.get
compute.networkAttachments.getIamPolicy
compute.networkAttachments.list
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkEdgeSecurityServices.get
compute.networkEdgeSecurityServices.list
compute.networkEdgeSecurityServices.listEffectiveTags
compute.networkEdgeSecurityServices.listTagBindings
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networkProfiles.*
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listPeeringRoutes
compute.networks.listTagBindings
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.routers.listEffectiveTags
compute.routers.listRoutePolicies
compute.routers.listTagBindings
compute.routes.get
compute.routes.list
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.storagePools.get
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Shared VPC Admin
(roles/compute.xpnAdmin)
Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network.
At the organization level, this role can only be granted by an organization admin.
Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the Compute Network User role (roles/compute.networkUser) to service owners, and the shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.
Lowest-level resources where you can grant this role:
compute.globalOperations.get
compute.globalOperations.list
compute.organizations.disableXpnHost
compute.organizations.disableXpnResource
compute.organizations.enableXpnHost
compute.organizations.enableXpnResource
compute.projects.get
compute.subnetworks.getIamPolicy
compute.subnetworks.setIamPolicy
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
OS Config Admin
Beta
(roles/osconfig.admin)
Full access to OS Config resources
osconfig.*
GuestPolicy Admin
Beta
(roles/osconfig.guestPolicyAdmin)
Full admin access to GuestPolicies
osconfig.guestPolicies.*
resourcemanager.projects.get
resourcemanager.projects.list
GuestPolicy Editor
Beta
(roles/osconfig.guestPolicyEditor)
Editor of GuestPolicy resources
osconfig.guestPolicies.get
osconfig.guestPolicies.list
osconfig.guestPolicies.update
resourcemanager.projects.get
resourcemanager.projects.list
GuestPolicy Viewer
Beta
(roles/osconfig.guestPolicyViewer)
Viewer of GuestPolicy resources
osconfig.guestPolicies.get
osconfig.guestPolicies.list
resourcemanager.projects.get
resourcemanager.projects.list
InstanceOSPoliciesCompliance Viewer
Beta
(roles/osconfig.instanceOSPoliciesComplianceViewer)
Viewer of OS Policies Compliance of VM instances
osconfig.instanceOSPoliciesCompliances.*
resourcemanager.projects.get
resourcemanager.projects.list
OS Inventory Viewer
(roles/osconfig.inventoryViewer)
Viewer of OS Inventories
osconfig.inventories.*
resourcemanager.projects.get
resourcemanager.projects.list
OSPolicyAssignment Admin
(roles/osconfig.osPolicyAssignmentAdmin)
Full admin access to OS Policy Assignments
osconfig.osPolicyAssignments.*
resourcemanager.projects.get
resourcemanager.projects.list
OSPolicyAssignment Editor
(roles/osconfig.osPolicyAssignmentEditor)
Editor of OS Policy Assignments
osconfig.osPolicyAssignments.get
osconfig.osPolicyAssignments.list
osconfig.osPolicyAssignments.searchPolicies
osconfig.osPolicyAssignments.update
resourcemanager.projects.get
resourcemanager.projects.list
OSPolicyAssignmentReport Viewer
(roles/osconfig.osPolicyAssignmentReportViewer)
Viewer of OS policy assignment reports for VM instances
osconfig.osPolicyAssignmentReports.*
resourcemanager.projects.get
resourcemanager.projects.list
OSPolicyAssignment Viewer
(roles/osconfig.osPolicyAssignmentViewer)
Viewer of OS Policy Assignments
osconfig.osPolicyAssignments.get
osconfig.osPolicyAssignments.list
osconfig.osPolicyAssignments.searchPolicies
resourcemanager.projects.get
resourcemanager.projects.list
PatchDeployment Admin
(roles/osconfig.patchDeploymentAdmin)
Full admin access to PatchDeployments
osconfig.patchDeployments.*
resourcemanager.projects.get
resourcemanager.projects.list
PatchDeployment Viewer
(roles/osconfig.patchDeploymentViewer)
Viewer of PatchDeployment resources
osconfig.patchDeployments.get
osconfig.patchDeployments.list
resourcemanager.projects.get
resourcemanager.projects.list
Patch Job Executor
(roles/osconfig.patchJobExecutor)
Access to execute Patch Jobs.
osconfig.patchJobs.*
resourcemanager.projects.get
resourcemanager.projects.list
Patch Job Viewer
(roles/osconfig.patchJobViewer)
Get and list Patch Jobs.
osconfig.patchJobs.get
osconfig.patchJobs.list
resourcemanager.projects.get
resourcemanager.projects.list
PolicyOrchestrator Admin
Beta
(roles/osconfig.policyOrchestratorAdmin)
Admin of PolicyOrchestrator resources
osconfig.locations.*
osconfig.operations.get
osconfig.policyOrchestrators.*
PolicyOrchestrator Viewer
Beta
(roles/osconfig.policyOrchestratorViewer)
Viewer of PolicyOrchestrator resources
osconfig.locations.*
osconfig.operations.get
osconfig.policyOrchestrators.get
osconfig.policyOrchestrators.list
Project Feature Settings Editor
(roles/osconfig.projectFeatureSettingsEditor)
Read/write access to project feature settings
osconfig.projectFeatureSettings.*
resourcemanager.projects.get
resourcemanager.projects.list
Project Feature Settings Viewer
(roles/osconfig.projectFeatureSettingsViewer)
Read access to project feature settings
osconfig.projectFeatureSettings.get
resourcemanager.projects.get
resourcemanager.projects.list
Upgrade Report Viewer
Beta
(roles/osconfig.upgradeReportViewer)
Provides read-only access to VM Manager Upgrade Reports
osconfig.upgradeReports.*
resourcemanager.projects.get
resourcemanager.projects.list
OS Config Viewer
Beta
(roles/osconfig.viewer)
Readonly access to OS Config resources
osconfig.guestPolicies.get
osconfig.guestPolicies.list
osconfig.instanceOSPoliciesCompliances.*
osconfig.inventories.*
osconfig.locations.*
osconfig.operations.get
osconfig.operations.list
osconfig.osPolicyAssignmentReports.*
osconfig.osPolicyAssignments.get
osconfig.osPolicyAssignments.list
osconfig.osPolicyAssignments.searchPolicies
osconfig.patchDeployments.get
osconfig.patchDeployments.list
osconfig.patchJobs.get
osconfig.patchJobs.list
osconfig.policyOrchestrators.get
osconfig.policyOrchestrators.list
osconfig.projectFeatureSettings.get
osconfig.upgradeReports.*
osconfig.vulnerabilityReports.*
OS VulnerabilityReport Viewer
(roles/osconfig.vulnerabilityReportViewer)
Viewer of OS VulnerabilityReports
osconfig.vulnerabilityReports.*
resourcemanager.projects.get
resourcemanager.projects.list
Container Analysis roles
Permissions
Container Analysis Admin
(roles/containeranalysis.admin)
Access to all Container Analysis resources.
containeranalysis.notes.attachOccurrence
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.notes.getIamPolicy
containeranalysis.notes.list
containeranalysis.notes.setIamPolicy
containeranalysis.notes.update
containeranalysis.occurrences.*
resourcemanager.projects.get
resourcemanager.projects.list
Container Analysis Notes Attacher
(roles/containeranalysis.notes.attacher)
Can attach Container Analysis Occurrences to Notes.
containeranalysis.notes.attachOccurrence
containeranalysis.notes.get
Container Analysis Notes Editor
(roles/containeranalysis.notes.editor)
Can edit Container Analysis Notes.
containeranalysis.notes.attachOccurrence
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.notes.update
resourcemanager.projects.get
resourcemanager.projects.list
Container Analysis Occurrences for Notes Viewer
(roles/containeranalysis.notes.occurrences.viewer)
Can view all Container Analysis Occurrences attached to a Note.
containeranalysis.notes.get
containeranalysis.notes.listOccurrences
Container Analysis Notes Viewer
(roles/containeranalysis.notes.viewer)
Can view Container Analysis Notes.
containeranalysis.notes.get
containeranalysis.notes.list
resourcemanager.projects.get
resourcemanager.projects.list
Container Analysis Occurrences Editor
(roles/containeranalysis.occurrences.editor)
Can edit Container Analysis Occurrences.
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
resourcemanager.projects.get
resourcemanager.projects.list
Container Analysis Occurrences Viewer
(roles/containeranalysis.occurrences.viewer)
Can view Container Analysis Occurrences.
containeranalysis.occurrences.get
containeranalysis.occurrences.list
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog roles
Permissions
Data Catalog Admin
(roles/datacatalog.admin)
Full access to all DataCatalog resources
bigquery.connections.get
bigquery.connections.updateTag
bigquery.datasets.get
bigquery.datasets.updateTag
bigquery.models.getMetadata
bigquery.models.updateTag
bigquery.routines.get
bigquery.routines.updateTag
bigquery.tables.get
bigquery.tables.updateTag
datacatalog.catalogs.searchAll
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.entries.*
datacatalog.entryGroups.*
datacatalog.migrationConfig.*
datacatalog.operations.list
datacatalog.relationships.*
datacatalog.tagTemplates.*
datacatalog.taxonomies.*
dataplex.projects.search
pubsub.topics.get
pubsub.topics.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
Policy Tag Admin
(roles/datacatalog.categoryAdmin)
Manage taxonomies
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.taxonomies.*
resourcemanager.projects.get
resourcemanager.projects.list
Fine-Grained Reader
(roles/datacatalog.categoryFineGrainedReader)
Read access to sub-resources tagged by a policy tag, for example, BigQuery columns
datacatalog.categories.fineGrainedGet
DataCatalog Data Steward
Beta
(roles/datacatalog.dataSteward)
Can update overview and data steward fields
datacatalog.entries.get
datacatalog.entries.list
datacatalog.entries.updateContacts
datacatalog.entries.updateOverview
datacatalog.entryGroups.get
datacatalog.migrationConfig.get
datacatalog.relationships.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog EntryGroup Creator
(roles/datacatalog.entryGroupCreator)
Can create new entryGroups
datacatalog.entryGroups.create
datacatalog.entryGroups.get
datacatalog.entryGroups.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog EntryGroup Owner
(roles/datacatalog.entryGroupOwner)
Full access to entryGroups
datacatalog.entries.*
datacatalog.entryGroups.*
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog Entry Owner
(roles/datacatalog.entryOwner)
Full access to entries
datacatalog.entries.*
datacatalog.entryGroups.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog Entry Viewer
(roles/datacatalog.entryViewer)
Read access to entries
datacatalog.entries.get
datacatalog.entries.list
datacatalog.entryGroups.get
datacatalog.migrationConfig.get
datacatalog.relationships.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog Glossary Owner
Beta
(roles/datacatalog.glossaryOwner)
Full access to glossaries
datacatalog.entries.*
datacatalog.relationships.*
dataplex.projects.search
DataCatalog Glossary User
Beta
(roles/datacatalog.glossaryUser)
Can view glossaries and associate terms to entries
datacatalog.entries.get
datacatalog.entries.list
datacatalog.relationships.*
dataplex.projects.search
DataCatalog Migration Config Admin
Beta
(roles/datacatalog.migrationConfigAdmin)
Full access to Migration Config
datacatalog.migrationConfig.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog Search Admin
Beta
(roles/datacatalog.searchAdmin)
Can search all metadata for a project/org in DataCatalog
datacatalog.catalogs.searchAll
dataplex.projects.search
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog Tag Editor
(roles/datacatalog.tagEditor)
Access to modify metadata tags for entries, as well as BigQuery and Pub/Sub data assets
bigquery.connections.updateTag
bigquery.datasets.updateTag
bigquery.models.updateTag
bigquery.routines.updateTag
bigquery.tables.updateTag
datacatalog.entries.updateTag
datacatalog.entryGroups.updateTag
pubsub.topics.updateTag
Data Catalog TagTemplate Creator
(roles/datacatalog.tagTemplateCreator)
Access to create new tag templates
datacatalog.tagTemplates.create
datacatalog.tagTemplates.get
dataplex.projects.search
Data Catalog TagTemplate Owner
(roles/datacatalog.tagTemplateOwner)
Full access to tag templates
datacatalog.tagTemplates.*
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog TagTemplate User
(roles/datacatalog.tagTemplateUser)
Access to apply a tag template to an entry (to modify tags, see Data Catalog Tag Editor)
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
datacatalog.tagTemplates.use
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog TagTemplate Viewer
(roles/datacatalog.tagTemplateViewer)
Read access to templates and tags created using the templates
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog Viewer
(roles/datacatalog.viewer)
Provides metadata read access to catalogued Google Cloud assets for BigQuery and Pub/Sub
bigquery.connections.get
bigquery.datasets.get
bigquery.models.getMetadata
bigquery.routines.get
bigquery.tables.get
datacatalog.entries.get
datacatalog.entries.list
datacatalog.entryGroups.get
datacatalog.entryGroups.list
datacatalog.migrationConfig.get
datacatalog.operations.list
datacatalog.relationships.list
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
datacatalog.taxonomies.get
datacatalog.taxonomies.list
dataplex.projects.search
pubsub.topics.get
resourcemanager.projects.get
resourcemanager.projects.list
Data Connectors roles
Permissions
Connector Admin
Beta
(roles/dataconnectors.connectorAdmin)
Full access to Data Connectors.
dataconnectors.*
resourcemanager.projects.get
resourcemanager.projects.list
Connector User
Beta
(roles/dataconnectors.connectorUser)
Access to use Data Connectors.
dataconnectors.connectors.get
dataconnectors.connectors.getIamPolicy
dataconnectors.connectors.list
dataconnectors.connectors.use
Data Migration roles
Permissions
Database Migration Admin
(roles/datamigration.admin)
Full access to all resources of Database Migration.
cloudaicompanion.entitlements.get
datamigration.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Pipelines roles
Permissions
Data pipelines Admin
(roles/datapipelines.admin)
Administrator of Data pipelines resources
datapipelines.*
resourcemanager.projects.get
resourcemanager.projects.list
Data pipelines Invoker
(roles/datapipelines.invoker)
Invoker of Data pipelines jobs
datapipelines.pipelines.run
resourcemanager.projects.get
resourcemanager.projects.list
Data pipelines Viewer
(roles/datapipelines.viewer)
Viewer of Data pipelines resources
datapipelines.jobs.list
datapipelines.pipelines.get
datapipelines.pipelines.list
resourcemanager.projects.get
resourcemanager.projects.list
Data Studio roles
Permissions
Data Studio Admin
Beta
(roles/datastudio.admin)
Data Studio Admin
datastudio.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Studio Workspace Content Manager
Beta
(roles/datastudio.contentManager)
Content Manager of a Data Studio resource
datastudio.datasources.get
datastudio.datasources.getIamPolicy
datastudio.datasources.move
datastudio.datasources.restoreTrash
datastudio.datasources.search
datastudio.datasources.settingsShare
datastudio.datasources.share
datastudio.datasources.trash
datastudio.datasources.update
datastudio.reports.get
datastudio.reports.getIamPolicy
datastudio.reports.move
datastudio.reports.restoreTrash
datastudio.reports.search
datastudio.reports.settingsShare
datastudio.reports.share
datastudio.reports.trash
datastudio.reports.update
datastudio.workspaces.createUnder
datastudio.workspaces.get
datastudio.workspaces.getIamPolicy
datastudio.workspaces.moveIn
datastudio.workspaces.search
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
Data Studio Workspace Contributor
Beta
(roles/datastudio.contributor)
Contributor of a Data Studio resource
datastudio.datasources.get
datastudio.datasources.getIamPolicy
datastudio.datasources.restoreTrash
datastudio.datasources.search
datastudio.datasources.settingsShare
datastudio.datasources.share
datastudio.datasources.update
datastudio.reports.get
datastudio.reports.getIamPolicy
datastudio.reports.restoreTrash
datastudio.reports.search
datastudio.reports.settingsShare
datastudio.reports.share
datastudio.reports.update
datastudio.workspaces.createUnder
datastudio.workspaces.get
datastudio.workspaces.getIamPolicy
datastudio.workspaces.moveIn
datastudio.workspaces.search
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
Data Studio Asset Editor
Beta
(roles/datastudio.editor)
Editor of a Data Studio resource
datastudio.datasources.get
datastudio.datasources.getIamPolicy
datastudio.datasources.search
datastudio.datasources.update
datastudio.reports.get
datastudio.reports.getIamPolicy
datastudio.reports.search
datastudio.reports.update
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
Data Studio Workspace Manager
Beta
(roles/datastudio.manager)
Manager of a Data Studio resource
datastudio.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
Data Studio Asset Viewer
Beta
(roles/datastudio.viewer)
Viewer of a Data Studio resource
datastudio.datasources.get
datastudio.datasources.search
datastudio.reports.get
datastudio.reports.search
resourcemanager.projects.get
Data Studio Workspace Viewer
Beta
(roles/datastudio.workspaceViewer)
Viewer of a Data Studio Workspace
datastudio.datasources.get
datastudio.datasources.search
datastudio.reports.get
datastudio.reports.search
datastudio.workspaces.get
datastudio.workspaces.search
resourcemanager.projects.get
Looker Admin
Beta
(roles/lookerstudio.lookerAdmin)
Admin of Looker instance mapping to a Studio subscription
datastudio.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
Looker Studio Pro Manager
Beta
(roles/lookerstudio.proManager)
Looker Studio Pro Manager
lookerstudio.pro.manage
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.projects.updateLiens
Dataflow roles
Permissions
Dataflow Admin
(roles/dataflow.admin)
Minimal role for creating and managing dataflow jobs.
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
compute.machineTypes.get
compute.projects.get
compute.regions.list
compute.zones.list
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
recommender.dataflowDiagnosticsInsights.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list
Dataflow Developer
(roles/dataflow.developer)
Provides the permissions necessary to execute and manipulate Dataflow jobs.
Lowest-level resources where you can grant this role:
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
compute.projects.get
compute.regions.list
compute.zones.list
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
recommender.dataflowDiagnosticsInsights.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Dataflow Viewer
(roles/dataflow.viewer)
Provides read-only access to all Dataflow-related resources.
Lowest-level resources where you can grant this role:
dataflow.jobs.get
dataflow.jobs.list
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.get
dataflow.snapshots.list
recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataflow Worker
(roles/dataflow.worker)
Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline.
Lowest-level resources where you can grant this role:
autoscaling.sites.readRecommendations
autoscaling.sites.writeMetrics
autoscaling.sites.writeState
compute.instanceGroupManagers.update
compute.instances.delete
compute.instances.setDiskAutoDelete
dataflow.jobs.get
dataflow.shuffle.*
dataflow.streamingWorkItems.*
dataflow.workItems.*
logging.logEntries.create
logging.logEntries.route
monitoring.timeSeries.create
storage.buckets.get
storage.objects.create
storage.objects.get
Permissions
(roles/dataform.admin)
Full access to all Dataform resources.
dataform.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/dataform.codeCreator)
Access only to private and shared code resources. The permissions in the Code Creator let you create and list code in Dataform, and access only the code that you created and code that was explicitly shared with you.
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/dataform.codeEditor)
Edit access to code resources.
dataform.locations.*
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.writeFile
resourcemanager.projects.get
resourcemanager.projects.list
(roles/dataform.codeOwner)
Full access to code resources.
dataform.locations.*
dataform.repositories.*
dataform.workspaces.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/dataform.codeViewer)
Read-only access to all code resources.
dataform.locations.*
dataform.repositories.computeAccessTokenStatus
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.list
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.searchFiles
resourcemanager.projects.get
resourcemanager.projects.list
(roles/dataform.editor)
Edit access to Workspaces and Read-only access to Repositories.
dataform.compilationResults.*
dataform.config.get
dataform.locations.*
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.repositories.computeAccessTokenStatus
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowInvocations.*
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.writeFile
resourcemanager.projects.get
resourcemanager.projects.list
(roles/dataform.viewer)
Read-only access to all Dataform resources.
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.config.get
dataform.locations.*
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.repositories.computeAccessTokenStatus
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.list
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.searchFiles
resourcemanager.projects.get
resourcemanager.projects.list
Dataprep roles
Permissions
Dataprep User
Beta
(roles/dataprep.projects.user)
Use of Dataprep.
dataprep.projects.use
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Dataproc roles
Permissions
Dataproc Administrator
(roles/dataproc.admin)
Full control of Dataproc resources.
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.autoscalingPolicies.*
dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.clusters.*
dataproc.jobs.*
dataproc.nodeGroups.*
dataproc.operations.*
dataproc.sessionTemplates.*
dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.terminate
dataproc.workflowTemplates.*
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.update
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Editor
(roles/dataproc.editor)
Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones.
Lowest-level resources where you can grant this role:
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.autoscalingPolicies.create
dataproc.autoscalingPolicies.delete
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.update
dataproc.autoscalingPolicies.use
dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.start
dataproc.clusters.stop
dataproc.clusters.update
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
dataproc.nodeGroups.*
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.*
dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.terminate
dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
dataproc.workflowTemplates.instantiate
dataproc.workflowTemplates.instantiateInline
dataproc.workflowTemplates.list
dataproc.workflowTemplates.update
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.update
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Hub Agent
(roles/dataproc.hubAgent)
Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.
compute.instances.get
compute.instances.setMetadata
compute.instances.setTags
compute.zoneOperations.get
compute.zones.list
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.use
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.update
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.create
logging.logEntries.list
logging.logEntries.route
logging.logMetrics.get
logging.logMetrics.list
logging.logScopes.get
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
observability.scopes.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.objects.get
storage.objects.list
Dataproc serverless session user permissions
(roles/dataproc.serverlessEditor)
Permissions needed to run serverless sessions as a user
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.*
dataproc.sessions.*
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.update
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Serverless Node.
(roles/dataproc.serverlessNode)
Node access to Dataproc Serverless sessions. Intended for service accounts.
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataprocrm.nodePools.*
Dataproc serverless session view permissions
(roles/dataproc.serverlessViewer)
Permissions needed to view serverless sessions
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.batches.get
dataproc.batches.list
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessions.get
dataproc.sessions.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Viewer
(roles/dataproc.viewer)
Provides read-only access to Dataproc resources.
Lowest-level resources where you can grant this role:
compute.machineTypes.get
compute.regions.*
compute.zones.*
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.list
dataproc.batches.analyze
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.clusters.get
dataproc.clusters.list
dataproc.jobs.get
dataproc.jobs.list
dataproc.nodeGroups.get
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.workflowTemplates.get
dataproc.workflowTemplates.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Worker
(roles/dataproc.worker)
Provides worker access to Dataproc resources. Intended for service accounts.
cloudprofiler.profiles.create
cloudprofiler.profiles.update
dataproc.agents.*
dataproc.batches.sparkApplicationWrite
dataproc.sessions.sparkApplicationWrite
dataproc.tasks.*
dataprocrm.nodes.mintOAuthToken
logging.logEntries.create
logging.logEntries.route
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
storage.buckets.get
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Permissions
(roles/metastore.admin)
Full access to all Dataproc Metastore resources.
metastore.backups.*
metastore.federations.*
metastore.imports.*
metastore.locations.*
metastore.migrations.*
metastore.operations.*
metastore.services.create
metastore.services.delete
metastore.services.export
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
metastore.services.restore
metastore.services.setIamPolicy
metastore.services.update
resourcemanager.projects.get
resourcemanager.projects.list
(roles/metastore.editor)
Read and write access to all Dataproc Metastore resources.
metastore.backups.create
metastore.backups.delete
metastore.backups.get
metastore.backups.list
metastore.backups.use
metastore.federations.create
metastore.federations.delete
metastore.federations.get
metastore.federations.list
metastore.federations.update
metastore.imports.*
metastore.locations.*
metastore.migrations.*
metastore.operations.*
metastore.services.create
metastore.services.delete
metastore.services.export
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
metastore.services.restore
metastore.services.update
resourcemanager.projects.get
resourcemanager.projects.list
(roles/metastore.federationAccessor)
Access to the Metastore Federation resource.
metastore.federations.use
(roles/metastore.metadataEditor)
Access to read and modify the metadata of databases and tables under those databases.
metastore.databases.create
metastore.databases.delete
metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.databases.update
metastore.services.get
metastore.services.use
metastore.tables.create
metastore.tables.delete
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.update
(roles/metastore.metadataMutateAdmin)
Access to mutate metadata from a Dataproc Metastore service's underlying metadata store.
metastore.services.mutateMetadata
(roles/metastore.metadataOperator)
Read-only access to Dataproc Metastore resources with additional metadata operations permission.
metastore.backups.create
metastore.backups.delete
metastore.backups.get
metastore.backups.list
metastore.backups.use
metastore.imports.*
metastore.locations.*
metastore.operations.get
metastore.operations.list
metastore.services.export
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
metastore.services.restore
resourcemanager.projects.get
resourcemanager.projects.list
(roles/metastore.metadataOwner)
Full access to the metadata of databases and tables under those databases.
metastore.databases.*
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
metastore.services.use
metastore.tables.*
(roles/metastore.metadataQueryAdmin)
Access to query metadata from a Dataproc Metastore service's underlying metadata store.
metastore.services.queryMetadata
(roles/metastore.metadataUser)
Access to the Dataproc Metastore gRPC endpoint
metastore.databases.get
metastore.databases.list
metastore.services.get
metastore.services.use
(roles/metastore.metadataViewer)
Access to read the metadata of databases and tables under those databases
metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.services.get
metastore.services.use
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
(roles/metastore.migrationAdmin)
Access to Dataproc Metastore Managed Migration resources and workflow.
cloudsql.instances.connect
cloudsql.instances.get
cloudsql.instances.login
compute.autoscalers.create
compute.autoscalers.delete
compute.disks.create
compute.disks.delete
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.use
compute.instanceGroupManagers.create
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.use
compute.instanceGroups.delete
compute.instanceGroups.use
compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.useReadOnly
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.setMetadata
compute.machineTypes.list
compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.use
compute.regionHealthChecks.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.use
compute.regionHealthChecks.useReadOnly
compute.serviceAttachments.create
compute.serviceAttachments.delete
compute.subnetworks.get
compute.subnetworks.use
compute.zones.list
datastream.connectionProfiles.create
datastream.connectionProfiles.delete
datastream.objects.*
datastream.operations.get
datastream.privateConnections.create
datastream.privateConnections.delete
datastream.streams.create
datastream.streams.delete
datastream.streams.get
datastream.streams.update
(roles/metastore.user)
Read-only access to all Dataproc Metastore resources.
metastore.backups.get
metastore.backups.list
metastore.federations.get
metastore.federations.getIamPolicy
metastore.federations.list
metastore.imports.get
metastore.imports.list
metastore.locations.*
metastore.operations.get
metastore.operations.list
metastore.services.export
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
resourcemanager.projects.get
resourcemanager.projects.list
Datastore roles
Permissions
Cloud Datastore Backup Schedules Admin
(roles/datastore.backupSchedulesAdmin)
Manage backup schedules in Cloud Datastore.
datastore.backupSchedules.*
datastore.databases.getMetadata
datastore.databases.list
Cloud Datastore Backup Schedules Viewer
(roles/datastore.backupSchedulesViewer)
Read access to backup schedules in Cloud Datastore.
datastore.backupSchedules.get
datastore.backupSchedules.list
Cloud Datastore Backups Admin
(roles/datastore.backupsAdmin)
Read/Write access to metadata about backups in Cloud Datastore but restore is not allowed.
datastore.backups.delete
datastore.backups.get
datastore.backups.list
Cloud Datastore Backups Viewer
(roles/datastore.backupsViewer)
Read access to metadata about backups in Cloud Datastore.
datastore.backups.get
datastore.backups.list
Cloud Datastore Bulk Admin
(roles/datastore.bulkAdmin)
Full access to manage bulk operations.
datastore.databases.bulkDelete
datastore.databases.getMetadata
datastore.operations.cancel
datastore.operations.get
datastore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Import Export Admin
(roles/datastore.importExportAdmin)
Provides full access to manage imports and exports.
Lowest-level resources where you can grant this role:
appengine.applications.get
datastore.databases.export
datastore.databases.getMetadata
datastore.databases.import
datastore.operations.cancel
datastore.operations.get
datastore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Index Admin
(roles/datastore.indexAdmin)
Provides full access to manage index definitions.
Lowest-level resources where you can grant this role:
appengine.applications.get
datastore.databases.getMetadata
datastore.indexes.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Key Visualizer Viewer
(roles/datastore.keyVisualizerViewer)
Full access to Key Visualizer scans.
datastore.databases.getMetadata
datastore.keyVisualizerScans.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Owner
(roles/datastore.owner)
Provides full access to Datastore resources.
Lowest-level resources where you can grant this role:
appengine.applications.get
datastore.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Restore Admin
(roles/datastore.restoreAdmin)
Restore into Cloud Datastore Databases from Cloud Datastore Backups.
datastore.backups.get
datastore.backups.list
datastore.backups.restoreDatabase
datastore.databases.create
datastore.databases.getMetadata
datastore.databases.list
datastore.operations.get
datastore.operations.list
Cloud Datastore User
(roles/datastore.user)
Provides read/write access to data in a Datastore database.
Lowest-level resources where you can grant this role:
appengine.applications.get
datastore.databases.get
datastore.databases.getMetadata
datastore.databases.list
datastore.entities.*
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Viewer
(roles/datastore.viewer)
Provides read access to Datastore resources.
Lowest-level resources where you can grant this role:
appengine.applications.get
datastore.databases.get
datastore.databases.getMetadata
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list
DataStream roles
Permissions
Datastream Admin
(roles/datastream.admin)
Full access to all Datastream resources.
datastream.*
resourcemanager.projects.get
resourcemanager.projects.list
Datastream Viewer
(roles/datastream.viewer)
Read-only access to all Datastream resources.
datastream.connectionProfiles.destinationTypes
datastream.connectionProfiles.discover
datastream.connectionProfiles.get
datastream.connectionProfiles.getIamPolicy
datastream.connectionProfiles.list
datastream.connectionProfiles.listEffectiveTags
datastream.connectionProfiles.listStaticServiceIps
datastream.connectionProfiles.listTagBindings
datastream.connectionProfiles.sourceTypes
datastream.locations.*
datastream.objects.get
datastream.objects.list
datastream.operations.get
datastream.operations.list
datastream.privateConnections.get
datastream.privateConnections.getIamPolicy
datastream.privateConnections.list
datastream.privateConnections.listEffectiveTags
datastream.privateConnections.listTagBindings
datastream.routes.get
datastream.routes.getIamPolicy
datastream.routes.list
datastream.streams.fetchErrors
datastream.streams.get
datastream.streams.getIamPolicy
datastream.streams.list
datastream.streams.listEffectiveTags
datastream.streams.listTagBindings
resourcemanager.projects.get
resourcemanager.projects.list
Deployment Manager roles
Permissions
Deployment Manager Editor
(roles/deploymentmanager.editor)
Provides the permissions necessary to create and manage deployments.
Lowest-level resources where you can grant this role:
deploymentmanager.compositeTypes.*
deploymentmanager.deployments.cancelPreview
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.stop
deploymentmanager.deployments.update
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.*
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Deployment Manager Type Editor
(roles/deploymentmanager.typeEditor)
Provides read and write access to all Type Registry resources.
Lowest-level resources where you can grant this role:
deploymentmanager.compositeTypes.*
deploymentmanager.operations.get
deploymentmanager.typeProviders.*
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
Deployment Manager Type Viewer
(roles/deploymentmanager.typeViewer)
Provides read-only access to all Type Registry resources.
Lowest-level resources where you can grant this role:
deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
Deployment Manager Viewer
(roles/deploymentmanager.viewer)
Provides read-only access to all Deployment Manager-related resources.
Lowest-level resources where you can grant this role:
deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Dialogflow roles
Permissions
CX Premium Admin
(roles/dialogflow.aamAdmin)
An admin has access to all resources and can perform all administrative actions in an AAM project.
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.agents.searchResources
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.list
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list
CX Premium Conversational Architect
(roles/dialogflow.aamConversationalArchitect)
A Conversational Architect can label conversational data, approve taxonomy changes and design virtual agents for a customer's use cases.
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.agents.searchResources
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.list
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list
CX Premium Dialog Designer
(roles/dialogflow.aamDialogDesigner)
A Dialog Designer can label conversational data and propose taxonomy changes for virtual agent modeling.
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.agents.searchResources
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.list
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list
CX Premium Lead Dialog Designer
(roles/dialogflow.aamLeadDialogDesigner)
A Dialog Designer Lead can label conversational data and approve taxonomy changes for virtual agent modeling.
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.agents.searchResources
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.list
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list
CX Premium Viewer
(roles/dialogflow.aamViewer)
A user can view the taxonomy and data reports in an AAM project.
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.agents.searchResources
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.list
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list
Dialogflow API Admin
(roles/dialogflow.admin)
Grant to Dialogflow API admins that need full access to Dialogflow-specific resources.
Also see Dialogflow access control.
Lowest-level resources where you can grant this role:
dialogflow.*
resourcemanager.projects.get
Dialogflow Agent Assist Client
(roles/dialogflow.agentAssistClient)
Can create and handle live conversations using Agent Assist features.
dialogflow.answerrecords.*
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversations.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.generators.get
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.participants.*
dialogflow.sessions.detectIntent
Dialogflow API Client
(roles/dialogflow.client)
Grant to Dialogflow API clients that perform Dialogflow-specific edits and detect intent calls using the API.
Also see Dialogflow access control.
Lowest-level resources where you can grant this role:
dialogflow.contexts.*
dialogflow.conversations.*
dialogflow.environments.runContinuousTest
dialogflow.messages.list
dialogflow.participants.*
dialogflow.sessionEntityTypes.*
dialogflow.sessions.*
Dialogflow Console Agent Editor
(roles/dialogflow.consoleAgentEditor)
Grant to Dialogflow Console editors that edit existing agents.
Also see Dialogflow access control.
Lowest-level resources where you can grant this role:
actions.agentVersions.create
dialogflow.*
resourcemanager.projects.get
Dialogflow Console Simulator User
(roles/dialogflow.consoleSimulatorUser)
Can perform query of dialogflow suggestions in the simulator in web console.
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversations.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.participants.*
dialogflow.sessions.detectIntent
resourcemanager.projects.get
resourcemanager.projects.list
Dialogflow Console Smart Messaging Allowlist Editor
(roles/dialogflow.consoleSmartMessagingAllowlistEditor)
Can edit allowlist for smart messaging associated with conversation model in the agent assist console
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.list
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.list
dialogflow.documents.get
dialogflow.documents.list
dialogflow.operations.get
dialogflow.smartMessagingEntries.*
resourcemanager.projects.get
resourcemanager.projects.list
Dialogflow Conversation Manager
(roles/dialogflow.conversationManager)
Can manage all the resources related to Dialogflow Conversations.
dialogflow.conversationProfiles.*
dialogflow.conversations.*
dialogflow.participants.*
Dialogflow Entity Type Admin
(roles/dialogflow.entityTypeAdmin)
Can read & write entity types.
dialogflow.entityTypes.*
Dialogflow Environment editor
(roles/dialogflow.environmentEditor)
Can read & update environment and its sub-resources.
dialogflow.deployments.*
dialogflow.environments.get
dialogflow.environments.getHistory
dialogflow.environments.list
dialogflow.environments.lookupHistory
dialogflow.environments.runContinuousTest
dialogflow.environments.update
dialogflow.experiments.*
Dialogflow Flow editor
(roles/dialogflow.flowEditor)
Can read & update flow and its sub-resources.
dialogflow.flows.get
dialogflow.flows.list
dialogflow.flows.train
dialogflow.flows.update
dialogflow.flows.validate
dialogflow.pages.*
dialogflow.transitionRouteGroups.*
dialogflow.versions.*
Dialogflow Integration Manager
(roles/dialogflow.integrationManager)
Can add, remove, enable and disable Dialogflow integrations.
dialogflow.integrations.*
Dialogflow Intent Admin
(roles/dialogflow.intentAdmin)
Can read & write intents.
dialogflow.intents.*
Dialogflow API Reader
(roles/dialogflow.reader)
Grant to Dialogflow API clients that perform Dialogflow-specific read-only calls using the API.
Also see Dialogflow access control.
Lowest-level resources where you can grant this role:
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.agents.searchResources
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.list
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
Dialogflow Test Case Admin
(roles/dialogflow.testCaseAdmin)
Can read & write test cases.
dialogflow.testcases.*
Dialogflow Webhook Admin
(roles/dialogflow.webhookAdmin)
Can read & write webhooks.
dialogflow.webhooks.*
DNS roles
Permissions
DNS Administrator
(roles/dns.admin)
Provides read-write access to all Cloud DNS resources.
Lowest-level resources where you can grant this role:
compute.networks.get
compute.networks.list
dns.changes.*
dns.dnsKeys.*
dns.gkeClusters.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.update
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.getIamPolicy
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
resourcemanager.projects.get
resourcemanager.projects.list
DNS Peer
(roles/dns.peer)
Access to target networks with DNS peering zones
dns.networks.targetWithPeeringZone
DNS Reader
(roles/dns.reader)
Provides read-only access to all Cloud DNS resources.
Lowest-level resources where you can grant this role:
compute.networks.get
dns.changes.get
dns.changes.list
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.get
dns.managedZones.list
dns.policies.get
dns.policies.list
dns.projects.get
dns.resourceRecordSets.get
dns.resourceRecordSets.list
dns.responsePolicies.get
dns.responsePolicies.list
dns.responsePolicyRules.get
dns.responsePolicyRules.list
resourcemanager.projects.get
resourcemanager.projects.list
Document AI roles
Permissions
Document AI Administrator
Beta
(roles/documentai.admin)
Grants full access to all resources in Document AI
documentai.*
resourcemanager.projects.get
resourcemanager.projects.list
Document AI API User
Beta
(roles/documentai.apiUser)
Grants access to process documents in Document AI
documentai.humanReviewConfigs.review
documentai.operations.getLegacy
documentai.processorVersions.processBatch
documentai.processorVersions.processOnline
documentai.processors.processBatch
documentai.processors.processOnline
Document AI Editor
Beta
(roles/documentai.editor)
Grants access to use all resources in Document AI
documentai.*
resourcemanager.projects.get
resourcemanager.projects.list
Document AI Viewer
Beta
(roles/documentai.viewer)
Grants access to view all resources and process documents in Document AI
documentai.dataLabelingJobs.list
documentai.datasetSchemas.get
documentai.datasets.get
documentai.datasets.getDocuments
documentai.datasets.listDocuments
documentai.evaluationDocuments.get
documentai.evaluations.get
documentai.evaluations.list
documentai.humanReviewConfigs.get
documentai.humanReviewConfigs.review
documentai.labelerPools.get
documentai.labelerPools.list
documentai.locations.*
documentai.operations.getLegacy
documentai.processedDocumentsSets.*
documentai.processorTypes.*
documentai.processorVersions.get
documentai.processorVersions.list
documentai.processorVersions.processBatch
documentai.processorVersions.processOnline
documentai.processors.fetchHumanReviewDetails
documentai.processors.get
documentai.processors.list
documentai.processors.processBatch
documentai.processors.processOnline
resourcemanager.projects.get
resourcemanager.projects.list
Earth Engine roles
Permissions
Earth Engine Resource Admin
Beta
(roles/earthengine.admin)
Full access to all Earth Engine resource features
earthengine.*
resourcemanager.projects.get
resourcemanager.projects.list
Earth Engine Apps Publisher
Beta
(roles/earthengine.appsPublisher)
Publisher of Earth Engine Apps
iam.serviceAccounts.create
iam.serviceAccounts.disable
iam.serviceAccounts.enable
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.setIamPolicy
resourcemanager.projects.get
serviceusage.services.get
Earth Engine Resource Viewer
Beta
(roles/earthengine.viewer)
Viewer of all Earth Engine resources
earthengine.assets.get
earthengine.assets.getIamPolicy
earthengine.assets.list
earthengine.computations.create
earthengine.config.get
earthengine.filmstripthumbnails.get
earthengine.maps.get
earthengine.operations.get
earthengine.operations.list
earthengine.tables.get
earthengine.thumbnails.get
earthengine.videothumbnails.get
resourcemanager.projects.get
resourcemanager.projects.list
Earth Engine Resource Writer
Beta
(roles/earthengine.writer)
Writer of all Earth Engine resources
earthengine.assets.create
earthengine.assets.delete
earthengine.assets.get
earthengine.assets.getIamPolicy
earthengine.assets.list
earthengine.assets.update
earthengine.computations.create
earthengine.config.*
earthengine.exports.create
earthengine.featureviews.create
earthengine.filmstripthumbnails.*
earthengine.imports.create
earthengine.maps.*
earthengine.operations.*
earthengine.tables.*
earthengine.thumbnails.*
earthengine.videothumbnails.*
resourcemanager.projects.get
resourcemanager.projects.list
Edge Container roles
Permissions
Edge Container Admin
(roles/edgecontainer.admin)
Full access to all Edge Container resources.
edgecontainer.*
resourcemanager.projects.get
resourcemanager.projects.list
Edge Container Machine User
(roles/edgecontainer.machineUser)
Access to use Edge Container Machine resources.
edgecontainer.machines.get
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.machines.use
resourcemanager.projects.get
resourcemanager.projects.list
Edge Container Cluster offline Credential User
(roles/edgecontainer.offlineCredentialUser)
Access to get Edge Container cluster offline credentials
edgecontainer.clusters.generateOfflineCredential
resourcemanager.projects.get
resourcemanager.projects.list
Edge Container Viewer
(roles/edgecontainer.viewer)
Read-only access to all Edge Container resources.
edgecontainer.clusters.generateAccessToken
edgecontainer.clusters.get
edgecontainer.clusters.getIamPolicy
edgecontainer.clusters.list
edgecontainer.locations.*
edgecontainer.machines.get
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.nodePools.get
edgecontainer.nodePools.getIamPolicy
edgecontainer.nodePools.list
edgecontainer.operations.get
edgecontainer.operations.list
edgecontainer.serverconfig.get
edgecontainer.vpnConnections.get
edgecontainer.vpnConnections.getIamPolicy
edgecontainer.vpnConnections.list
resourcemanager.projects.get
resourcemanager.projects.list
Edge Network roles
Permissions
Edge Network Admin
(roles/edgenetwork.admin)
Full access to all Edge Network resources.
edgenetwork.*
resourcemanager.projects.get
resourcemanager.projects.list
Edge Network Viewer
(roles/edgenetwork.viewer)
Read-only access to all Edge Network resources.
edgenetwork.interconnectAttachments.get
edgenetwork.interconnectAttachments.getIamPolicy
edgenetwork.interconnectAttachments.list
edgenetwork.interconnects.get
edgenetwork.interconnects.getDiagnostics
edgenetwork.interconnects.getIamPolicy
edgenetwork.interconnects.list
edgenetwork.locations.*
edgenetwork.networks.get
edgenetwork.networks.getIamPolicy
edgenetwork.networks.getStatus
edgenetwork.networks.list
edgenetwork.operations.get
edgenetwork.operations.list
edgenetwork.routers.get
edgenetwork.routers.getIamPolicy
edgenetwork.routers.getRouterStatus
edgenetwork.routers.list
edgenetwork.routes.get
edgenetwork.routes.list
edgenetwork.subnetworks.get
edgenetwork.subnetworks.getIamPolicy
edgenetwork.subnetworks.getStatus
edgenetwork.subnetworks.list
edgenetwork.zones.get
edgenetwork.zones.list
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Knowledge Graph roles
Permissions
Enterprise Knowledge Graph Admin
Beta
(roles/enterpriseknowledgegraph.admin)
Administrator of Enterprise Knowledge Graph resources
enterpriseknowledgegraph.*
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Knowledge Graph Editor
Beta
(roles/enterpriseknowledgegraph.editor)
Editor of Enterprise Knowledge Graph resources
enterpriseknowledgegraph.*
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Knowledge Graph Viewer
Beta
(roles/enterpriseknowledgegraph.viewer)
Viewer of Enterprise Knowledge Graph resources
enterpriseknowledgegraph.cloudKnowledgeGraphEntities.*
enterpriseknowledgegraph.entityReconciliationJobs.get
enterpriseknowledgegraph.entityReconciliationJobs.list
enterpriseknowledgegraph.publicKnowledgeGraphEntities.*
resourcemanager.projects.get
resourcemanager.projects.list
Error Reporting roles
Permissions
Error Reporting Admin
Beta
(roles/errorreporting.admin)
Provides full access to Error Reporting data.
Lowest-level resources where you can grant this role:
cloudnotifications.activities.list
errorreporting.*
logging.notificationRules.*
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
Error Reporting User
Beta
(roles/errorreporting.user)
Provides the permissions to read and write Error Reporting data, except for sending new error events.
Lowest-level resources where you can grant this role:
cloudnotifications.activities.list
errorreporting.applications.list
errorreporting.errorEvents.delete
errorreporting.errorEvents.list
errorreporting.groupMetadata.*
errorreporting.groups.list
logging.notificationRules.*
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
Error Reporting Viewer
Beta
(roles/errorreporting.viewer)
Provides read-only access to Error Reporting data.
Lowest-level resources where you can grant this role:
cloudnotifications.activities.list
errorreporting.applications.list
errorreporting.errorEvents.list
errorreporting.groupMetadata.get
errorreporting.groups.list
logging.notificationRules.get
logging.notificationRules.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
Error Reporting Writer
Beta
(roles/errorreporting.writer)
Provides the permissions to send error events to Error Reporting.
Lowest-level resources where you can grant this role:
errorreporting.errorEvents.create
Eventarc roles
Permissions
Eventarc Admin
(roles/eventarc.admin)
Full control over all Eventarc resources.
Lowest-level resources where you can grant this role:
eventarc.*
resourcemanager.projects.get
resourcemanager.projects.list
Eventarc Connection Publisher
Beta
(roles/eventarc.connectionPublisher)
Can publish events to Eventarc channel connections.
Lowest-level resources where you can grant this role:
eventarc.channelConnections.get
eventarc.channelConnections.list
eventarc.channelConnections.publish
resourcemanager.projects.get
resourcemanager.projects.list
Eventarc Developer
(roles/eventarc.developer)
Access to read and write Eventarc resources.
Lowest-level resources where you can grant this role:
eventarc.channelConnections.create
eventarc.channelConnections.delete
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.publish
eventarc.channels.attach
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.undelete
eventarc.channels.update
eventarc.enrollments.create
eventarc.enrollments.delete
eventarc.enrollments.get
eventarc.enrollments.getIamPolicy
eventarc.enrollments.list
eventarc.enrollments.update
eventarc.googleApiSources.create
eventarc.googleApiSources.delete
eventarc.googleApiSources.get
eventarc.googleApiSources.getIamPolicy
eventarc.googleApiSources.list
eventarc.googleApiSources.update
eventarc.googleChannelConfigs.*
eventarc.locations.*
eventarc.operations.*
eventarc.pipelines.create
eventarc.pipelines.delete
eventarc.pipelines.get
eventarc.pipelines.getIamPolicy
eventarc.pipelines.list
eventarc.pipelines.update
eventarc.providers.*
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.undelete
eventarc.triggers.update
resourcemanager.projects.get
resourcemanager.projects.list
Eventarc Event Receiver
(roles/eventarc.eventReceiver)
Can receive events from all event providers.
Lowest-level resources where you can grant this role:
eventarc.events.*
Eventarc Message Bus Admin
Beta
(roles/eventarc.messageBusAdmin)
Full control over Message Bus resources.
eventarc.messageBuses.create
eventarc.messageBuses.delete
eventarc.messageBuses.get
eventarc.messageBuses.getIamPolicy
eventarc.messageBuses.list
eventarc.messageBuses.publish
eventarc.messageBuses.update
eventarc.messageBuses.use
Eventarc Message Bus User
Beta
(roles/eventarc.messageBusUser)
Access to publish to or bind to a Message Bus.
eventarc.messageBuses.get
eventarc.messageBuses.list
eventarc.messageBuses.publish
eventarc.messageBuses.use
Eventarc Publisher
Beta
(roles/eventarc.publisher)
Can publish events to Eventarc channels.
Lowest-level resources where you can grant this role:
eventarc.channels.get
eventarc.channels.list
eventarc.channels.publish
resourcemanager.projects.get
resourcemanager.projects.list
Eventarc Viewer
(roles/eventarc.viewer)
Can view the state of all Eventarc resources, including IAM policies.
Lowest-level resources where you can grant this role:
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.enrollments.get
eventarc.enrollments.getIamPolicy
eventarc.enrollments.list
eventarc.googleApiSources.get
eventarc.googleApiSources.getIamPolicy
eventarc.googleApiSources.list
eventarc.googleChannelConfigs.get
eventarc.locations.*
eventarc.messageBuses.get
eventarc.messageBuses.getIamPolicy
eventarc.messageBuses.list
eventarc.messageBuses.use
eventarc.operations.get
eventarc.operations.list
eventarc.pipelines.get
eventarc.pipelines.getIamPolicy
eventarc.pipelines.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase roles
Permissions
Firebase Admin
(roles/firebase.admin)
Full access to Firebase products.
apikeys.keys.get
apikeys.keys.getKeyString
apikeys.keys.list
apikeys.keys.lookup
appengine.applications.get
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.list
clientauthconfig.clients.update
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
cloudconfig.*
cloudfunctions.*
cloudmessaging.messages.create
cloudnotifications.activities.list
cloudtestservice.environmentcatalog.get
cloudtestservice.matrices.*
cloudtoolresults.*
datastore.*
errorreporting.groups.list
eventarc.*
fcmdata.deliverydata.list
firebase.*
firebaseabt.*
firebaseanalytics.*
firebaseappcheck.*
firebaseappdistro.*
firebaseauth.*
firebasecrash.*
firebasecrashlytics.*
firebasedatabase.*
firebasedataconnect.*
firebasedynamiclinks.*
firebaseextensions.*
firebaseextensionspublisher.*
firebasehosting.*
firebaseinappmessaging.*
firebasemessagingcampaigns.*
firebaseml.*
firebasenotifications.*
firebaseperformance.*
firebaserules.*
firebasestorage.*
logging.logEntries.list
monitoring.timeSeries.list
oauthconfig.verification.get
orgpolicy.policy.get
recommender.cloudFunctionsPerformanceInsights.*
recommender.cloudFunctionsPerformanceRecommendations.*
recommender.iamPolicyInsights.*
recommender.iamPolicyRecommendations.*
recommender.locations.*
recommender.runServiceCostInsights.*
recommender.runServiceCostRecommendations.*
recommender.runServiceIdentityInsights.*
recommender.runServiceIdentityRecommendations.*
recommender.runServicePerformanceInsights.*
recommender.runServicePerformanceRecommendations.*
recommender.runServiceSecurityInsights.*
recommender.runServiceSecurityRecommendations.*
recommender.storageBucketSoftDeleteInsights.*
recommender.storageBucketSoftDeleteRecommendations.*
remotebuildexecution.blobs.get
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.*
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
Firebase Analytics Admin
(roles/firebase.analyticsAdmin)
Full access to Google Analytics for Firebase.
cloudnotifications.activities.list
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.*
firebaseextensions.configs.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Firebase Analytics Viewer
(roles/firebase.analyticsViewer)
Read access to Google Analytics for Firebase.
cloudnotifications.activities.list
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseextensions.configs.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Firebase Develop Admin
(roles/firebase.developAdmin)
Full access to Firebase Develop products and Analytics.
apikeys.keys.get
apikeys.keys.getKeyString
apikeys.keys.list
apikeys.keys.lookup
appengine.applications.get
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.get
clientauthconfig.clients.list
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
cloudfunctions.*
cloudnotifications.activities.list
datastore.*
errorreporting.groups.list
eventarc.*
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.*
firebaseappcheck.*
firebaseauth.*
firebasedatabase.*
firebasedataconnect.*
firebaseextensions.configs.list
firebasehosting.*
firebaseml.*
firebaserules.*
firebasestorage.*
logging.logEntries.list
monitoring.timeSeries.list
oauthconfig.verification.get
orgpolicy.policy.get
recommender.cloudFunctionsPerformanceInsights.*
recommender.cloudFunctionsPerformanceRecommendations.*
recommender.iamPolicyInsights.*
recommender.iamPolicyRecommendations.*
recommender.locations.*
recommender.runServiceCostInsights.*
recommender.runServiceCostRecommendations.*
recommender.runServiceIdentityInsights.*
recommender.runServiceIdentityRecommendations.*
recommender.runServicePerformanceInsights.*
recommender.runServicePerformanceRecommendations.*
recommender.runServiceSecurityInsights.*
recommender.runServiceSecurityRecommendations.*
recommender.storageBucketSoftDeleteInsights.*
recommender.storageBucketSoftDeleteRecommendations.*
remotebuildexecution.blobs.get
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.*
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
Firebase Develop Viewer
(roles/firebase.developViewer)
Read access to Firebase Develop products and Analytics.
apikeys.keys.get
apikeys.keys.list
automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.files.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
cloudfunctions.functions.get
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.locations.list
cloudfunctions.operations.*
cloudnotifications.activities.list
datastore.databases.get
datastore.databases.getMetadata
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
errorreporting.groups.list
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.enrollments.get
eventarc.enrollments.getIamPolicy
eventarc.enrollments.list
eventarc.googleApiSources.get
eventarc.googleApiSources.getIamPolicy
eventarc.googleApiSources.list
eventarc.googleChannelConfigs.get
eventarc.locations.*
eventarc.messageBuses.get
eventarc.messageBuses.getIamPolicy
eventarc.messageBuses.list
eventarc.messageBuses.use
eventarc.operations.get
eventarc.operations.list
eventarc.pipelines.get
eventarc.pipelines.getIamPolicy
eventarc.pipelines.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseappcheck.appAttestConfig.get
firebaseappcheck.debugTokens.get
firebaseappcheck.deviceCheckConfig.get
firebaseappcheck.playIntegrityConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.recaptchaV3Config.get
firebaseappcheck.resourcePolicies.get
firebaseappcheck.safetyNetConfig.get
firebaseappcheck.services.get
firebaseauth.configs.get
firebaseauth.users.get
firebasedatabase.instances.get
firebasedatabase.instances.list
firebasedataconnect.connectorRevisions.get
firebasedataconnect.connectorRevisions.list
firebasedataconnect.connectors.get
firebasedataconnect.connectors.list
firebasedataconnect.locations.*
firebasedataconnect.operations.get
firebasedataconnect.operations.list
firebasedataconnect.schemaRevisions.get
firebasedataconnect.schemaRevisions.list
firebasedataconnect.schemas.get
firebasedataconnect.schemas.list
firebasedataconnect.services.get
firebasedataconnect.services.list
firebaseextensions.configs.list
firebasehosting.sites.get
firebasehosting.sites.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
firebasestorage.buckets.get
firebasestorage.buckets.list
firebasestorage.defaultBucket.get
logging.logEntries.list
monitoring.timeSeries.list
oauthconfig.verification.get
recommender.cloudFunctionsPerformanceInsights.get
recommender.cloudFunctionsPerformanceInsights.list
recommender.cloudFunctionsPerformanceRecommendations.get
recommender.cloudFunctionsPerformanceRecommendations.list
recommender.locations.*
recommender.runServiceCostInsights.get
recommender.runServiceCostInsights.list
recommender.runServiceCostRecommendations.get
recommender.runServiceCostRecommendations.list
recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServiceSecurityInsights.get
recommender.runServiceSecurityInsights.list
recommender.runServiceSecurityRecommendations.get
recommender.runServiceSecurityRecommendations.list
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.configurations.*
run.executions.get
run.executions.list
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.locations.list
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
Firebase Grow Admin
(roles/firebase.growthAdmin)
Full access to Firebase Grow products and Analytics.
apikeys.keys.get
apikeys.keys.list
clientauthconfig.clients.get
clientauthconfig.clients.list
cloudconfig.*
cloudmessaging.messages.create
cloudnotifications.activities.list
fcmdata.deliverydata.list
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseabt.*
firebaseanalytics.*
firebasedynamiclinks.*
firebaseextensions.configs.list
firebaseinappmessaging.*
firebasemessagingcampaigns.*
firebasenotifications.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Firebase Grow Viewer
(roles/firebase.growthViewer)
Read access to Firebase Grow products and Analytics.
apikeys.keys.get
apikeys.keys.list
cloudconfig.configs.get
cloudnotifications.activities.list
fcmdata.deliverydata.list
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseabt.experimentresults.get
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.get
firebaseextensions.configs.list
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebasemessagingcampaigns.campaigns.get
firebasemessagingcampaigns.campaigns.list
firebasenotifications.messages.get
firebasenotifications.messages.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Firebase Quality Admin
(roles/firebase.qualityAdmin)
Full access to Firebase Quality products and Analytics.
apikeys.keys.get
apikeys.keys.list
cloudnotifications.activities.list
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.*
firebaseappdistro.*
firebasecrash.*
firebasecrashlytics.*
firebaseextensions.configs.list
firebaseperformance.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Firebase Quality Viewer
(roles/firebase.qualityViewer)
Read access to Firebase Quality products and Analytics.
apikeys.keys.get
apikeys.keys.list
cloudnotifications.activities.list
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebasecrash.reports.get
firebasecrashlytics.config.get
firebasecrashlytics.data.get
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.sessions.get
firebaseextensions.configs.list
firebaseperformance.data.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Firebase Admin SDK Administrator Service Agent
(roles/firebase.sdkAdminServiceAgent)
Read and write access to Firebase products available in the Admin SDK
appengine.applications.get
cloudconfig.*
cloudmessaging.messages.create
datastore.databases.get
datastore.databases.getMetadata
datastore.databases.list
datastore.entities.*
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
firebase.clients.*
firebase.projects.get
firebase.projects.update
firebaseappcheck.*
firebaseauth.configs.create
firebaseauth.configs.get
firebaseauth.configs.getSecret
firebaseauth.configs.update
firebaseauth.users.*
firebasedatabase.*
firebasedataconnect.*
firebasehosting.*
firebaseml.*
firebasenotifications.*
firebaserules.releases.get
firebaserules.releases.list
firebaserules.releases.update
firebaserules.rulesets.create
firebaserules.rulesets.delete
firebaserules.rulesets.get
firebaserules.rulesets.list
identitytoolkit.*
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.projects.update
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Firebase SDK Provisioning Service Agent
(roles/firebase.sdkProvisioningServiceAgent)
Access to provision apps with the Admin SDK.
apikeys.keys.list
clientauthconfig.clients.list
cloudmessaging.messages.create
firebase.clients.create
servicemanagement.services.bind
serviceusage.services.enable
serviceusage.services.get
Firebase Viewer
(roles/firebase.viewer)
Read-only access to Firebase products.
apikeys.keys.get
apikeys.keys.list
automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.files.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
cloudconfig.configs.get
cloudfunctions.functions.get
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.locations.list
cloudfunctions.operations.*
cloudnotifications.activities.list
cloudtestservice.environmentcatalog.get
cloudtestservice.matrices.get
cloudtoolresults.executions.get
cloudtoolresults.executions.list
cloudtoolresults.histories.get
cloudtoolresults.histories.list
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
datastore.databases.get
datastore.databases.getMetadata
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
errorreporting.groups.list
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.enrollments.get
eventarc.enrollments.getIamPolicy
eventarc.enrollments.list
eventarc.googleApiSources.get
eventarc.googleApiSources.getIamPolicy
eventarc.googleApiSources.list
eventarc.googleChannelConfigs.get
eventarc.locations.*
eventarc.messageBuses.get
eventarc.messageBuses.getIamPolicy
eventarc.messageBuses.list
eventarc.messageBuses.use
eventarc.operations.get
eventarc.operations.list
eventarc.pipelines.get
eventarc.pipelines.getIamPolicy
eventarc.pipelines.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
fcmdata.deliverydata.list
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseabt.experimentresults.get
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseappcheck.appAttestConfig.get
firebaseappcheck.debugTokens.get
firebaseappcheck.deviceCheckConfig.get
firebaseappcheck.playIntegrityConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.recaptchaV3Config.get
firebaseappcheck.resourcePolicies.get
firebaseappcheck.safetyNetConfig.get
firebaseappcheck.services.get
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebaseauth.configs.get
firebaseauth.users.get
firebasecrash.reports.get
firebasecrashlytics.config.get
firebasecrashlytics.data.get
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.sessions.get
firebasedatabase.instances.get
firebasedatabase.instances.list
firebasedataconnect.connectorRevisions.get
firebasedataconnect.connectorRevisions.list
firebasedataconnect.connectors.get
firebasedataconnect.connectors.list
firebasedataconnect.locations.*
firebasedataconnect.operations.get
firebasedataconnect.operations.list
firebasedataconnect.schemaRevisions.get
firebasedataconnect.schemaRevisions.list
firebasedataconnect.schemas.get
firebasedataconnect.schemas.list
firebasedataconnect.services.get
firebasedataconnect.services.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.get
firebaseextensions.configs.list
firebaseextensionspublisher.extensions.get
firebaseextensionspublisher.extensions.list
firebasehosting.sites.get
firebasehosting.sites.list
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebasemessagingcampaigns.campaigns.get
firebasemessagingcampaigns.campaigns.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebasenotifications.messages.get
firebasenotifications.messages.list
firebaseperformance.data.get
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
firebasestorage.buckets.get
firebasestorage.buckets.list
firebasestorage.defaultBucket.get
logging.logEntries.list
monitoring.timeSeries.list
oauthconfig.verification.get
recommender.cloudFunctionsPerformanceInsights.get
recommender.cloudFunctionsPerformanceInsights.list
recommender.cloudFunctionsPerformanceRecommendations.get
recommender.cloudFunctionsPerformanceRecommendations.list
recommender.locations.*
recommender.runServiceCostInsights.get
recommender.runServiceCostInsights.list
recommender.runServiceCostRecommendations.get
recommender.runServiceCostRecommendations.list
recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServiceSecurityInsights.get
recommender.runServiceSecurityInsights.list
recommender.runServiceSecurityRecommendations.get
recommender.runServiceSecurityRecommendations.list
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.configurations.*
run.executions.get
run.executions.list
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.locations.list
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
Firebase App Check Service Agent
(roles/firebaseappcheck.serviceAgent)
Grants Firebase App Check Service Account access to consumer app attestation resources, such as reCAPTCHA Enterprise and Play Integrity API.
recaptchaenterprise.assessments.*
serviceusage.services.use
Firebase Extensions API Service Agent
(roles/firebasemods.serviceAgent)
Grants Firebase Extensions API Service Account access to manage resources.
appengine.applications.get
artifactregistry.packages.delete
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.setIamPolicy
cloudtasks.locations.*
cloudtasks.queues.*
cloudtasks.tasks.create
cloudtasks.tasks.fullView
deploymentmanager.compositeTypes.*
deploymentmanager.deployments.cancelPreview
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.stop
deploymentmanager.deployments.update
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.*
deploymentmanager.types.*
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.setIamPolicy
iam.serviceAccounts.actAs
iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.projects.updateLiens
run.services.getIamPolicy
run.services.setIamPolicy
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Firebase Products roles
Permissions
Firebase Remote Config Admin
(roles/cloudconfig.admin)
Full access to Firebase Remote Config resources.
cloudconfig.*
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Remote Config Viewer
(roles/cloudconfig.viewer)
Read access to Firebase Remote Config resources.
cloudconfig.configs.get
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Test Lab Direct Access Admin
Beta
(roles/cloudtestservice.directAccessAdmin)
Administrator owning access to Direct Access
cloudtestservice.devicesession.*
cloudtestservice.environmentcatalog.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Test Lab Direct Access Viewer
Beta
(roles/cloudtestservice.directAccessViewer)
Viewer, able to see what direct access sessions exist
cloudtestservice.devicesession.get
cloudtestservice.devicesession.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Test Lab Admin
(roles/cloudtestservice.testAdmin)
Full access to all Test Lab features
cloudtestservice.environmentcatalog.get
cloudtestservice.matrices.*
cloudtoolresults.*
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
storage.buckets.get
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
Firebase Test Lab Viewer
(roles/cloudtestservice.testViewer)
Read access to Test Lab features
cloudtestservice.environmentcatalog.get
cloudtestservice.matrices.get
cloudtoolresults.executions.get
cloudtoolresults.executions.list
cloudtoolresults.histories.get
cloudtoolresults.histories.list
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
Firebase A/B Testing Admin
Beta
(roles/firebaseabt.admin)
Full read/write access to Firebase A/B Testing resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseabt.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase A/B Testing Viewer
Beta
(roles/firebaseabt.viewer)
Read-only access to Firebase A/B Testing resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseabt.experimentresults.get
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase App Check Admin
(roles/firebaseappcheck.admin)
Full management of Firebase App Check.
firebaseappcheck.*
Firebase App Check Token Verifier
(roles/firebaseappcheck.tokenVerifier)
Access to token verification capabilities for Firebase App Check.
firebaseappcheck.appCheckTokens.verify
Firebase App Check Viewer
(roles/firebaseappcheck.viewer)
Read-only access for Firebase App Check.
firebaseappcheck.appAttestConfig.get
firebaseappcheck.debugTokens.get
firebaseappcheck.deviceCheckConfig.get
firebaseappcheck.playIntegrityConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.recaptchaV3Config.get
firebaseappcheck.resourcePolicies.get
firebaseappcheck.safetyNetConfig.get
firebaseappcheck.services.get
Firebase App Distribution Admin
(roles/firebaseappdistro.admin)
Full read/write access to Firebase App Distribution resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseappdistro.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase App Distribution Viewer
(roles/firebaseappdistro.viewer)
Read-only access to Firebase App Distribution resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Authentication Admin
(roles/firebaseauth.admin)
Full read/write access to Firebase Authentication resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseauth.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Authentication Viewer
(roles/firebaseauth.viewer)
Read-only access to Firebase Authentication resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseauth.configs.get
firebaseauth.users.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Crashlytics Admin
(roles/firebasecrashlytics.admin)
Full read/write access to Firebase Crashlytics resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasecrashlytics.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Crashlytics Viewer
(roles/firebasecrashlytics.viewer)
Read-only access to Firebase Crashlytics resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasecrashlytics.config.get
firebasecrashlytics.data.get
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.sessions.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Realtime Database Admin
(roles/firebasedatabase.admin)
Full read/write access to Firebase Realtime Database resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasedatabase.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Realtime Database Viewer
(roles/firebasedatabase.viewer)
Read-only access to Firebase Realtime Database resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasedatabase.instances.get
firebasedatabase.instances.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Dynamic Links Admin
(roles/firebasedynamiclinks.admin)
Full read/write access to Firebase Dynamic Links resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasedynamiclinks.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Dynamic Links Viewer
(roles/firebasedynamiclinks.viewer)
Read-only access to Firebase Dynamic Links resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Extensions Developer
Beta
(roles/firebaseextensions.developer)
View, create, and delete Firebase Extensions Instances and Extensions Versions, and update Extensions Instances
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Extensions Viewer
Beta
(roles/firebaseextensions.viewer)
Viewer of Firebase Extensions Instances
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Extensions Publisher - Extensions Admin
Beta
(roles/firebaseextensionspublisher.extensionsAdmin)
Fully manage Firebase Extensions
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseextensionspublisher.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Extensions Publisher - Extensions Viewer
Beta
(roles/firebaseextensionspublisher.extensionsViewer)
View Firebase Extensions
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseextensionspublisher.extensions.get
firebaseextensionspublisher.extensions.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Hosting Admin
(roles/firebasehosting.admin)
Full read/write access to Firebase Hosting resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasehosting.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Hosting Viewer
(roles/firebasehosting.viewer)
Read-only access to Firebase Hosting resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasehosting.sites.get
firebasehosting.sites.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase In-App Messaging Admin
Beta
(roles/firebaseinappmessaging.admin)
Full read/write access to Firebase In-App Messaging resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseinappmessaging.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase In-App Messaging Viewer
Beta
(roles/firebaseinappmessaging.viewer)
Read-only access to Firebase In-App Messaging resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Messaging Campaigns Admin
Beta
(roles/firebasemessagingcampaigns.admin)
Full management of Firebase Messaging Campaigns.
firebasemessagingcampaigns.*
Firebase Messaging Campaigns Viewer
Beta
(roles/firebasemessagingcampaigns.viewer)
Read-only access for Firebase Messaging Campaigns.
firebasemessagingcampaigns.campaigns.get
firebasemessagingcampaigns.campaigns.list
Firebase ML Kit Admin
Beta
(roles/firebaseml.admin)
Full read/write access to Firebase ML Kit resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseml.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase ML Kit Viewer
Beta
(roles/firebaseml.viewer)
Read-only access to Firebase ML Kit resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Cloud Messaging Admin
(roles/firebasenotifications.admin)
Full read/write access to Firebase Cloud Messaging resources.
fcmdata.deliverydata.list
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasenotifications.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Cloud Messaging Viewer
(roles/firebasenotifications.viewer)
Read-only access to Firebase Cloud Messaging resources.
fcmdata.deliverydata.list
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasenotifications.messages.get
firebasenotifications.messages.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/firebaseperformance.admin)
Full access to firebaseperformance resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseperformance.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/firebaseperformance.viewer)
Read-only access to firebaseperformance resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseperformance.data.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Rules Admin
(roles/firebaserules.admin)
Full management of Firebase Rules.
firebaserules.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Rules System
(roles/firebaserules.system)
Read/write/list access for Datastore entities and Cloud Storage objects, as well as get/list/publish access for PubSub topics.
datastore.databases.get
datastore.entities.*
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Firebase Rules Viewer
(roles/firebaserules.viewer)
Read-only access on all resources with the ability to test Rulesets.
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Storage for Firebase Admin
Beta
(roles/firebasestorage.admin)
Full management of Cloud Storage for Firebase.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasestorage.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Storage for Firebase Viewer
Beta
(roles/firebasestorage.viewer)
Read-only access for Cloud Storage for Firebase.
firebasestorage.buckets.get
firebasestorage.buckets.list
firebasestorage.defaultBucket.get
resourcemanager.projects.get
resourcemanager.projects.list
Fleet Engine roles
Permissions
Fleet Engine Consumer SDK User
(roles/fleetengine.consumerSdkUser)
Limited read access to Fleet Engine resources
fleetengine.trips.get
fleetengine.vehicles.get
fleetengine.vehicles.search
fleetengine.vehicles.searchFuzzed
Fleet Engine Delivery Admin
(roles/fleetengine.deliveryAdmin)
Full access to Fleet Engine Delivery resources.
fleetengine.deliveryvehicles.*
fleetengine.tasks.*
fleetengine.tasktrackinginfo.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Fleet Engine Delivery Consumer User
(roles/fleetengine.deliveryConsumer)
Limited read access to Fleet Engine Delivery resources
fleetengine.tasks.searchWithTrackingId
fleetengine.tasktrackinginfo.get
Fleet Engine Delivery Fleet Reader User
(roles/fleetengine.deliveryFleetReader)
Grants read access to all Fleet Engine Delivery resources
fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.list
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.tasks.searchWithTrackingId
fleetengine.tasktrackinginfo.get
Fleet Engine Delivery Super User
(roles/fleetengine.deliverySuperUser)
Full access to Fleet Engine DeliveryVehicles and Tasks resources.
fleetengine.deliveryvehicles.create
fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.list
fleetengine.deliveryvehicles.update
fleetengine.deliveryvehicles.updateLocation
fleetengine.deliveryvehicles.updateVehicleStops
fleetengine.tasks.create
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.tasks.searchWithTrackingId
fleetengine.tasks.update
fleetengine.tasktrackinginfo.get
resourcemanager.projects.get
resourcemanager.projects.list
Fleet Engine Delivery Trusted Driver User
(roles/fleetengine.deliveryTrustedDriver)
Read and write access to Fleet Engine Delivery resources
fleetengine.deliveryvehicles.create
fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.update
fleetengine.deliveryvehicles.updateLocation
fleetengine.deliveryvehicles.updateVehicleStops
fleetengine.tasks.create
fleetengine.tasks.update
Fleet Engine Delivery Untrusted Driver User
(roles/fleetengine.deliveryUntrustedDriver)
Limited write access to Fleet Engine Delivery Vehicle resources
fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.updateLocation
Fleet Engine Driver SDK User
(roles/fleetengine.driverSdkUser)
Read and limited update access to Fleet Engine resources
fleetengine.trips.get
fleetengine.trips.search
fleetengine.trips.update
fleetengine.vehicles.get
fleetengine.vehicles.updateLocation
Fleet Engine On-Demand Admin
(roles/fleetengine.ondemandAdmin)
Full access to Vehicle and Trip resources.
fleetengine.trips.*
fleetengine.vehicles.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Fleet Engine Service Super User
(roles/fleetengine.serviceSuperUser)
Full access to all Fleet Engine resources.
fleetengine.trips.create
fleetengine.trips.get
fleetengine.trips.search
fleetengine.trips.update
fleetengine.trips.updateState
fleetengine.vehicles.create
fleetengine.vehicles.get
fleetengine.vehicles.list
fleetengine.vehicles.search
fleetengine.vehicles.searchFuzzed
fleetengine.vehicles.update
fleetengine.vehicles.updateLocation
resourcemanager.projects.get
resourcemanager.projects.list
Genomics roles
Permissions
Genomics Admin
(roles/genomics.admin)
Full access to genomics datasets and operations.
genomics.*
Genomics Editor
(roles/genomics.editor)
Access to read and edit genomics datasets and operations.
genomics.datasets.create
genomics.datasets.delete
genomics.datasets.get
genomics.datasets.list
genomics.datasets.update
genomics.operations.*
Genomics Pipelines Runner
(roles/genomics.pipelinesRunner)
Full access to operate on genomics pipelines.
genomics.operations.*
Genomics Viewer
(roles/genomics.viewer)
Access to view genomics datasets and operations.
genomics.datasets.get
genomics.datasets.list
genomics.operations.get
genomics.operations.list
GKE Hub roles
Permissions
Fleet Admin (formerly GKE Hub Admin)
(roles/gkehub.admin)
Full access to Fleet resources.
gkehub.features.*
gkehub.fleet.*
gkehub.locations.*
gkehub.membershipbindings.*
gkehub.membershipfeatures.*
gkehub.memberships.*
gkehub.namespaces.*
gkehub.operations.*
gkehub.rbacrolebindings.*
gkehub.scopes.*
resourcemanager.projects.get
resourcemanager.projects.list
GKE Connect Agent
(roles/gkehub.connect)
Ability to set up GKE Connect between external clusters and Google.
gkehub.endpoints.connect
Fleet Editor (formerly GKE Hub Editor)
(roles/gkehub.editor)
Edit access to Fleet resources.
gkehub.features.create
gkehub.features.delete
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.update
gkehub.fleet.*
gkehub.locations.*
gkehub.membershipbindings.*
gkehub.membershipfeatures.*
gkehub.memberships.create
gkehub.memberships.delete
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.memberships.update
gkehub.namespaces.*
gkehub.operations.*
gkehub.rbacrolebindings.*
gkehub.scopes.create
gkehub.scopes.delete
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.scopes.listBoundMemberships
gkehub.scopes.update
resourcemanager.projects.get
resourcemanager.projects.list
Connect Gateway Admin
(roles/gkehub.gatewayAdmin)
Full access to Connect Gateway.
gkehub.gateway.*
gkehub.memberships.get
serviceusage.services.get
Connect Gateway Editor
(roles/gkehub.gatewayEditor)
Edit access to Connect Gateway.
gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.memberships.get
serviceusage.services.get
Connect Gateway Reader
(roles/gkehub.gatewayReader)
Read-only access to Connect Gateway.
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.memberships.get
serviceusage.services.get
Fleet Scope Admin
(roles/gkehub.scopeAdmin)
Admin access to Fleet Scopes to set IAM Bindings and RBACRoleBindings.
gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.rbacrolebindings.*
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.listBoundMemberships
gkehub.scopes.setIamPolicy
Fleet Scope Editor
(roles/gkehub.scopeEditor)
Edit access to Namespaces under Fleet Scopes.
gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.listBoundMemberships
Fleet Project-level Scope Editor
(roles/gkehub.scopeEditorProjectLevel)
Role for project-level permissions for editor of Fleet Scopes.
gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.memberships.get
gkehub.operations.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
Fleet Scope Viewer
(roles/gkehub.scopeViewer)
Viewer of Fleet Scopes and associated resources.
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.listBoundMemberships
Fleet Project-level Scope Viewer
(roles/gkehub.scopeViewerProjectLevel)
Role for project-level permissions for viewer of Fleet Scopes.
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.memberships.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
Fleet Viewer (formerly GKE Hub Viewer)
(roles/gkehub.viewer)
Read-only access to Fleets and related resources.
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.fleet.getFreeTrial
gkehub.locations.*
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipfeatures.get
gkehub.membershipfeatures.list
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.operations.get
gkehub.operations.list
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.scopes.get
gkehub.scopes.list
gkehub.scopes.listBoundMemberships
resourcemanager.projects.get
resourcemanager.projects.list
GKE on-prem roles
Permissions
GKE on-prem Admin
(roles/gkeonprem.admin)
Full access to GKE on-prem all resources.
gkeonprem.*
resourcemanager.projects.get
resourcemanager.projects.list
GKE on-prem Viewer
(roles/gkeonprem.viewer)
Read-only access to GKE on-prem all resources.
gkeonprem.bareMetalAdminClusters.connect
gkeonprem.bareMetalAdminClusters.get
gkeonprem.bareMetalAdminClusters.getIamPolicy
gkeonprem.bareMetalAdminClusters.list
gkeonprem.bareMetalAdminClusters.queryVersionConfig
gkeonprem.bareMetalClusters.get
gkeonprem.bareMetalClusters.getIamPolicy
gkeonprem.bareMetalClusters.list
gkeonprem.bareMetalClusters.queryVersionConfig
gkeonprem.bareMetalNodePools.get
gkeonprem.bareMetalNodePools.getIamPolicy
gkeonprem.bareMetalNodePools.list
gkeonprem.locations.*
gkeonprem.operations.get
gkeonprem.operations.list
gkeonprem.vmwareAdminClusters.connect
gkeonprem.vmwareAdminClusters.get
gkeonprem.vmwareAdminClusters.getIamPolicy
gkeonprem.vmwareAdminClusters.list
gkeonprem.vmwareClusters.get
gkeonprem.vmwareClusters.getIamPolicy
gkeonprem.vmwareClusters.list
gkeonprem.vmwareClusters.queryVersionConfig
gkeonprem.vmwareNodePools.get
gkeonprem.vmwareNodePools.getIamPolicy
gkeonprem.vmwareNodePools.list
resourcemanager.projects.get
resourcemanager.projects.list
Google Workspace Add-ons roles
Permissions
Google Workspace Add-ons Developer
(roles/gsuiteaddons.developer)
Full access to Google Workspace Add-ons resources
gsuiteaddons.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Workspace Add-ons Reader
(roles/gsuiteaddons.reader)
Read-only access to Google Workspace Add-ons resources
gsuiteaddons.authorizations.get
gsuiteaddons.deployments.get
gsuiteaddons.deployments.list
resourcemanager.projects.get
resourcemanager.projects.list
Google Workspace Add-ons Tester
(roles/gsuiteaddons.tester)
Testing execution access to Google Workspace Add-ons resources
gsuiteaddons.deployments.execute
gsuiteaddons.deployments.install
gsuiteaddons.deployments.installStatus
gsuiteaddons.deployments.uninstall
resourcemanager.projects.get
resourcemanager.projects.list
IAM roles
Permissions
Deny Admin
(roles/iam.denyAdmin)
Deny admin role, with permissions to read and modify deny policies
Lowest-level resources where you can grant this role:
cloudasset.assets.listResource
iam.denypolicies.*
policyanalyzer.resourceAuthorizationActivities.query
policysimulator.accessPolicySimulationResults.list
policysimulator.accessPolicySimulations.*
Deny Reviewer
(roles/iam.denyReviewer)
Deny Reviewer role, with permissions to read deny policies
Lowest-level resources where you can grant this role:
iam.denypolicies.get
iam.denypolicies.list
IAM Operation Viewer
Beta
(roles/iam.operationViewer)
Operation user role, with permissions to view and list operations in IAM v3
iam.operations.get
Principal Access Boundary Policy Admin
Beta
(roles/iam.principalAccessBoundaryAdmin)
Principal Access Boundary admin role, with permissions to read and modify principal access boundary policies, and to bind and unbind principal access boundary policies to targets. Also includes permissions to read principal authorization activities analysis and permissions to list assets from Cloud Asset Inventory
cloudasset.assets.listResource
cloudasset.assets.searchAllResources
iam.principalaccessboundarypolicies.*
Principal Access Boundary Policy User
Beta
(roles/iam.principalAccessBoundaryUser)
Principal Access Boundary Policies user role, with permissions to view principal access boundary policies, and to bind and unbind principal access boundary policies to targets
iam.principalaccessboundarypolicies.bind
iam.principalaccessboundarypolicies.get
iam.principalaccessboundarypolicies.list
iam.principalaccessboundarypolicies.unbind
Principal Access Boundary Policy Viewer
Beta
(roles/iam.principalAccessBoundaryViewer)
Principal Access Boundary Reviewer role, with permissions to read principal access boundary policies and view associated policy bindings
iam.principalaccessboundarypolicies.get
iam.principalaccessboundarypolicies.list
iam.principalaccessboundarypolicies.searchPolicyBindings
Security Admin
(roles/iam.securityAdmin)
Security admin role, with permissions to get and set any IAM policy.
accessapproval.requests.list
accesscontextmanager.accessLevels.list
accesscontextmanager.authorizedOrgsDescs.list
accesscontextmanager.gcpUserAccessBindings.list
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.policies.setIamPolicy
accesscontextmanager.servicePerimeters.list
actions.agentVersions.list
advisorynotifications.notifications.*
aiplatform.agentExamples.list
aiplatform.agents.list
aiplatform.annotationSpecs.list
aiplatform.annotations.list
aiplatform.apps.list
aiplatform.artifacts.list
aiplatform.batchPredictionJobs.list
aiplatform.cachedContents.list
aiplatform.contexts.list
aiplatform.customJobs.list
aiplatform.dataItems.list
aiplatform.dataLabelingJobs.list
aiplatform.datasetVersions.list
aiplatform.datasets.list
aiplatform.deploymentResourcePools.list
aiplatform.edgeDeploymentJobs.list
aiplatform.edgeDevices.list
aiplatform.endpoints.getIamPolicy
aiplatform.endpoints.list
aiplatform.endpoints.setIamPolicy
aiplatform.entityTypes.getIamPolicy
aiplatform.entityTypes.list
aiplatform.entityTypes.setIamPolicy
aiplatform.executions.list
aiplatform.extensions.list
aiplatform.featureGroups.list
aiplatform.featureOnlineStores.getIamPolicy
aiplatform.featureOnlineStores.list
aiplatform.featureOnlineStores.setIamPolicy
aiplatform.featureViewSyncs.list
aiplatform.featureViews.getIamPolicy
aiplatform.featureViews.list
aiplatform.featureViews.setIamPolicy
aiplatform.features.list
aiplatform.featurestores.getIamPolicy
aiplatform.featurestores.list
aiplatform.featurestores.setIamPolicy
aiplatform.humanInTheLoops.list
aiplatform.hyperparameterTuningJobs.list
aiplatform.indexEndpoints.list
aiplatform.indexes.list
aiplatform.locations.list
aiplatform.metadataSchemas.list
aiplatform.metadataStores.list
aiplatform.modelDeploymentMonitoringJobs.list
aiplatform.modelEvaluationSlices.list
aiplatform.modelEvaluations.list
aiplatform.modelMonitoringJobs.list
aiplatform.modelMonitors.list
aiplatform.models.list
aiplatform.nasJobs.list
aiplatform.nasTrialDetails.list
aiplatform.notebookExecutionJobs.list
aiplatform.notebookRuntimeTemplates.getIamPolicy
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimeTemplates.setIamPolicy
aiplatform.notebookRuntimes.list
aiplatform.operations.list
aiplatform.persistentResources.list
aiplatform.pipelineJobs.list
aiplatform.reasoningEngines.list
aiplatform.schedules.list
aiplatform.sessions.list
aiplatform.specialistPools.list
aiplatform.studies.list
aiplatform.tensorboardExperiments.list
aiplatform.tensorboardRuns.list
aiplatform.tensorboardTimeSeries.list
aiplatform.tensorboards.list
aiplatform.trainingPipelines.list
aiplatform.trials.list
aiplatform.tuningJobs.list
alloydb.backups.list
alloydb.clusters.list
alloydb.databases.list
alloydb.instances.list
alloydb.locations.list
alloydb.operations.list
alloydb.supportedDatabaseFlags.list
alloydb.users.list
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.dataExchanges.setIamPolicy
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.setIamPolicy
analyticshub.subscriptions.list
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apiconfigs.setIamPolicy
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.apis.setIamPolicy
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.gateways.setIamPolicy
apigateway.locations.list
apigateway.operations.list
apigee.apiproductattributes.list
apigee.apiproducts.list
apigee.appgroupapps.list
apigee.appgroups.list
apigee.apps.list
apigee.archivedeployments.list
apigee.caches.list
apigee.datacollectors.list
apigee.datastores.list
apigee.deployments.getIamPolicy
apigee.deployments.list
apigee.deployments.setIamPolicy
apigee.developerappattributes.list
apigee.developerapps.list
apigee.developerattributes.list
apigee.developers.list
apigee.developersubscriptions.list
apigee.endpointattachments.list
apigee.envgroupattachments.list
apigee.envgroups.list
apigee.environments.getIamPolicy
apigee.environments.list
apigee.environments.setIamPolicy
apigee.exports.list
apigee.flowhooks.list
apigee.hostqueries.list
apigee. hostsecurityreports. list
apigee. instanceattachments. list
apigee.instances.list
apigee.keystorealiases.list
apigee.keystores.list
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.list
apigee.nataddresses.list
apigee.operations.list
apigee.organizations.list
apigee.portals.list
apigee.proxies.list
apigee.proxyrevisions.list
apigee.queries.list
apigee.rateplans.list
apigee.references.list
apigee.reports.list
apigee.resourcefiles.list
apigee.securityActions.list
apigee.securityFeedback.list
apigee.securityIncidents.list
apigee.securityProfiles.list
apigee.securityProfilesV2.list
apigee.securityreports.list
apigee.sharedflowrevisions.list
apigee.sharedflows.list
apigee.targetservers.list
apigee.traceconfigoverrides.list
apigee.tracesessions.list
apigeeconnect.connections.list
apigeeregistry.apis.getIamPolicy
apigeeregistry.apis.list
apigeeregistry.apis.setIamPolicy
apigeeregistry.artifacts.getIamPolicy
apigeeregistry.artifacts.list
apigeeregistry.artifacts.setIamPolicy
apigeeregistry.deployments.list
apigeeregistry.locations.list
apigeeregistry.operations.list
apigeeregistry.specs.getIamPolicy
apigeeregistry.specs.list
apigeeregistry.specs.setIamPolicy
apigeeregistry.versions.getIamPolicy
apigeeregistry.versions.list
apigeeregistry.versions.setIamPolicy
apihub.apiHubInstances.list
apihub.apiOperations.list
apihub.apis.list
apihub.attributes.list
apihub.definitions.list
apihub.dependencies.list
apihub.deployments.list
apihub.externalApis.list
apihub.hostProjectRegistrations.list
apihub.llmEnablements.list
apihub.operations.list
apihub.plugins.list
apihub.runTimeProjectAttachments.list
apihub.specs.list
apihub.versions.list
apikeys.keys.list
apim.apiObservations.list
apim.apiOperations.list
apim.locations.list
apim.observationJobs.list
apim.observationSources.list
apim.operations.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
apphub.applications.getIamPolicy
apphub.applications.list
apphub.applications.setIamPolicy
apphub.discoveredServices.list
apphub.discoveredWorkloads.list
apphub.locations.list
apphub.operations.list
apphub.serviceProjectAttachments.list
apphub.services.list
apphub.workloads.list
applianceactivation.rttCommands.list
artifactregistry.attachments.list
artifactregistry.dockerimages.list
artifactregistry.files.list
artifactregistry.locations.list
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.list
artifactregistry.packages.list
artifactregistry.pythonpackages.list
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.list
artifactregistry.repositories.setIamPolicy
artifactregistry.rules.list
artifactregistry.tags.list
artifactregistry.versions.list
assuredoss.locations.list
assuredoss.metadata.list
assuredoss.operations.list
assuredworkloads.operations.list
assuredworkloads.updates.list
assuredworkloads.violations.list
assuredworkloads.workload.list
auditmanager.auditReports.list
auditmanager.controlReports.list
auditmanager.controls.list
auditmanager.customComplianceFrameworks.list
auditmanager.findings.list
auditmanager.locations.list
auditmanager.operations.list
auditmanager.resourceEnrollmentStatuses.list
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.datasets.setIamPolicy
automl.examples.list
automl.files.list
automl.humanAnnotationTasks.list
automl.locations.getIamPolicy
automl.locations.list
automl.locations.setIamPolicy
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.models.setIamPolicy
automl.operations.list
automl.tableSpecs.list
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.list
automlrecommendations.eventStores.list
automlrecommendations.events.list
automlrecommendations.placements.list
automlrecommendations.recommendations.list
autoscaling.sites.getIamPolicy
autoscaling.sites.setIamPolicy
backupdr.backupPlanAssociations.list
backupdr.backupPlans.list
backupdr.backupVaults.list
backupdr.bvbackups.list
backupdr.bvdataSources.list
backupdr.locations.list
backupdr.managementServers.getIamPolicy
backupdr.managementServers.list
backupdr.managementServers.setIamPolicy
backupdr.operations.list
backupdr.resourceBackupConfigs.list
baremetalsolution.instancequotas.list
baremetalsolution.instances.list
baremetalsolution.luns.list
baremetalsolution.maintenanceevents.list
baremetalsolution.networkquotas.list
baremetalsolution.networks.list
baremetalsolution.nfsshares.list
baremetalsolution.osimages.list
baremetalsolution.pods.list
baremetalsolution.procurements.list
baremetalsolution.skus.list
baremetalsolution.snapshotschedulepolicies.list
baremetalsolution.sshKeys.list
baremetalsolution.storageaggregatepools.list
baremetalsolution.volumequotas.list
baremetalsolution.volumes.list
baremetalsolution.volumesnapshots.list
batch.jobs.list
batch.locations.list
batch.operations.list
batch.resourceAllowances.list
batch.tasks.list
beyondcorp.appConnections.getIamPolicy
beyondcorp.appConnections.list
beyondcorp.appConnections.setIamPolicy
beyondcorp.appConnectors.getIamPolicy
beyondcorp.appConnectors.list
beyondcorp.appConnectors.setIamPolicy
beyondcorp.appGateways.getIamPolicy
beyondcorp.appGateways.list
beyondcorp.appGateways.setIamPolicy
beyondcorp.clientConnectorServices.getIamPolicy
beyondcorp.clientConnectorServices.list
beyondcorp.clientConnectorServices.setIamPolicy
beyondcorp.clientGateways.getIamPolicy
beyondcorp.clientGateways.list
beyondcorp.clientGateways.setIamPolicy
beyondcorp.locations.list
beyondcorp.operations.list
beyondcorp.partnerTenants.list
beyondcorp.proxyConfigs.list
beyondcorp.subscriptions.list
biglake.catalogs.list
biglake.databases.list
biglake.locks.list
biglake.tables.list
bigquery.capacityCommitments.list
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.setIamPolicy
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy
bigquery.datasets.getIamPolicy
bigquery.datasets.setIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.reservationAssignments.list
bigquery.reservations.list
bigquery.routines.list
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.setIamPolicy
bigquery.savedqueries.list
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.setIamPolicy
bigquerymigration.subtasks.list
bigquerymigration.workflows.list
bigtable.appProfiles.list
bigtable.authorizedViews.getIamPolicy
bigtable.authorizedViews.list
bigtable.authorizedViews.setIamPolicy
bigtable.backups.getIamPolicy
bigtable.backups.list
bigtable.backups.setIamPolicy
bigtable.clusters.list
bigtable.hotTablets.list
bigtable.instances.getIamPolicy
bigtable.instances.list
bigtable.instances.setIamPolicy
bigtable.keyvisualizer.list
bigtable.locations.list
bigtable.tables.getIamPolicy
bigtable.tables.list
bigtable.tables.setIamPolicy
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.setIamPolicy
billing.anomalies.list
billing.billingAccountPrices.list
billing.billingAccountServices.list
billing.billingAccountSkuGroupSkus.list
billing.billingAccountSkuGroups.list
billing.billingAccountSkus.list
billing.budgets.list
billing.credits.list
billing.resourceAssociations.list
billing.subscriptions.list
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.attestors.setIamPolicy
binaryauthorization.continuousValidationConfig.getIamPolicy
binaryauthorization.continuousValidationConfig.setIamPolicy
binaryauthorization.platformPolicies.list
binaryauthorization.policy.getIamPolicy
binaryauthorization.policy.setIamPolicy
blockchainnodeengine.blockchainNodes.list
blockchainnodeengine.locations.list
blockchainnodeengine.operations.list
blockchainvalidatormanager.blockchainValidatorConfigs.list
blockchainvalidatormanager.locations.list
blockchainvalidatormanager.operations.list
capacityplanner.forecasts.list
capacityplanner.usageHistories.list
carestudio.patients.list
certificatemanager.certissuanceconfigs.list
certificatemanager.certmapentries.list
certificatemanager.certmaps.list
certificatemanager.certs.list
certificatemanager.dnsauthorizations.list
certificatemanager.locations.list
certificatemanager.operations.list
certificatemanager.trustconfigs.list
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.collectors.list
chronicle.conversations.list
chronicle.curatedRuleSetCategories.list
chronicle.curatedRuleSetDeployments.list
chronicle.curatedRuleSets.list
chronicle.curatedRules.list
chronicle.dashboardCharts.list
chronicle.dashboardQueries.list
chronicle.dashboards.list
chronicle.dataAccessLabels.list
chronicle.dataAccessScopes.list
chronicle.dataTableRows.list
chronicle.dataTables.list
chronicle.dataTaps.list
chronicle.enrichmentControls.list
chronicle.entities.list
chronicle.errorNotificationConfigs.list
chronicle.extensionValidationReports.list
chronicle.feedSourceTypeSchemas.list
chronicle.feeds.list
chronicle.findingsRefinementDeployments.list
chronicle.findingsRefinements.list
chronicle.forwarders.list
chronicle.ingestionLogLabels.list
chronicle.ingestionLogNamespaces.list
chronicle.iocMatches.list
chronicle.logTypeSchemas.list
chronicle.logTypes.list
chronicle.logs.list
chronicle.messages.list
chronicle.nativeDashboards.list
chronicle.operations.list
chronicle.parserExtensions.list
chronicle.parsers.list
chronicle.parsingErrors.list
chronicle.referenceLists.list
chronicle.retrohunts.list
chronicle.ruleDeployments.list
chronicle.ruleExecutionErrors.list
chronicle.rules.list
chronicle.searchQueries.list
chronicle.validationErrors.list
chronicle.watchlists.list
chroniclesm.gcpAssociations.list
clientauthconfig.brands.list
clientauthconfig.clients.list
cloud.locations.list
cloudaicompanion.codeRepositoryIndexes.list
cloudaicompanion.operations.list
cloudaicompanion.repositoryGroups.getIamPolicy
cloudaicompanion.repositoryGroups.list
cloudaicompanion.repositoryGroups.setIamPolicy
cloudasset.assets.searchAllResources
cloudasset.feeds.list
cloudasset.savedqueries.list
cloudbuild.builds.list
cloudbuild.connections.getIamPolicy
cloudbuild.connections.list
cloudbuild.connections.setIamPolicy
cloudbuild.integrations.list
cloudbuild.operations.list
cloudbuild.repositories.list
cloudbuild.workerpools.list
cloudcontrolspartner.accessapprovalrequests.list
cloudcontrolspartner.customers.list
cloudcontrolspartner.violations.list
cloudcontrolspartner.workloads.list
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
clouddeploy.automationRuns.list
clouddeploy.automations.list
clouddeploy.customTargetTypes.getIamPolicy
clouddeploy.customTargetTypes.list
clouddeploy.customTargetTypes.setIamPolicy
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.setIamPolicy
clouddeploy.deployPolicies.list
clouddeploy.jobRuns.list
clouddeploy.locations.list
clouddeploy.operations.list
clouddeploy.releases.list
clouddeploy.rollouts.list
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
clouddeploy.targets.setIamPolicy
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.functions.setIamPolicy
cloudfunctions.locations.list
cloudfunctions.operations.list
cloudjobdiscovery.companies.list
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.cryptoKeys.setIamPolicy
cloudkms.ekmConfigs.getIamPolicy
cloudkms.ekmConfigs.setIamPolicy
cloudkms.ekmConnections.getIamPolicy
cloudkms.ekmConnections.list
cloudkms.ekmConnections.setIamPolicy
cloudkms.importJobs.getIamPolicy
cloudkms.importJobs.list
cloudkms.importJobs.setIamPolicy
cloudkms.keyHandles.list
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudkms.keyRings.setIamPolicy
cloudkms.locations.list
cloudnotifications.activities.list
cloudonefs.isiloncloud.com/clusters.list
cloudonefs.isiloncloud.com/fileshares.list
cloudprivatecatalogproducer.associations.list
cloudprivatecatalogproducer.catalogAssociations.list
cloudprivatecatalogproducer.catalogs.getIamPolicy
cloudprivatecatalogproducer.catalogs.list
cloudprivatecatalogproducer.catalogs.setIamPolicy
cloudprivatecatalogproducer.producerCatalogs.getIamPolicy
cloudprivatecatalogproducer.producerCatalogs.list
cloudprivatecatalogproducer.producerCatalogs.setIamPolicy
cloudprivatecatalogproducer.products.getIamPolicy
cloudprivatecatalogproducer.products.list
cloudprivatecatalogproducer.products.setIamPolicy
cloudprofiler.profiles.list
cloudscheduler.jobs.list
cloudscheduler.locations.list
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.list
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.list
cloudsql.sslCerts.list
cloudsql.users.list
cloudsupport.accounts.getIamPolicy
cloudsupport.accounts.list
cloudsupport.accounts.setIamPolicy
cloudsupport.techCases.list
cloudtasks.locations.list
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.queues.setIamPolicy
cloudtasks.tasks.list
cloudtestservice.devicesession.list
cloudtoolresults.executions.list
cloudtoolresults.histories.list
cloudtoolresults.steps.list
cloudtrace.insights.list
cloudtrace.tasks.list
cloudtrace.traceScopes.list
cloudtrace.traces.list
cloudtranslate.adaptiveMtDatasets.list
cloudtranslate.adaptiveMtFiles.list
cloudtranslate.adaptiveMtSentences.list
cloudtranslate.customModels.list
cloudtranslate.datasets.list
cloudtranslate.glossaries.list
cloudtranslate.glossaryentries.list
cloudtranslate.locations.list
cloudtranslate.operations.list
cloudvolumesgcp-api.netapp.com/activeDirectories.list
cloudvolumesgcp-api.netapp.com/ipRanges.list
cloudvolumesgcp-api.netapp.com/jobs.list
cloudvolumesgcp-api.netapp.com/regions.list
cloudvolumesgcp-api.netapp.com/serviceLevels.list
cloudvolumesgcp-api.netapp.com/snapshots.list
cloudvolumesgcp-api.netapp.com/volumereplication.list
cloudvolumesgcp-api.netapp.com/volumes.list
commerceagreementpublishing.agreements.list
commerceagreementpublishing.documents.list
commercebusinessenablement.operations.list
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.refunds.list
commercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.list
commercebusinessenablement.resellerRestrictions.list
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.list
commerceorggovernance.collectionRequestApprovals.list
commerceorggovernance.collections.list
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.services.list
commerceprice.events.list
commerceprice.privateoffers.list
composer.dags.list
composer.environments.list
composer.imageversions.list
composer.operations.list
composer.userworkloadsconfigmaps.list
composer.userworkloadssecrets.list
compute.acceleratorTypes.list
compute.addresses.list
compute.autoscalers.list
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendBuckets.setIamPolicy
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.backendServices.setIamPolicy
compute.commitments.list
compute.diskTypes.list
compute.disks.getIamPolicy
compute.disks.list
compute.disks.setIamPolicy
compute.externalVpnGateways.list
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.setIamPolicy
compute.firewalls.list
compute.forwardingRules.list
compute.futureReservations.getIamPolicy
compute.futureReservations.list
compute.futureReservations.setIamPolicy
compute.globalAddresses.list
compute.globalForwardingRules.list
compute.globalNetworkEndpointGroups.list
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.images.getIamPolicy
compute.images.list
compute.images.setIamPolicy
compute.instanceGroupManagers.list
compute.instanceGroups.list
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.setIamPolicy
compute.instances.getIamPolicy
compute.instances.list
compute.instances.setIamPolicy
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.instantSnapshots.setIamPolicy
compute.interconnectAttachments.list
compute.interconnectLocations.list
compute.interconnectRemoteLocations.list
compute.interconnects.list
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenseCodes.setIamPolicy
compute.licenses.getIamPolicy
compute.licenses.list
compute.licenses.setIamPolicy
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.setIamPolicy
compute.machineTypes.list
compute.multiMig.list
compute.networkAttachments.getIamPolicy
compute.networkAttachments.list
compute.networkAttachments.setIamPolicy
compute.networkEdgeSecurityServices.list
compute.networkEndpointGroups.list
compute.networkProfiles.list
compute.networks.list
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeGroups.setIamPolicy
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTemplates.setIamPolicy
compute.nodeTypes.list
compute.packetMirrorings.list
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionBackendServices.setIamPolicy
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.setIamPolicy
compute.regionHealthCheckServices.list
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.list
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionOperations.setIamPolicy
compute.regionSecurityPolicies.list
compute.regionSslCertificates.list
compute.regionSslPolicies.list
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.list
compute.regionTargetTcpProxies.list
compute.regionUrlMaps.list
compute.regions.list
compute.reservationBlocks.list
compute.reservations.list
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.resourcePolicies.setIamPolicy
compute.routers.list
compute.routes.list
compute.securityPolicies.list
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.serviceAttachments.setIamPolicy
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.setIamPolicy
compute.sslCertificates.list
compute.sslPolicies.list
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.storagePools.setIamPolicy
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.setIamPolicy
compute.targetGrpcProxies.list
compute.targetHttpProxies.list
compute.targetHttpsProxies.list
compute.targetInstances.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zoneOperations.setIamPolicy
compute.zones.list
confidentialcomputing.locations.list
config.deployments.getIamPolicy
config.deployments.list
config.deployments.setIamPolicy
config.locations.list
config.operations.list
config.previews.list
config.resources.list
config.revisions.list
config.terraformversions.list
configdelivery.fleetPackages.list
configdelivery.locations.list
configdelivery.operations.list
configdelivery.releases.list
configdelivery.resourceBundles.list
configdelivery.rollouts.list
connectors.actions.list
connectors.connections.getIamPolicy
connectors.connections.list
connectors.connections.setIamPolicy
connectors.connectors.list
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectorVersions.setIamPolicy
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.customConnectors.setIamPolicy
connectors.endpointAttachments.getIamPolicy
connectors.endpointAttachments.list
connectors.endpointAttachments.setIamPolicy
connectors.entities.list
connectors.entityTypes.list
connectors.eventSubscriptions.list
connectors.eventtypes.list
connectors.locations.list
connectors.managedZones.getIamPolicy
connectors.managedZones.list
connectors.managedZones.setIamPolicy
connectors.operations.list
connectors.providers.list
connectors.versions.list
consumerprocurement.accounts.list
consumerprocurement.consents.list
consumerprocurement.entitlements.list
consumerprocurement.events.list
consumerprocurement.freeTrials.list
consumerprocurement.orderAttributions.list
consumerprocurement.orders.list
contactcenteraiplatform.contactCenters.list
contactcenteraiplatform.locations.list
contactcenteraiplatform.operations.list
contactcenterinsights.analyses.list
contactcenterinsights.analysisRules.list
contactcenterinsights.conversations.list
contactcenterinsights.faqEntries.list
contactcenterinsights.faqModels.list
contactcenterinsights.feedbackLabels.list
contactcenterinsights.issueModels.list
contactcenterinsights.issues.list
contactcenterinsights.operations.list
contactcenterinsights.phraseMatchers.list
contactcenterinsights.qaQuestions.list
contactcenterinsights.qaScorecardRevisions.list
contactcenterinsights.qaScorecards.list
contactcenterinsights.views.list
container.apiServices.list
container.auditSinks.list
container.backendConfigs.list
container.bindings.list
container.certificateSigningRequests.list
container.clusterRoleBindings.list
container.clusterRoles.list
container.clusters.list
container.componentStatuses.list
container.configMaps.list
container.controllerRevisions.list
container.cronJobs.list
container.csiDrivers.list
container.csiNodeInfos.list
container.csiNodes.list
container.customResourceDefinitions.list
container.daemonSets.list
container.deployments.list
container.endpointSlices.list
container.endpoints.list
container.events.list
container.frontendConfigs.list
container.horizontalPodAutoscalers.list
container.ingresses.list
container.initializerConfigurations.list
container.jobs.list
container.leases.list
container.limitRanges.list
container.localSubjectAccessReviews.list
container.managedCertificates.list
container.mutatingWebhookConfigurations.list
container.namespaces.list
container.networkPolicies.list
container.nodes.list
container.operations.list
container.persistentVolumeClaims.list
container.persistentVolumes.list
container.petSets.list
container.podDisruptionBudgets.list
container.podPresets.list
container.podSecurityPolicies.list
container.podTemplates.list
container.pods.list
container.priorityClasses.list
container.replicaSets.list
container.replicationControllers.list
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.runtimeClasses.list
container.scheduledJobs.list
container.selfSubjectAccessReviews.list
container.serviceAccounts.list
container.services.list
container.statefulSets.list
container.storageClasses.list
container.storageStates.list
container.storageVersionMigrations.list
container.subjectAccessReviews.list
container.thirdPartyObjects.list
container.thirdPartyResources.list
container.updateInfos.list
container.validatingWebhookConfigurations.list
container.volumeAttachments.list
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.list
container.volumeSnapshots.list
containeranalysis.notes.getIamPolicy
containeranalysis.notes.list
containeranalysis.notes.setIamPolicy
containeranalysis.occurrences.getIamPolicy
containeranalysis.occurrences.list
containeranalysis.occurrences.setIamPolicy
containersecurity.clusterSummaries.list
containersecurity.findings.list
containersecurity.locations.list
contentwarehouse.corpora.list
contentwarehouse.documentSchemas.list
contentwarehouse.documents.getIamPolicy
contentwarehouse.documents.list
contentwarehouse.documents.setIamPolicy
contentwarehouse.ruleSets.list
contentwarehouse.synonymSets.list
databasecenter.*
databaseinsights.locations.list
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.entries.getIamPolicy
datacatalog.entries.list
datacatalog.entries.setIamPolicy
datacatalog.entryGroups.getIamPolicy
datacatalog.entryGroups.list
datacatalog.entryGroups.setIamPolicy
datacatalog.operations.list
datacatalog.relationships.list
datacatalog.tagTemplates.getIamPolicy
datacatalog.tagTemplates.setIamPolicy
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
datacatalog.taxonomies.setIamPolicy
dataconnectors.connectors.getIamPolicy
dataconnectors.connectors.list
dataconnectors.connectors.setIamPolicy
dataconnectors.locations.list
dataconnectors.operations.list
dataflow.jobs.list
dataflow.messages.list
dataflow.snapshots.list
dataform.compilationResults.list
dataform.locations.list
dataform.releaseConfigs.list
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.setIamPolicy
dataform.workflowConfigs.list
dataform.workflowInvocations.list
dataform.workspaces.getIamPolicy
dataform.workspaces.list
dataform.workspaces.setIamPolicy
datafusion.artifacts.list
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.setIamPolicy
datafusion.locations.list
datafusion.operations.list
datafusion.pipelineConnections.list
datafusion.pipelines.list
datafusion.profiles.list
datafusion.secureKeys.list
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.list
datalabeling.dataitems.list
datalabeling.datasets.list
datalabeling.examples.list
datalabeling.instructions.list
datalabeling.operations.list
datalineage.events.list
datalineage.processes.list
datalineage.runs.list
datamigration.connectionprofiles.getIamPolicy
datamigration.connectionprofiles.list
datamigration.connectionprofiles.setIamPolicy
datamigration.conversionworkspaces.getIamPolicy
datamigration.conversionworkspaces.list
datamigration.conversionworkspaces.setIamPolicy
datamigration.locations.list
datamigration.mappingrules.getIamPolicy
datamigration.mappingrules.setIamPolicy
datamigration.migrationjobs.getIamPolicy
datamigration.migrationjobs.list
datamigration.migrationjobs.setIamPolicy
datamigration.objects.list
datamigration.operations.list
datamigration.privateconnections.getIamPolicy
datamigration.privateconnections.list
datamigration.privateconnections.setIamPolicy
datapipelines.jobs.list
datapipelines.pipelines.list
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.setIamPolicy
dataplex.assetActions.list
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.setIamPolicy
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.dataAttributeBindings.getIamPolicy
dataplex.dataAttributeBindings.list
dataplex.dataAttributeBindings.setIamPolicy
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataAttributes.setIamPolicy
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
dataplex.dataTaxonomies.setIamPolicy
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.datascans.setIamPolicy
dataplex.encryptionConfig.list
dataplex.entities.list
dataplex.entries.list
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.setIamPolicy
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.setIamPolicy
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.setIamPolicy
dataplex.lakeActions.list
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.setIamPolicy
dataplex.locations.list
dataplex.metadataJobs.list
dataplex.operations.list
dataplex.partitions.list
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.setIamPolicy
dataplex.zoneActions.list
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.setIamPolicy
dataproc.agents.list
dataproc.autoscalingPolicies.getIamPolicy
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.setIamPolicy
dataproc.batches.list
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.clusters.setIamPolicy
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.jobs.setIamPolicy
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.operations.setIamPolicy
dataproc.sessionTemplates.list
dataproc.sessions.list
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.list
dataproc.workflowTemplates.setIamPolicy
dataprocessing.datasources.list
dataprocessing.featurecontrols.list
dataprocessing.groupcontrols.list
dataprocrm.locations.list
dataprocrm.nodePools.list
dataprocrm.nodes.list
dataprocrm.operations.list
dataprocrm.workloads.list
datastore.backupSchedules.list
datastore.backups.list
datastore.databases.list
datastore.entities.list
datastore.indexes.list
datastore.keyVisualizerScans.list
datastore.locations.list
datastore.namespaces.list
datastore.operations.list
datastore.statistics.list
datastream.connectionProfiles.getIamPolicy
datastream.connectionProfiles.list
datastream.connectionProfiles.setIamPolicy
datastream.locations.list
datastream.objects.list
datastream.operations.list
datastream.privateConnections.getIamPolicy
datastream.privateConnections.list
datastream.privateConnections.setIamPolicy
datastream.routes.getIamPolicy
datastream.routes.list
datastream.routes.setIamPolicy
datastream.streams.getIamPolicy
datastream.streams.list
datastream.streams.setIamPolicy
datastudio.datasources.getIamPolicy
datastudio.datasources.setIamPolicy
datastudio.reports.getIamPolicy
datastudio.reports.setIamPolicy
datastudio.workspaces.getIamPolicy
datastudio.workspaces.setIamPolicy
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.getIamPolicy
deploymentmanager.deployments.list
deploymentmanager.deployments.setIamPolicy
deploymentmanager.manifests.list
deploymentmanager.operations.list
deploymentmanager.resources.list
deploymentmanager.typeProviders.list
deploymentmanager.types.list
developerconnect.connections.list
developerconnect.gitRepositoryLinks.list
developerconnect.locations.list
developerconnect.operations.list
dialogflow.agents.list
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.list
dialogflow.contexts.list
dialogflow.conversationDatasets.list
dialogflow.conversationModels.list
dialogflow.conversationProfiles.list
dialogflow.conversations.list
dialogflow.deployments.list
dialogflow.documents.list
dialogflow.entityTypes.list
dialogflow.environments.list
dialogflow.examples.list
dialogflow.experiments.list
dialogflow.flows.list
dialogflow.generators.list
dialogflow.integrations.list
dialogflow.intents.list
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.list
dialogflow.pages.list
dialogflow.participants.list
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.playbooks.list
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.list
dialogflow.smartMessagingEntries.list
dialogflow.testcases.list
dialogflow.tools.list
dialogflow.transitionRouteGroups.list
dialogflow.versions.list
dialogflow.webhooks.list
discoveryengine.branches.list
discoveryengine.cmekConfigs.list
discoveryengine.collections.list
discoveryengine.controls.list
discoveryengine.conversations.list
discoveryengine.dataStores.list
discoveryengine.documents.list
discoveryengine.engines.list
discoveryengine.evaluations.list
discoveryengine.models.list
discoveryengine.operations.list
discoveryengine.sampleQueries.list
discoveryengine.sampleQuerySets.list
discoveryengine.schemas.list
discoveryengine.servingConfigs.list
discoveryengine.sessions.list
discoveryengine.targetSites.list
dlp.analyzeRiskTemplates.list
dlp.columnDataProfiles.list
dlp.connections.list
dlp.deidentifyTemplates.list
dlp.estimates.list
dlp.fileStoreProfiles.list
dlp.inspectFindings.list
dlp.inspectTemplates.list
dlp.jobTriggers.list
dlp.jobs.list
dlp.locations.list
dlp.projectDataProfiles.list
dlp.storedInfoTypes.list
dlp.subscriptions.list
dlp.tableDataProfiles.list
dns.changes.list
dns.dnsKeys.list
dns.managedZoneOperations.list
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.setIamPolicy
dns.policies.getIamPolicy
dns.policies.list
dns.policies.setIamPolicy
dns.resourceRecordSets.list
dns.responsePolicies.list
dns.responsePolicyRules.list
documentai.dataLabelingJobs.list
documentai.evaluations.list
documentai.labelerPools.list
documentai.locations.list
documentai.processorTypes.list
documentai.processorVersions.list
documentai.processors.list
domains.locations.list
domains.operations.list
domains.registrations.getIamPolicy
domains.registrations.list
domains.registrations.setIamPolicy
earthengine.assets.getIamPolicy
earthengine.assets.list
earthengine.assets.setIamPolicy
earthengine.operations.list
edgecontainer.clusters.getIamPolicy
edgecontainer.clusters.list
edgecontainer.clusters.setIamPolicy
edgecontainer.locations.list
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.machines.setIamPolicy
edgecontainer.nodePools.getIamPolicy
edgecontainer.nodePools.list
edgecontainer.nodePools.setIamPolicy
edgecontainer.operations.list
edgecontainer.vpnConnections.getIamPolicy
edgecontainer.vpnConnections.list
edgecontainer.vpnConnections.setIamPolicy
edgenetwork.interconnectAttachments.getIamPolicy
edgenetwork.interconnectAttachments.list
edgenetwork.interconnectAttachments.setIamPolicy
edgenetwork.interconnects.getIamPolicy
edgenetwork.interconnects.list
edgenetwork.interconnects.setIamPolicy
edgenetwork.locations.list
edgenetwork.networks.getIamPolicy
edgenetwork.networks.list
edgenetwork.networks.setIamPolicy
edgenetwork.operations.list
edgenetwork.routers.getIamPolicy
edgenetwork.routers.list
edgenetwork.routers.setIamPolicy
edgenetwork.routes.list
edgenetwork.subnetworks.getIamPolicy
edgenetwork.subnetworks.list
edgenetwork.subnetworks.setIamPolicy
edgenetwork.zones.list
enterpriseknowledgegraph.entityReconciliationJobs.list
enterprisepurchasing.gcveCuds.list
enterprisepurchasing.gcveNodePricingInfo.list
enterprisepurchasing.locations.list
enterprisepurchasing.operations.list
errorreporting.applications.list
errorreporting.errorEvents.list
errorreporting.groups.list
essentialcontacts.contacts.list
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.setIamPolicy
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.setIamPolicy
eventarc.enrollments.getIamPolicy
eventarc.enrollments.list
eventarc.enrollments.setIamPolicy
eventarc.googleApiSources.getIamPolicy
eventarc.googleApiSources.list
eventarc.googleApiSources.setIamPolicy
eventarc.locations.list
eventarc.messageBuses.getIamPolicy
eventarc.messageBuses.list
eventarc.messageBuses.setIamPolicy
eventarc.operations.list
eventarc.pipelines.getIamPolicy
eventarc.pipelines.list
eventarc.pipelines.setIamPolicy
eventarc.providers.list
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.setIamPolicy
fcmdata.deliverydata.list
file.backups.list
file.instances.list
file.locations.list
file.operations.list
financialservices.locations.list
financialservices.operations.list
financialservices.v1backtests.list
financialservices.v1datasets.list
financialservices.v1engineconfigs.list
financialservices.v1engineversions.list
financialservices.v1instances.list
financialservices.v1models.list
financialservices.v1predictions.list
firebase.clients.list
firebase.links.list
firebase.playLinks.list
firebaseabt.experiments.list
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebasecrashlytics.issues.list
firebasedatabase.instances.list
firebasedataconnect.connectorRevisions.list
firebasedataconnect.connectors.list
firebasedataconnect.locations.list
firebasedataconnect.operations.list
firebasedataconnect.schemaRevisions.list
firebasedataconnect.schemas.list
firebasedataconnect.services.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.list
firebaseextensions.configs.list
firebaseextensionspublisher.extensions.list
firebasehosting.sites.list
firebaseinappmessaging.campaigns.list
firebasemessagingcampaigns.campaigns.list
firebaseml.models.list
firebaseml.modelversions.list
firebasenotifications.messages.list
firebaserules.releases.list
firebaserules.rulesets.list
firebasestorage.buckets.list
fleetengine.deliveryvehicles.list
fleetengine.tasks.list
fleetengine.vehicles.list
gcp.redisenterprise.com/databases.list
gcp.redisenterprise.com/subscriptions.list
gdchardwaremanagement.changeLogEntries.list
gdchardwaremanagement.comments.list
gdchardwaremanagement.hardware.list
gdchardwaremanagement.hardwareGroups.list
gdchardwaremanagement.locations.list
gdchardwaremanagement.operations.list
gdchardwaremanagement.orders.list
gdchardwaremanagement.sites.list
gdchardwaremanagement.skus.list
gdchardwaremanagement.zones.list
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.datasets.setIamPolicy
genomics.operations.list
gkebackup.backupPlans.getIamPolicy
gkebackup.backupPlans.list
gkebackup.backupPlans.setIamPolicy
gkebackup.backups.list
gkebackup.locations.list
gkebackup.operations.list
gkebackup.restorePlans.getIamPolicy
gkebackup.restorePlans.list
gkebackup.restorePlans.setIamPolicy
gkebackup.restores.list
gkebackup.volumeBackups.list
gkebackup.volumeRestores.list
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.setIamPolicy
gkehub.locations.list
gkehub.membershipbindings.list
gkehub.membershipfeatures.list
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.memberships.setIamPolicy
gkehub.namespaces.list
gkehub.operations.list
gkehub.rbacrolebindings.list
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.scopes.setIamPolicy
gkemulticloud.attachedClusters.list
gkemulticloud.awsClusters.list
gkemulticloud.awsNodePools.list
gkemulticloud.azureClients.list
gkemulticloud.azureClusters.list
gkemulticloud.azureNodePools.list
gkemulticloud.operations.list
gkeonprem.bareMetalAdminClusters.getIamPolicy
gkeonprem.bareMetalAdminClusters.list
gkeonprem.bareMetalAdminClusters.setIamPolicy
gkeonprem.bareMetalClusters.getIamPolicy
gkeonprem.bareMetalClusters.list
gkeonprem.bareMetalClusters.setIamPolicy
gkeonprem.bareMetalNodePools.getIamPolicy
gkeonprem.bareMetalNodePools.list
gkeonprem.bareMetalNodePools.setIamPolicy
gkeonprem.locations.list
gkeonprem.operations.list
gkeonprem.vmwareAdminClusters.getIamPolicy
gkeonprem.vmwareAdminClusters.list
gkeonprem.vmwareAdminClusters.setIamPolicy
gkeonprem.vmwareClusters.getIamPolicy
gkeonprem.vmwareClusters.list
gkeonprem.vmwareClusters.setIamPolicy
gkeonprem.vmwareNodePools.getIamPolicy
gkeonprem.vmwareNodePools.list
gkeonprem.vmwareNodePools.setIamPolicy
gsuiteaddons.deployments.list
healthcare.annotationStores.getIamPolicy
healthcare.annotationStores.list
healthcare.annotationStores.setIamPolicy
healthcare.annotations.list
healthcare.attributeDefinitions.list
healthcare.consentArtifacts.list
healthcare.consentStores.getIamPolicy
healthcare.consentStores.list
healthcare.consentStores.setIamPolicy
healthcare.consents.list
healthcare.datasets.getIamPolicy
healthcare.datasets.list
healthcare.datasets.setIamPolicy
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.dicomStores.setIamPolicy
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.list
healthcare.fhirStores.setIamPolicy
healthcare.hl7V2Messages.list
healthcare.hl7V2Stores.getIamPolicy
healthcare.hl7V2Stores.list
healthcare.hl7V2Stores.setIamPolicy
healthcare.locations.list
healthcare.operations.list
healthcare.userDataMappings.list
iam.denypolicies.list
iam.googleapis.com/oauthClientCredentials.list
iam.googleapis.com/oauthClients.list
iam.googleapis.com/workforcePoolProviderKeys.list
iam.googleapis.com/workforcePoolProviders.list
iam.googleapis.com/workforcePools.getIamPolicy
iam.googleapis.com/workforcePools.list
iam.googleapis.com/workforcePools.setIamPolicy
iam.googleapis.com/workloadIdentityPoolProviderKeys.list
iam.googleapis.com/workloadIdentityPoolProviders.list
iam.googleapis.com/workloadIdentityPools.list
iam.policybindings.list
iam.principalaccessboundarypolicies.list
iam.roles.get
iam.roles.list
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.setIamPolicy
iap.tunnel.*
iap.tunnelDestGroups.getIamPolicy
iap.tunnelDestGroups.list
iap.tunnelDestGroups.setIamPolicy
iap.tunnelInstances.getIamPolicy
iap.tunnelInstances.setIamPolicy
iap.tunnelLocations.*
iap.tunnelZones.*
iap.web.getIamPolicy
iap.web.setIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServiceVersions.setIamPolicy
iap.webServices.getIamPolicy
iap.webServices.setIamPolicy
iap.webTypes.getIamPolicy
iap.webTypes.setIamPolicy
identitytoolkit.tenants.getIamPolicy
identitytoolkit.tenants.list
identitytoolkit.tenants.setIamPolicy
ids.endpoints.getIamPolicy
ids.endpoints.list
ids.endpoints.setIamPolicy
ids.locations.list
ids.operations.list
integrations.apigeeAuthConfigs.list
integrations.apigeeCertificates.list
integrations.apigeeExecutions.list
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrations.list
integrations.apigeeSfdcChannels.list
integrations.apigeeSfdcInstances.list
integrations.apigeeSuspensions.list
integrations.authConfigs.list
integrations.certificates.list
integrations.executions.list
integrations.integrationVersions.list
integrations.integrations.list
integrations.securityAuthConfigs.list
integrations.securityExecutions.list
integrations.securityIntegTempVers.list
integrations.securityIntegrationVers.list
integrations.securityIntegrations.list
integrations.sfdcChannels.list
integrations.sfdcInstances.list
integrations.suspensions.list
integrations.testCases.list
issuerswitch.accountManagerTransactions.list
issuerswitch.complaintTransactions.list
issuerswitch.financialTransactions.list
issuerswitch.mandateTransactions.list
issuerswitch.metadataTransactions.list
issuerswitch.operations.list
issuerswitch.ruleMetadata.list
issuerswitch.ruleMetadataValues.list
issuerswitch.rules.list
krmapihosting.krmApiHosts.getIamPolicy
krmapihosting.krmApiHosts.list
krmapihosting.krmApiHosts.setIamPolicy
krmapihosting.locations.list
krmapihosting.operations.list
licensemanager.configurations.list
licensemanager.instances.list
licensemanager.locations.list
licensemanager.operations.list
licensemanager.products.list
lifesciences.operations.list
livestream.assets.list
livestream.channels.list
livestream.clips.list
livestream.events.list
livestream.inputs.list
livestream.locations.list
livestream.operations.list
logging.buckets.list
logging.exclusions.list
logging.links.list
logging.locations.list
logging.logEntries.list
logging.logMetrics.list
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.notificationRules.list
logging.operations.list
logging.privateLogEntries.list
logging.queries.usePrivate
logging.sinks.list
logging.views.getIamPolicy
logging.views.list
logging.views.setIamPolicy
looker.backups.list
looker.instances.list
looker.locations.list
looker.operations.list
managedflink.deployments.list
managedflink.jobs.list
managedflink.locations.list
managedflink.operations.list
managedflink.sessions.list
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.backups.setIamPolicy
managedidentities.domains.getIamPolicy
managedidentities.domains.list
managedidentities.domains.setIamPolicy
managedidentities.locations.list
managedidentities.operations.list
managedidentities.peerings.getIamPolicy
managedidentities.peerings.list
managedidentities.peerings.setIamPolicy
managedidentities.sqlintegrations.list
managedkafka.clusters.list
managedkafka.consumerGroups.list
managedkafka.locations.list
managedkafka.operations.list
managedkafka.topics.list
mapsadmin.clientMaps.list
mapsadmin.clientStyleSheetSnapshots.list
mapsadmin.clientStyles.list
mapsadmin.styleSnapshots.list
mapsanalytics.metricMetadata.list
mapsplatformdatasets.datasets.list
marketplacesolutions.locations.list
marketplacesolutions.operations.list
marketplacesolutions.powerImages.list
marketplacesolutions.powerInstances.list
marketplacesolutions.powerNetworks.list
marketplacesolutions.powerSshKeys.list
marketplacesolutions.powerVolumes.list
memcache.instances.list
memcache.locations.list
memcache.operations.list
memorystore.instances.list
memorystore.locations.list
memorystore.operations.list
metastore.backups.getIamPolicy
metastore.backups.list
metastore.backups.setIamPolicy
metastore.databases.getIamPolicy
metastore.databases.list
metastore.databases.setIamPolicy
metastore.federations.getIamPolicy
metastore.federations.list
metastore.federations.setIamPolicy
metastore.imports.list
metastore.locations.list
metastore.migrations.list
metastore.operations.list
metastore.services.getIamPolicy
metastore.services.list
metastore.services.setIamPolicy
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.setIamPolicy
migrationcenter.assets.list
migrationcenter.discoveryClients.list
migrationcenter.errorFrames.list
migrationcenter.groups.list
migrationcenter.importDataFiles.list
migrationcenter.importJobs.list
migrationcenter.locations.list
migrationcenter.operations.list
migrationcenter.preferenceSets.list
migrationcenter.relations.list
migrationcenter.reportConfigs.list
migrationcenter.reports.list
migrationcenter.sources.list
ml.jobs.getIamPolicy
ml.jobs.list
ml.jobs.setIamPolicy
ml.locations.list
ml.models.getIamPolicy
ml.models.list
ml.models.setIamPolicy
ml.operations.list
ml.studies.getIamPolicy
ml.studies.list
ml.studies.setIamPolicy
ml.trials.list
ml.versions.list
monitoring.alertPolicies.list
monitoring.dashboards.list
monitoring.groups.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.list
monitoring.services.list
monitoring.slos.list
monitoring.snoozes.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.list
netapp.activeDirectories.list
netapp.backupPolicies.list
netapp.backupVaults.list
netapp.backups.list
netapp.kmsConfigs.list
netapp.locations.list
netapp.operations.list
netapp.replications.list
netapp.snapshots.list
netapp.storagePools.list
netapp.volumes.list
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.groups.setIamPolicy
networkconnectivity.hubRouteTables.getIamPolicy
networkconnectivity.hubRouteTables.list
networkconnectivity.hubRouteTables.setIamPolicy
networkconnectivity.hubRoutes.getIamPolicy
networkconnectivity.hubRoutes.list
networkconnectivity.hubRoutes.setIamPolicy
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.hubs.setIamPolicy
networkconnectivity.internalRanges.getIamPolicy
networkconnectivity.internalRanges.list
networkconnectivity.internalRanges.setIamPolicy
networkconnectivity.locations.list
networkconnectivity.operations.list
networkconnectivity.policyBasedRoutes.getIamPolicy
networkconnectivity.policyBasedRoutes.list
networkconnectivity.policyBasedRoutes.setIamPolicy
networkconnectivity.regionalEndpoints.list
networkconnectivity.serviceClasses.list
networkconnectivity.serviceConnectionMaps.list
networkconnectivity.serviceConnectionPolicies.list
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkconnectivity.spokes.setIamPolicy
networkmanagement.connectivitytests.getIamPolicy
networkmanagement.connectivitytests.list
networkmanagement.connectivitytests.setIamPolicy
networkmanagement.locations.list
networkmanagement.operations.list
networkmanagement.vpcflowlogsconfigs.list
networksecurity.addressGroups.getIamPolicy
networksecurity.addressGroups.list
networksecurity.addressGroups.setIamPolicy
networksecurity.authorizationPolicies.getIamPolicy
networksecurity.authorizationPolicies.list
networksecurity.authorizationPolicies.setIamPolicy
networksecurity.authzPolicies.getIamPolicy
networksecurity.authzPolicies.list
networksecurity.authzPolicies.setIamPolicy
networksecurity.clientTlsPolicies.getIamPolicy
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.setIamPolicy
networksecurity.firewallEndpointAssociations.list
networksecurity.firewallEndpoints.list
networksecurity.gatewaySecurityPolicies.list
networksecurity.gatewaySecurityPolicyRules.list
networksecurity.interceptDeploymentGroups.list
networksecurity.interceptDeployments.list
networksecurity.interceptEndpointGroupAssociations.list
networksecurity.interceptEndpointGroups.list
networksecurity.locations.list
networksecurity.mirroringDeploymentGroups.list
networksecurity.mirroringDeployments.list
networksecurity.mirroringEndpointGroupAssociations.list
networksecurity.mirroringEndpointGroups.list
networksecurity.operations.list
networksecurity.securityProfileGroups.list
networksecurity.securityProfiles.list
networksecurity.serverTlsPolicies.getIamPolicy
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.setIamPolicy
networksecurity.tlsInspectionPolicies.list
networksecurity.urlLists.list
networkservices.authzExtensions.list
networkservices.endpointPolicies.list
networkservices.gateways.list
networkservices.grpcRoutes.list
networkservices.httpFilters.list
networkservices.httpRoutes.list
networkservices.httpfilters.getIamPolicy
networkservices.httpfilters.list
networkservices.httpfilters.setIamPolicy
networkservices.lbRouteExtensions.list
networkservices.lbTrafficExtensions.list
networkservices.locations.list
networkservices.meshes.list
networkservices.operations.list
networkservices.route_views.list
networkservices.serviceBindings.list
networkservices.serviceLbPolicies.list
networkservices.tcpRoutes.list
networkservices.tlsRoutes.list
networkservices.wasmPlugins.list
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.environments.setIamPolicy
notebooks.executions.getIamPolicy
notebooks.executions.list
notebooks.executions.setIamPolicy
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.instances.setIamPolicy
notebooks.locations.list
notebooks.operations.list
notebooks.runtimes.getIamPolicy
notebooks.runtimes.list
notebooks.runtimes.setIamPolicy
notebooks.schedules.getIamPolicy
notebooks.schedules.list
notebooks.schedules.setIamPolicy
observability.analyticsViews.list
ondemandscanning.operations.list
opsconfigmonitoring.resourceMetadata.list
oracledatabase.autonomousDatabaseBackups.list
oracledatabase.autonomousDatabaseCharacterSets.list
oracledatabase.autonomousDatabases.list
oracledatabase.autonomousDbVersions.list
oracledatabase.cloudExadataInfrastructures.list
oracledatabase.cloudVmClusters.list
oracledatabase.dbNodes.list
oracledatabase.dbServers.list
oracledatabase.dbSystemShapes.list
oracledatabase.entitlements.list
oracledatabase.giVersions.list
oracledatabase.locations.list
oracledatabase.operations.list
orgpolicy.constraints.list
orgpolicy.customConstraints.list
orgpolicy.policies.list
osconfig.guestPolicies.list
osconfig.instanceOSPoliciesCompliances.list
osconfig.inventories.list
osconfig.locations.list
osconfig.operations.list
osconfig.osPolicyAssignmentReports.list
osconfig.osPolicyAssignments.list
osconfig.patchDeployments.list
osconfig.patchJobs.list
osconfig.policyOrchestrators.list
osconfig.upgradeReports.list
osconfig.vulnerabilityReports.list
parallelstore.instances.list
parallelstore.locations.list
parallelstore.operations.list
parametermanager.locations.list
parametermanager.parameterVersions.list
parametermanager.parameters.list
paymentsresellersubscription.products.list
paymentsresellersubscription.promotions.list
policyremediatormanager.locations.list
policyremediatormanager.operations.list
policysimulator.accessPolicySimulationResults.list
policysimulator.accessPolicySimulations.list
policysimulator.orgPolicyViolations.list
policysimulator.orgPolicyViolationsPreviews.list
policysimulator.replayResults.list
policysimulator.replays.*
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.caPools.setIamPolicy
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateAuthorities.setIamPolicy
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateRevocationLists.setIamPolicy
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificateTemplates.setIamPolicy
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.certificates.setIamPolicy
privateca.locations.list
privateca.operations.list
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
privateca.reusableConfigs.setIamPolicy
privilegedaccessmanager.entitlements.list
privilegedaccessmanager.entitlements.setIamPolicy
privilegedaccessmanager.grants.list
privilegedaccessmanager.locations.list
privilegedaccessmanager.operations.list
proximitybeacon.attachments.list
proximitybeacon.beacons.getIamPolicy
proximitybeacon.beacons.list
proximitybeacon.beacons.setIamPolicy
proximitybeacon.namespaces.getIamPolicy
proximitybeacon.namespaces.list
proximitybeacon.namespaces.setIamPolicy
pubsub.schemas.getIamPolicy
pubsub.schemas.list
pubsub.schemas.setIamPolicy
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.snapshots.setIamPolicy
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.subscriptions.setIamPolicy
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
pubsublite.operations.list
pubsublite.reservations.list
pubsublite.subscriptions.list
pubsublite.topics.list
recaptchaenterprise.firewallpolicies.list
recaptchaenterprise.keys.list
recaptchaenterprise.relatedaccountgroupmemberships.list
recaptchaenterprise.relatedaccountgroups.list
recommender.alloydbClusterPerformanceInsights.list
recommender.alloydbClusterPerformanceRecommendations.list
recommender.alloydbClusterReliabilityInsights.list
recommender.alloydbClusterReliabilityRecommendations.list
recommender.alloydbInstanceSecurityInsights.list
recommender.alloydbInstanceSecurityRecommendations.list
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.bigqueryMaterializedViewInsights.list
recommender.bigqueryMaterializedViewRecommendations.list
recommender.bigqueryPartitionClusterRecommendations.list
recommender.bigqueryTableStatsInsights.list
recommender.cloudAssetInsights.list
recommender.cloudCostGeneralInsights.list
recommender.cloudCostGeneralRecommendations.list
recommender.cloudDeprecationGeneralInsights.list
recommender.cloudDeprecationGeneralRecommendations.list
recommender.cloudFunctionsPerformanceInsights.list
recommender.cloudFunctionsPerformanceRecommendations.list
recommender.cloudManageabilityGeneralInsights.list
recommender.cloudManageabilityGeneralRecommendations.list
recommender.cloudPerformanceGeneralInsights.list
recommender.cloudPerformanceGeneralRecommendations.list
recommender.cloudRecentChangeInsights.list
recommender.cloudRecentChangeRecommendations.list
recommender.cloudReliabilityGeneralInsights.list
recommender.cloudReliabilityGeneralRecommendations.list
recommender.cloudSecurityGeneralInsights.list
recommender.cloudSecurityGeneralRecommendations.list
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceOomProbabilityInsights.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlInstancePerformanceInsights.list
recommender.cloudsqlInstancePerformanceRecommendations.list
recommender.cloudsqlInstanceReliabilityInsights.list
recommender.cloudsqlInstanceReliabilityRecommendations.list
recommender.cloudsqlInstanceSecurityInsights.list
recommender.cloudsqlInstanceSecurityRecommendations.list
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
recommender.commitmentUtilizationInsights.list
recommender.computeAddressIdleResourceInsights.list
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeDiskIdleResourceInsights.list
recommender.computeDiskIdleResourceRecommendations.list
recommender.computeFirewallInsights.list
recommender.computeImageIdleResourceInsights.list
recommender.computeImageIdleResourceRecommendations.list
recommender.computeInstanceCpuUsageInsights.list
recommender.computeInstanceCpuUsagePredictionInsights.list
recommender.computeInstanceCpuUsageTrendInsights.list
recommender.computeInstanceGroupManagerCpuUsageInsights.list
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceGroupManagerMemoryUsageInsights.list
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list
recommender.computeInstanceIdleResourceRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.list
recommender.computeInstanceMemoryUsageInsights.list
recommender.computeInstanceMemoryUsagePredictionInsights.list
recommender.computeInstanceNetworkThroughputInsights.list
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisRecommendations.list
recommender.costInsights.list
recommender.dataflowDiagnosticsInsights.list
recommender.errorReportingInsights.list
recommender.errorReportingRecommendations.list
recommender.firestoreDatabaseReliabilityInsights.list
recommender.firestoreDatabaseReliabilityRecommendations.list
recommender.gmpGuidedExperienceInsights.list
recommender.gmpGuidedExperienceRecommendations.list
recommender.gmpProjectManagementInsights.list
recommender.gmpProjectManagementRecommendations.list
recommender.gmpProjectProductSuggestionsInsights.list
recommender.gmpProjectProductSuggestionsRecommendations.list
recommender.iamPolicyChangeRiskInsights.list
recommender.iamPolicyChangeRiskRecommendations.list
recommender.iamPolicyInsights.list
recommender.iamPolicyLateralMovementInsights.list
recommender.iamPolicyRecommendations.list
recommender.iamServiceAccountChangeRiskInsights.list
recommender.iamServiceAccountChangeRiskRecommendations.list
recommender.iamServiceAccountInsights.list
recommender.locations.list
recommender.loggingProductSuggestionContainerInsights.list
recommender.loggingProductSuggestionContainerRecommendations.list
recommender.monitoringProductSuggestionComputeInsights.list
recommender.monitoringProductSuggestionComputeRecommendations.list
recommender.networkAnalyzerCloudSqlInsights.list
recommender.networkAnalyzerDynamicRouteInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.list
recommender.networkAnalyzerGkeServiceAccountInsights.list
recommender.networkAnalyzerIpAddressInsights.list
recommender.networkAnalyzerLoadBalancerInsights.list
recommender.networkAnalyzerVpcConnectivityInsights.list
recommender.orgPolicyInsights.list
recommender.orgPolicyRecommendations.list
recommender.resourcemanagerProjectChangeRiskInsights.list
recommender.resourcemanagerProjectChangeRiskRecommendations.list
recommender.resourcemanagerProjectUtilizationInsights.list
recommender.resourcemanagerProjectUtilizationRecommendations.list
recommender.resourcemanagerServiceLimitInsights.list
recommender.resourcemanagerServiceLimitRecommendations.list
recommender.runServiceCostInsights.list
recommender.runServiceCostRecommendations.list
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityRecommendations.list
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.list
recommender.runServiceSecurityInsights.list
recommender.runServiceSecurityRecommendations.list
recommender.spannerProjectReliabilityInsights.list
recommender.spannerProjectReliabilityRecommendations.list
recommender.spendBasedCommitmentInsights.list
recommender.spendBasedCommitmentRecommendations.list
recommender.storageBucketSoftDeleteInsights.list
recommender.storageBucketSoftDeleteRecommendations.list
recommender.usageCommitmentRecommendations.list
redis.backupCollections.list
redis.backups.list
redis.clusters.list
redis.instances.list
redis.locations.list
redis.operations.list
remotebuildexecution.instances.list
remotebuildexecution.workerpools.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.hierarchyNodes.listTagBindings
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
resourcemanager.tagHolds.list
resourcemanager.tagKeys.getIamPolicy
resourcemanager.tagKeys.list
resourcemanager.tagKeys.setIamPolicy
resourcemanager.tagValues.getIamPolicy
resourcemanager.tagValues.list
resourcemanager.tagValues.setIamPolicy
resourcesettings.settings.list
retail.branches.list
retail.catalogs.list
retail.controls.list
retail.experiments.list
retail.models.list
retail.operations.list
retail.products.list
retail.servingConfigs.list
riskmanager.controlScoreBreakdowns.list
riskmanager.operations.list
riskmanager.policies.list
riskmanager.reports.list
rma.collectors.list
rma.locations.list
rma.operations.list
run.configurations.list
run.executions.list
run.jobs.getIamPolicy
run.jobs.list
run.jobs.setIamPolicy
run.locations.list
run.operations.list
run.revisions.list
run.routes.list
run.services.getIamPolicy
run.services.list
run.services.setIamPolicy
run.tasks.list
runapps.applications.list
runapps.deployments.list
runapps.locations.list
runapps.operations.list
runtimeconfig.configs.getIamPolicy
runtimeconfig.configs.list
runtimeconfig.configs.setIamPolicy
runtimeconfig.operations.list
runtimeconfig.variables.getIamPolicy
runtimeconfig.variables.list
runtimeconfig.variables.setIamPolicy
runtimeconfig.waiters.getIamPolicy
runtimeconfig.waiters.list
runtimeconfig.waiters.setIamPolicy
secretmanager.locations.list
secretmanager.secrets.getIamPolicy
secretmanager.secrets.list
secretmanager.secrets.setIamPolicy
secretmanager.versions.list
securedlandingzone.overwatches.list
securesourcemanager.branchRules.list
securesourcemanager.instances.getIamPolicy
securesourcemanager.instances.list
securesourcemanager.instances.setIamPolicy
securesourcemanager.locations.list
securesourcemanager.operations.list
securesourcemanager.repositories.getIamPolicy
securesourcemanager.repositories.list
securesourcemanager.repositories.setIamPolicy
securesourcemanager.sshkeys.list
securitycenter.assets.list
securitycenter.attackpaths.list
securitycenter.bigQueryExports.list
securitycenter.compliancesnapshots.list
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.findings.list
securitycenter.muteconfigs.list
securitycenter.notificationconfig.list
securitycenter.resourcevalueconfigs.list
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.sources.getIamPolicy
securitycenter.sources.list
securitycenter.sources.setIamPolicy
securitycenter.valuedresources.list
securitycenter.vulnerabilitysnapshots.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securityposture.locations.list
securityposture.operations.list
securityposture.postureDeployments.list
securityposture.postureTemplates.list
securityposture.postures.list
securityposture.reports.list
servicebroker.bindingoperations.list
servicebroker.bindings.getIamPolicy
servicebroker.bindings.list
servicebroker.bindings.setIamPolicy
servicebroker.catalogs.getIamPolicy
servicebroker.catalogs.list
servicebroker.catalogs.setIamPolicy
servicebroker.instanceoperations.list
servicebroker.instances.getIamPolicy
servicebroker.instances.list
servicebroker.instances.setIamPolicy
serviceconsumermanagement.tenancyu.list
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.endpoints.setIamPolicy
servicedirectory.locations.list
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.namespaces.setIamPolicy
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicedirectory.services.setIamPolicy
servicehealth.events.list
servicehealth.locations.list
servicehealth.organizationEvents.list
servicehealth.organizationImpacts.list
servicemanagement.services.getIamPolicy
servicemanagement.services.list
servicemanagement.services.setIamPolicy
servicenetworking.operations.list
servicesecurityinsights.clusterSecurityInfo.list
servicesecurityinsights.securityInfo.list
servicesecurityinsights.workloadPolicies.list
serviceusage.services.list
source.repos.getIamPolicy
source.repos.list
source.repos.setIamPolicy
spanner.backupOperations.list
spanner.backupSchedules.getIamPolicy
spanner.backupSchedules.list
spanner.backupSchedules.setIamPolicy
spanner.backups.getIamPolicy
spanner.backups.list
spanner.backups.setIamPolicy
spanner.databaseOperations.list
spanner.databaseRoles.list
spanner.databases.getIamPolicy
spanner.databases.list
spanner.databases.setIamPolicy
spanner.instanceConfigOperations.list
spanner.instanceConfigs.list
spanner.instanceOperations.list
spanner.instancePartitionOperations.list
spanner.instancePartitions.list
spanner.instances.getIamPolicy
spanner.instances.list
spanner.instances.setIamPolicy
spanner.sessions.list
speakerid.phrases.list
speakerid.speakers.list
speech.customClasses.list
speech.locations.list
speech.operations.list
speech.phraseSets.list
speech.recognizers.list
stackdriver.resourceMetadata.list
storage.anywhereCaches.list
storage.bucketOperations.list
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
storage.folders.list
storage.hmacKeys.list
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy
storage.multipartUploads.list
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storageinsights.datasetConfigs.list
storageinsights.locations.list
storageinsights.operations.list
storageinsights.reportConfigs.list
storageinsights.reportDetails.list
storagetransfer.agentpools.list
storagetransfer.jobs.list
storagetransfer.operations.list
stream.locations.list
stream.operations.list
stream.streamContents.list
stream.streamInstances.list
telcoautomation.blueprints.list
telcoautomation.deployments.list
telcoautomation.edgeSlms.list
telcoautomation.hydratedDeployments.list
telcoautomation.locations.list
telcoautomation.operations.list
telcoautomation.orchestrationClusters.list
telcoautomation.publicBlueprints.list
timeseriesinsights.datasets.list
timeseriesinsights.locations.list
tpu.acceleratortypes.list
tpu.locations.list
tpu.nodes.list
tpu.operations.list
tpu.runtimeversions.list
tpu.tensorflowversions.list
transcoder.jobTemplates.list
transcoder.jobs.list
transferappliance.appliances.list
transferappliance.locations.list
transferappliance.operations.list
transferappliance.orders.list
transferappliance.savedAddresses.list
translationhub.portals.list
videostitcher.cdnKeys.list
videostitcher.liveAdTagDetails.list
videostitcher.liveConfigs.list
videostitcher.operations.list
videostitcher.slates.list
videostitcher.vodAdTagDetails.list
videostitcher.vodConfigs.list
videostitcher.vodStitchDetails.list
visionai.analyses.getIamPolicy
visionai.analyses.list
visionai.analyses.setIamPolicy
visionai.annotations.list
visionai.applications.list
visionai.assets.list
visionai.clusters.getIamPolicy
visionai.clusters.list
visionai.clusters.setIamPolicy
visionai.corpora.list
visionai.dataSchemas.list
visionai.drafts.list
visionai.events.getIamPolicy
visionai.events.list
visionai.events.setIamPolicy
visionai.indexEndpoints.list
visionai.indexes.list
visionai.instances.list
visionai.locations.list
visionai.operations.list
visionai.operators.getIamPolicy
visionai.operators.list
visionai.operators.setIamPolicy
visionai.processors.list
visionai.searchConfigs.list
visionai.series.getIamPolicy
visionai.series.list
visionai.series.setIamPolicy
visionai.streams.getIamPolicy
visionai.streams.list
visionai.streams.setIamPolicy
visionai.uistreams.list
visualinspection.annotationSets.list
visualinspection.annotationSpecs.list
visualinspection.annotations.list
visualinspection.datasets.list
visualinspection.images.list
visualinspection.locations.list
visualinspection.modelEvaluations.list
visualinspection.models.list
visualinspection.modules.list
visualinspection.operations.list
visualinspection.solutionArtifacts.list
visualinspection.solutions.list
vmmigration.cloneJobs.list
vmmigration.cutoverJobs.list
vmmigration.datacenterConnectors.list
vmmigration.deployments.list
vmmigration.groups.list
vmmigration.locations.list
vmmigration.migratingVms.list
vmmigration.operations.list
vmmigration.replicationCycles.list
vmmigration.sources.list
vmmigration.targets.list
vmmigration.utilizationReports.list
vmwareengine.clusters.getIamPolicy
vmwareengine.clusters.list
vmwareengine.clusters.setIamPolicy
vmwareengine.externalAccessRules.list
vmwareengine.externalAddresses.list
vmwareengine.hcxActivationKeys.getIamPolicy
vmwareengine.hcxActivationKeys.list
vmwareengine.hcxActivationKeys.setIamPolicy
vmwareengine.locations.list
vmwareengine.loggingServers.list
vmwareengine.managementDnsZoneBindings.list
vmwareengine.networkPeerings.list
vmwareengine.networkPolicies.list
vmwareengine.nodeTypes.list
vmwareengine.nodes.list
vmwareengine.operations.list
vmwareengine.privateClouds.getIamPolicy
vmwareengine.privateClouds.list
vmwareengine.privateClouds.setIamPolicy
vmwareengine.privateConnections.list
vmwareengine.subnets.list
vmwareengine.vmwareEngineNetworks.list
vpcaccess.connectors.list
vpcaccess.locations.list
vpcaccess.operations.list
workflows.callbacks.list
workflows.executions.list
workflows.locations.list
workflows.operations.list
workflows.stepEntries.list
workflows.workflows.list
workloadcertificate.locations.list
workloadcertificate.operations.list
workloadcertificate.workloadRegistrations.list
workloadmanager.actuations.list
workloadmanager.deployments.list
workloadmanager.discoveredprofiles.list
workloadmanager.evaluations.list
workloadmanager.executions.list
workloadmanager.locations.list
workloadmanager.operations.list
workloadmanager.results.list
workloadmanager.rules.list
workstations.workstationClusters.list
workstations.workstationConfigs.getIamPolicy
workstations.workstationConfigs.list
workstations.workstationConfigs.setIamPolicy
workstations.workstations.getIamPolicy
workstations.workstations.list
workstations.workstations.setIamPolicy
Security Reviewer
(roles/iam.securityReviewer)
Provides permissions to list all resources and allow policies on them.
accessapproval.requests.list
accesscontextmanager.accessLevels.list
accesscontextmanager.authorizedOrgsDescs.list
accesscontextmanager.gcpUserAccessBindings.list
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.list
actions.agentVersions.list
advisorynotifications.notifications.*
aiplatform.agentExamples.list
aiplatform.agents.list
aiplatform.annotationSpecs.list
aiplatform.annotations.list
aiplatform.apps.list
aiplatform.artifacts.list
aiplatform.batchPredictionJobs.list
aiplatform.cachedContents.list
aiplatform.contexts.list
aiplatform.customJobs.list
aiplatform.dataItems.list
aiplatform.dataLabelingJobs.list
aiplatform.datasetVersions.list
aiplatform.datasets.list
aiplatform.deploymentResourcePools.list
aiplatform.edgeDeploymentJobs.list
aiplatform.edgeDevices.list
aiplatform.endpoints.getIamPolicy
aiplatform.endpoints.list
aiplatform.entityTypes.getIamPolicy
aiplatform.entityTypes.list
aiplatform.executions.list
aiplatform.extensions.list
aiplatform.featureGroups.list
aiplatform.featureOnlineStores.getIamPolicy
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.list
aiplatform.featureViews.getIamPolicy
aiplatform.featureViews.list
aiplatform.features.list
aiplatform.featurestores.getIamPolicy
aiplatform.featurestores.list
aiplatform.humanInTheLoops.list
aiplatform.hyperparameterTuningJobs.list
aiplatform.indexEndpoints.list
aiplatform.indexes.list
aiplatform.locations.list
aiplatform.metadataSchemas.list
aiplatform.metadataStores.list
aiplatform.modelDeploymentMonitoringJobs.list
aiplatform.modelEvaluationSlices.list
aiplatform.modelEvaluations.list
aiplatform.modelMonitoringJobs.list
aiplatform.modelMonitors.list
aiplatform.models.list
aiplatform.nasJobs.list
aiplatform.nasTrialDetails.list
aiplatform.notebookExecutionJobs.list
aiplatform.notebookRuntimeTemplates.getIamPolicy
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimes.list
aiplatform.operations.list
aiplatform.persistentResources.list
aiplatform.pipelineJobs.list
aiplatform.reasoningEngines.list
aiplatform.schedules.list
aiplatform.sessions.list
aiplatform.specialistPools.list
aiplatform.studies.list
aiplatform.tensorboardExperiments.list
aiplatform.tensorboardRuns.list
aiplatform.tensorboardTimeSeries.list
aiplatform.tensorboards.list
aiplatform.trainingPipelines.list
aiplatform.trials.list
aiplatform.tuningJobs.list
alloydb.backups.list
alloydb.clusters.list
alloydb.databases.list
alloydb.instances.list
alloydb.locations.list
alloydb.operations.list
alloydb.supportedDatabaseFlags.list
alloydb.users.list
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.subscriptions.list
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.locations.list
apigateway.operations.list
apigee.apiproductattributes.list
apigee.apiproducts.list
apigee.appgroupapps.list
apigee.appgroups.list
apigee.apps.list
apigee.archivedeployments.list
apigee.caches.list
apigee.datacollectors.list
apigee.datastores.list
apigee.deployments.getIamPolicy
apigee.deployments.list
apigee.developerappattributes.list
apigee.developerapps.list
apigee.developerattributes.list
apigee.developers.list
apigee.developersubscriptions.list
apigee.endpointattachments.list
apigee.envgroupattachments.list
apigee.envgroups.list
apigee.environments.getIamPolicy
apigee.environments.list
apigee.exports.list
apigee.flowhooks.list
apigee.hostqueries.list
apigee.hostsecurityreports.list
apigee.instanceattachments.list
apigee.instances.list
apigee.keystorealiases.list
apigee.keystores.list
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.list
apigee.nataddresses.list
apigee.operations.list
apigee.organizations.list
apigee.portals.list
apigee.proxies.list
apigee.proxyrevisions.list
apigee.queries.list
apigee.rateplans.list
apigee.references.list
apigee.reports.list
apigee.resourcefiles.list
apigee.securityActions.list
apigee.securityFeedback.list
apigee.securityIncidents.list
apigee.securityProfiles.list
apigee.securityProfilesV2.list
apigee.securityreports.list
apigee.sharedflowrevisions.list
apigee.sharedflows.list
apigee.targetservers.list
apigee.traceconfigoverrides.list
apigee.tracesessions.list
apigeeconnect.connections.list
apigeeregistry.apis.getIamPolicy
apigeeregistry.apis.list
apigeeregistry.artifacts.getIamPolicy
apigeeregistry.artifacts.list
apigeeregistry.deployments.list
apigeeregistry.locations.list
apigeeregistry.operations.list
apigeeregistry.specs.getIamPolicy
apigeeregistry.specs.list
apigeeregistry.versions.getIamPolicy
apigeeregistry.versions.list
apihub.apiHubInstances.list
apihub.apiOperations.list
apihub.apis.list
apihub.attributes.list
apihub.definitions.list
apihub.dependencies.list
apihub.deployments.list
apihub.externalApis.list
apihub.hostProjectRegistrations.list
apihub.llmEnablements.list
apihub.operations.list
apihub.plugins.list
apihub.runTimeProjectAttachments.list
apihub.specs.list
apihub.versions.list
apikeys.keys.list
apim.apiObservations.list
apim.apiOperations.list
apim.locations.list
apim.observationJobs.list
apim.observationSources.list
apim.operations.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
apphub.applications.getIamPolicy
apphub.applications.list
apphub.discoveredServices.list
apphub.discoveredWorkloads.list
apphub.locations.list
apphub.operations.list
apphub.serviceProjectAttachments.list
apphub.services.list
apphub.workloads.list
applianceactivation.rttCommands.list
artifactregistry.attachments.list
artifactregistry.dockerimages.list
artifactregistry.files.list
artifactregistry.locations.list
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.list
artifactregistry.packages.list
artifactregistry.pythonpackages.list
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.list
artifactregistry.rules.list
artifactregistry.tags.list
artifactregistry.versions.list
assuredoss.locations.list
assuredoss.metadata.list
assuredoss.operations.list
assuredworkloads.operations.list
assuredworkloads.updates.list
assuredworkloads.violations.list
assuredworkloads.workload.list
auditmanager.auditReports.list
auditmanager.controlReports.list
auditmanager.controls.list
auditmanager.customComplianceFrameworks.list
auditmanager.findings.list
auditmanager.locations.list
auditmanager.operations.list
auditmanager.resourceEnrollmentStatuses.list
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.examples.list
automl.files.list
automl.humanAnnotationTasks.list
automl.locations.getIamPolicy
automl.locations.list
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.operations.list
automl.tableSpecs.list
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.list
automlrecommendations.eventStores.list
automlrecommendations.events.list
automlrecommendations.placements.list
automlrecommendations.recommendations.list
autoscaling.sites.getIamPolicy
backupdr.backupPlanAssociations.list
backupdr.backupPlans.list
backupdr.backupVaults.list
backupdr.bvbackups.list
backupdr.bvdataSources.list
backupdr.locations.list
backupdr.managementServers.getIamPolicy
backupdr.managementServers.list
backupdr.operations.list
backupdr.resourceBackupConfigs.list
baremetalsolution.instancequotas.list
baremetalsolution.instances.list
baremetalsolution.luns.list
baremetalsolution.maintenanceevents.list
baremetalsolution.networkquotas.list
baremetalsolution.networks.list
baremetalsolution.nfsshares.list
baremetalsolution.osimages.list
baremetalsolution.pods.list
baremetalsolution.procurements.list
baremetalsolution.skus.list
baremetalsolution.snapshotschedulepolicies.list
baremetalsolution.sshKeys.list
baremetalsolution.storageaggregatepools.list
baremetalsolution.volumequotas.list
baremetalsolution.volumes.list
baremetalsolution.volumesnapshots.list
batch.jobs.list
batch.locations.list
batch.operations.list
batch.resourceAllowances.list
batch.tasks.list
beyondcorp.appConnections.getIamPolicy
beyondcorp.appConnections.list
beyondcorp.appConnectors.getIamPolicy
beyondcorp.appConnectors.list
beyondcorp.appGateways.getIamPolicy
beyondcorp.appGateways.list
beyondcorp.clientConnectorServices.getIamPolicy
beyondcorp.clientConnectorServices.list
beyondcorp.clientGateways.getIamPolicy
beyondcorp.clientGateways.list
beyondcorp.locations.list
beyondcorp.operations.list
beyondcorp.partnerTenants.list
beyondcorp.proxyConfigs.list
beyondcorp.subscriptions.list
biglake.catalogs.list
biglake.databases.list
biglake.locks.list
biglake.tables.list
bigquery.capacityCommitments.list
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.datasets.getIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.reservationAssignments.list
bigquery.reservations.list
bigquery.routines.list
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.savedqueries.list
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquerymigration.subtasks.list
bigquerymigration.workflows.list
bigtable.appProfiles.list
bigtable.authorizedViews.getIamPolicy
bigtable.authorizedViews.list
bigtable.backups.getIamPolicy
bigtable.backups.list
bigtable.clusters.list
bigtable.hotTablets.list
bigtable.instances.getIamPolicy
bigtable.instances.list
bigtable.keyvisualizer.list
bigtable.locations.list
bigtable.tables.getIamPolicy
bigtable.tables.list
billing.accounts.getIamPolicy
billing.accounts.list
billing.anomalies.list
billing.billingAccountPrices.list
billing.billingAccountServices.list
billing.billingAccountSkuGroupSkus.list
billing.billingAccountSkuGroups.list
billing.billingAccountSkus.list
billing.budgets.list
billing.credits.list
billing.resourceAssociations.list
billing.subscriptions.list
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.continuousValidationConfig.getIamPolicy
binaryauthorization.platformPolicies.list
binaryauthorization.policy.getIamPolicy
blockchainnodeengine.blockchainNodes.list
blockchainnodeengine.locations.list
blockchainnodeengine.operations.list
blockchainvalidatormanager.blockchainValidatorConfigs.list
blockchainvalidatormanager.locations.list
blockchainvalidatormanager.operations.list
capacityplanner.forecasts.list
capacityplanner.usageHistories.list
carestudio.patients.list
certificatemanager.certissuanceconfigs.list
certificatemanager.certmapentries.list
certificatemanager.certmaps.list
certificatemanager.certs.list
certificatemanager.dnsauthorizations.list
certificatemanager.locations.list
certificatemanager.operations.list
certificatemanager.trustconfigs.list
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.collectors.list
chronicle.conversations.list
chronicle.curatedRuleSetCategories.list
chronicle.curatedRuleSetDeployments.list
chronicle.curatedRuleSets.list
chronicle.curatedRules.list
chronicle.dashboardCharts.list
chronicle.dashboardQueries.list
chronicle.dashboards.list
chronicle.dataAccessLabels.list
chronicle.dataAccessScopes.list
chronicle.dataTableRows.list
chronicle.dataTables.list
chronicle.dataTaps.list
chronicle.enrichmentControls.list
chronicle.entities.list
chronicle.errorNotificationConfigs.list
chronicle.extensionValidationReports.list
chronicle.feedSourceTypeSchemas.list
chronicle.feeds.list
chronicle.findingsRefinementDeployments.list
chronicle.findingsRefinements.list
chronicle.forwarders.list
chronicle.ingestionLogLabels.list
chronicle.ingestionLogNamespaces.list
chronicle.iocMatches.list
chronicle.logTypeSchemas.list
chronicle.logTypes.list
chronicle.logs.list
chronicle.messages.list
chronicle.nativeDashboards.list
chronicle.operations.list
chronicle.parserExtensions.list
chronicle.parsers.list
chronicle.parsingErrors.list
chronicle.referenceLists.list
chronicle.retrohunts.list
chronicle.ruleDeployments.list
chronicle.ruleExecutionErrors.list
chronicle.rules.list
chronicle.searchQueries.list
chronicle.validationErrors.list
chronicle.watchlists.list
chroniclesm.gcpAssociations.list
clientauthconfig.brands.list
clientauthconfig.clients.list
cloud.locations.list
cloudaicompanion.codeRepositoryIndexes.list
cloudaicompanion.operations.list
cloudaicompanion.repositoryGroups.getIamPolicy
cloudaicompanion.repositoryGroups.list
cloudasset.feeds.list
cloudasset.savedqueries.list
cloudbuild.builds.list
cloudbuild.connections.getIamPolicy
cloudbuild.connections.list
cloudbuild.integrations.list
cloudbuild.operations.list
cloudbuild.repositories.list
cloudbuild.workerpools.list
cloudcontrolspartner.accessapprovalrequests.list
cloudcontrolspartner.customers.list
cloudcontrolspartner.violations.list
cloudcontrolspartner.workloads.list
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
clouddeploy.automationRuns.list
clouddeploy.automations.list
clouddeploy.customTargetTypes.getIamPolicy
clouddeploy.customTargetTypes.list
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deployPolicies.list
clouddeploy.jobRuns.list
clouddeploy.locations.list
clouddeploy.operations.list
clouddeploy.releases.list
clouddeploy.rollouts.list
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.locations.list
cloudfunctions.operations.list
cloudjobdiscovery.companies.list
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.ekmConfigs.getIamPolicy
cloudkms.ekmConnections.getIamPolicy
cloudkms.ekmConnections.list
cloudkms.importJobs.getIamPolicy
cloudkms.importJobs.list
cloudkms.keyHandles.list
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudkms.locations.list
cloudnotifications.activities.list
cloudonefs.isiloncloud.com/clusters.list
cloudonefs.isiloncloud.com/fileshares.list
cloudprivatecatalogproducer.associations.list
cloudprivatecatalogproducer.catalogAssociations.list
cloudprivatecatalogproducer.catalogs.getIamPolicy
cloudprivatecatalogproducer.catalogs.list
cloudprivatecatalogproducer.producerCatalogs.getIamPolicy
cloudprivatecatalogproducer.producerCatalogs.list
cloudprivatecatalogproducer.products.getIamPolicy
cloudprivatecatalogproducer.products.list
cloudprofiler.profiles.list
cloudscheduler.jobs.list
cloudscheduler.locations.list
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.list
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.list
cloudsql.sslCerts.list
cloudsql.users.list
cloudsupport.accounts.getIamPolicy
cloudsupport.accounts.list
cloudsupport.techCases.list
cloudtasks.locations.list
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.tasks.list
cloudtestservice.devicesession.list
cloudtoolresults.executions.list
cloudtoolresults.histories.list
cloudtoolresults.steps.list
cloudtrace.insights.list
cloudtrace.tasks.list
cloudtrace.traceScopes.list
cloudtrace.traces.list
cloudtranslate.adaptiveMtDatasets.list
cloudtranslate.adaptiveMtFiles.list
cloudtranslate.adaptiveMtSentences.list
cloudtranslate.customModels.list
cloudtranslate.datasets.list
cloudtranslate.glossaries.list
cloudtranslate.glossaryentries.list
cloudtranslate.locations.list
cloudtranslate.operations.list
cloudvolumesgcp-api.netapp.com/activeDirectories.list
cloudvolumesgcp-api.netapp.com/ipRanges.list
cloudvolumesgcp-api.netapp.com/jobs.list
cloudvolumesgcp-api.netapp.com/regions.list
cloudvolumesgcp-api.netapp.com/serviceLevels.list
cloudvolumesgcp-api.netapp.com/snapshots.list
cloudvolumesgcp-api.netapp.com/volumereplication.list
cloudvolumesgcp-api.netapp.com/volumes.list
commerceagreementpublishing.agreements.list
commerceagreementpublishing.documents.list
commercebusinessenablement.operations.list
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.refunds.list
commercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.list
commercebusinessenablement.resellerRestrictions.list
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.list
commerceorggovernance.collectionRequestApprovals.list
commerceorggovernance.collections.list
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.services.list
commerceprice.events.list
commerceprice.privateoffers.list
composer.dags.list
composer.environments.list
composer.imageversions.list
composer.operations.list
composer.userworkloadsconfigmaps.list
composer.userworkloadssecrets.list
compute.acceleratorTypes.list
compute.addresses.list
compute.autoscalers.list
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.list
compute.diskTypes.list
compute.disks.getIamPolicy
compute.disks.list
compute.externalVpnGateways.list
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.list
compute.forwardingRules.list
compute.futureReservations.getIamPolicy
compute.futureReservations.list
compute.globalAddresses.list
compute.globalForwardingRules.list
compute.globalNetworkEndpointGroups.list
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.images.getIamPolicy
compute.images.list
compute.instanceGroupManagers.list
compute.instanceGroups.list
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.getIamPolicy
compute.instances.list
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.interconnectAttachments.list
compute.interconnectLocations.list
compute.interconnectRemoteLocations.list
compute.interconnects.list
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.list
compute.multiMig.list
compute.networkAttachments.getIamPolicy
compute.networkAttachments.list
compute.networkEdgeSecurityServices.list
compute.networkEndpointGroups.list
compute.networkProfiles.list
compute.networks.list
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.list
compute.packetMirrorings.list
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.list
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.list
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSecurityPolicies.list
compute.regionSslCertificates.list
compute.regionSslPolicies.list
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.list
compute.regionTargetTcpProxies.list
compute.regionUrlMaps.list
compute.regions.list
compute.reservationBlocks.list
compute.reservations.list
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.routers.list
compute.routes.list
compute.securityPolicies.list
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.list
compute.sslPolicies.list
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.list
compute.targetHttpProxies.list
compute.targetHttpsProxies.list
compute.targetInstances.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.list
confidentialcomputing.locations.list
config.deployments.getIamPolicy
config.deployments.list
config.locations.list
config.operations.list
config.previews.list
config.resources.list
config.revisions.list
config.terraformversions.list
configdelivery.fleetPackages.list
configdelivery.locations.list
configdelivery.operations.list
configdelivery.releases.list
configdelivery.resourceBundles.list
configdelivery.rollouts.list
connectors.actions.list
connectors.connections.getIamPolicy
connectors.connections.list
connectors.connectors.list
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.endpointAttachments.getIamPolicy
connectors.endpointAttachments.list
connectors.entities.list
connectors.entityTypes.list
connectors.eventSubscriptions.list
connectors.eventtypes.list
connectors.locations.list
connectors.managedZones.getIamPolicy
connectors.managedZones.list
connectors.operations.list
connectors.providers.list
connectors.versions.list
consumerprocurement. accounts. list
consumerprocurement. consents. list
consumerprocurement. entitlements. list
consumerprocurement. events. list
consumerprocurement. freeTrials. list
consumerprocurement. orderAttributions. list
consumerprocurement. orders. list
contactcenteraiplatform. contactCenters. list
contactcenteraiplatform. locations. list
contactcenteraiplatform. operations. list
contactcenterinsights. analyses. list
contactcenterinsights. analysisRules. list
contactcenterinsights. conversations. list
contactcenterinsights. faqEntries. list
contactcenterinsights. faqModels. list
contactcenterinsights. feedbackLabels. list
contactcenterinsights. issueModels. list
contactcenterinsights. issues. list
contactcenterinsights. operations. list
contactcenterinsights. phraseMatchers. list
contactcenterinsights. qaQuestions. list
contactcenterinsights. qaScorecardRevisions. list
contactcenterinsights. qaScorecards. list
contactcenterinsights. views. list
container.apiServices.list
container.auditSinks.list
container.backendConfigs.list
container.bindings.list
container.certificateSigningRequests.list
container.clusterRoleBindings.list
container.clusterRoles.list
container.clusters.list
container.componentStatuses.list
container.configMaps.list
container.controllerRevisions.list
container.cronJobs.list
container.csiDrivers.list
container.csiNodeInfos.list
container.csiNodes.list
container.customResourceDefinitions.list
container.daemonSets.list
container.deployments.list
container.endpointSlices.list
container.endpoints.list
container.events.list
container.frontendConfigs.list
container.horizontalPodAutoscalers.list
container.ingresses.list
container.initializerConfigurations.list
container.jobs.list
container.leases.list
container.limitRanges.list
container.localSubjectAccessReviews.list
container.managedCertificates.list
container.mutatingWebhookConfigurations.list
container.namespaces.list
container.networkPolicies.list
container.nodes.list
container.operations.list
container.persistentVolumeClaims.list
container.persistentVolumes.list
container.petSets.list
container.podDisruptionBudgets.list
container.podPresets.list
container.podSecurityPolicies.list
container.podTemplates.list
container.pods.list
container.priorityClasses.list
container.replicaSets.list
container.replicationControllers.list
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.runtimeClasses.list
container.scheduledJobs.list
container.selfSubjectAccessReviews.list
container.serviceAccounts.list
container.services.list
container.statefulSets.list
container.storageClasses.list
container.storageStates.list
container.storageVersionMigrations.list
container.subjectAccessReviews.list
container.thirdPartyObjects.list
container.thirdPartyResources.list
container.updateInfos.list
container.validatingWebhookConfigurations.list
container.volumeAttachments.list
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.list
container.volumeSnapshots.list
containeranalysis.notes.getIamPolicy
containeranalysis.notes.list
containeranalysis.occurrences.getIamPolicy
containeranalysis.occurrences.list
containersecurity.clusterSummaries.list
containersecurity.findings.list
containersecurity.locations.list
contentwarehouse.corpora.list
contentwarehouse.documentSchemas.list
contentwarehouse.documents.getIamPolicy
contentwarehouse.documents.list
contentwarehouse.ruleSets.list
contentwarehouse.synonymSets.list
databasecenter.*
databaseinsights.locations.list
datacatalog.categories.getIamPolicy
datacatalog.entries.getIamPolicy
datacatalog.entries.list
datacatalog.entryGroups.getIamPolicy
datacatalog.entryGroups.list
datacatalog.operations.list
datacatalog.relationships.list
datacatalog.tagTemplates.getIamPolicy
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
dataconnectors.connectors.getIamPolicy
dataconnectors.connectors.list
dataconnectors.locations.list
dataconnectors.operations.list
dataflow.jobs.list
dataflow.messages.list
dataflow.snapshots.list
dataform.compilationResults.list
dataform.locations.list
dataform.releaseConfigs.list
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.workflowConfigs.list
dataform.workflowInvocations.list
dataform.workspaces.getIamPolicy
dataform.workspaces.list
datafusion.artifacts.list
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.locations.list
datafusion.operations.list
datafusion.pipelineConnections.list
datafusion.pipelines.list
datafusion.profiles.list
datafusion.secureKeys.list
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.list
datalabeling.dataitems.list
datalabeling.datasets.list
datalabeling.examples.list
datalabeling.instructions.list
datalabeling.operations.list
datalineage.events.list
datalineage.processes.list
datalineage.runs.list
datamigration.connectionprofiles.getIamPolicy
datamigration.connectionprofiles.list
datamigration.conversionworkspaces.getIamPolicy
datamigration.conversionworkspaces.list
datamigration.locations.list
datamigration.mappingrules.getIamPolicy
datamigration.migrationjobs.getIamPolicy
datamigration.migrationjobs.list
datamigration.objects.list
datamigration.operations.list
datamigration.privateconnections.getIamPolicy
datamigration.privateconnections.list
datapipelines.jobs.list
datapipelines.pipelines.list
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.assetActions.list
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.dataAttributeBindings.getIamPolicy
dataplex.dataAttributeBindings.list
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.encryptionConfig.list
dataplex.entities.list
dataplex.entries.list
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.lakeActions.list
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.locations.list
dataplex.metadataJobs.list
dataplex.operations.list
dataplex.partitions.list
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.zoneActions.list
dataplex.zones.getIamPolicy
dataplex.zones.list
dataproc.agents.list
dataproc.autoscalingPolicies.getIamPolicy
dataproc.autoscalingPolicies.list
dataproc.batches.list
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.sessionTemplates.list
dataproc.sessions.list
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.list
dataprocessing.datasources.list
dataprocessing.featurecontrols.list
dataprocessing.groupcontrols.list
dataprocrm.locations.list
dataprocrm.nodePools.list
dataprocrm.nodes.list
dataprocrm.operations.list
dataprocrm.workloads.list
datastore.backupSchedules.list
datastore.backups.list
datastore.databases.list
datastore.entities.list
datastore.indexes.list
datastore.keyVisualizerScans.list
datastore.locations.list
datastore.namespaces.list
datastore.operations.list
datastore.statistics.list
datastream.connectionProfiles.getIamPolicy
datastream.connectionProfiles.list
datastream.locations.list
datastream.objects.list
datastream.operations.list
datastream.privateConnections.getIamPolicy
datastream.privateConnections.list
datastream.routes.getIamPolicy
datastream.routes.list
datastream.streams.getIamPolicy
datastream.streams.list
datastudio.datasources.getIamPolicy
datastudio.reports.getIamPolicy
datastudio.workspaces.getIamPolicy
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.getIamPolicy
deploymentmanager.deployments.list
deploymentmanager.manifests.list
deploymentmanager.operations.list
deploymentmanager.resources.list
deploymentmanager.typeProviders.list
deploymentmanager.types.list
developerconnect.connections.list
developerconnect.gitRepositoryLinks.list
developerconnect.locations.list
developerconnect.operations.list
dialogflow.agents.list
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.list
dialogflow.contexts.list
dialogflow.conversationDatasets.list
dialogflow.conversationModels.list
dialogflow.conversationProfiles.list
dialogflow.conversations.list
dialogflow.deployments.list
dialogflow.documents.list
dialogflow.entityTypes.list
dialogflow.environments.list
dialogflow.examples.list
dialogflow.experiments.list
dialogflow.flows.list
dialogflow.generators.list
dialogflow.integrations.list
dialogflow.intents.list
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.list
dialogflow.pages.list
dialogflow.participants.list
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.playbooks.list
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.list
dialogflow.smartMessagingEntries.list
dialogflow.testcases.list
dialogflow.tools.list
dialogflow.transitionRouteGroups.list
dialogflow.versions.list
dialogflow.webhooks.list
discoveryengine.branches.list
discoveryengine.cmekConfigs.list
discoveryengine.collections.list
discoveryengine.controls.list
discoveryengine.conversations.list
discoveryengine.dataStores.list
discoveryengine.documents.list
discoveryengine.engines.list
discoveryengine.evaluations.list
discoveryengine.models.list
discoveryengine.operations.list
discoveryengine.sampleQueries.list
discoveryengine.sampleQuerySets.list
discoveryengine.schemas.list
discoveryengine.servingConfigs.list
discoveryengine.sessions.list
discoveryengine.targetSites.list
dlp.analyzeRiskTemplates.list
dlp.columnDataProfiles.list
dlp.connections.list
dlp.deidentifyTemplates.list
dlp.estimates.list
dlp.fileStoreProfiles.list
dlp.inspectFindings.list
dlp.inspectTemplates.list
dlp.jobTriggers.list
dlp.jobs.list
dlp.locations.list
dlp.projectDataProfiles.list
dlp.storedInfoTypes.list
dlp.subscriptions.list
dlp.tableDataProfiles.list
dns.changes.list
dns.dnsKeys.list
dns.managedZoneOperations.list
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.policies.getIamPolicy
dns.policies.list
dns.resourceRecordSets.list
dns.responsePolicies.list
dns.responsePolicyRules.list
documentai.dataLabelingJobs.list
documentai.evaluations.list
documentai.labelerPools.list
documentai.locations.list
documentai.processorTypes.list
documentai.processorVersions.list
documentai.processors.list
domains.locations.list
domains.operations.list
domains.registrations.getIamPolicy
domains.registrations.list
earthengine.assets.getIamPolicy
earthengine.assets.list
earthengine.operations.list
edgecontainer.clusters.getIamPolicy
edgecontainer.clusters.list
edgecontainer.locations.list
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.nodePools.getIamPolicy
edgecontainer.nodePools.list
edgecontainer.operations.list
edgecontainer.vpnConnections.getIamPolicy
edgecontainer.vpnConnections.list
edgenetwork.interconnectAttachments.getIamPolicy
edgenetwork.interconnectAttachments.list
edgenetwork.interconnects.getIamPolicy
edgenetwork.interconnects.list
edgenetwork.locations.list
edgenetwork.networks.getIamPolicy
edgenetwork.networks.list
edgenetwork.operations.list
edgenetwork.routers.getIamPolicy
edgenetwork.routers.list
edgenetwork.routes.list
edgenetwork.subnetworks.getIamPolicy
edgenetwork.subnetworks.list
edgenetwork.zones.list
enterpriseknowledgegraph.entityReconciliationJobs.list
enterprisepurchasing.gcveCuds.list
enterprisepurchasing.gcveNodePricingInfo.list
enterprisepurchasing.locations.list
enterprisepurchasing.operations.list
errorreporting.applications.list
errorreporting.errorEvents.list
errorreporting.groups.list
essentialcontacts.contacts.list
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.enrollments.getIamPolicy
eventarc.enrollments.list
eventarc.googleApiSources.getIamPolicy
eventarc.googleApiSources.list
eventarc.locations.list
eventarc.messageBuses.getIamPolicy
eventarc.messageBuses.list
eventarc.operations.list
eventarc.pipelines.getIamPolicy
eventarc.pipelines.list
eventarc.providers.list
eventarc.triggers.getIamPolicy
eventarc.triggers.list
fcmdata.deliverydata.list
file.backups.list
file.instances.list
file.locations.list
file.operations.list
financialservices.locations.list
financialservices.operations.list
financialservices.v1backtests.list
financialservices.v1datasets.list
financialservices.v1engineconfigs.list
financialservices.v1engineversions.list
financialservices.v1instances.list
financialservices.v1models.list
financialservices.v1predictions.list
firebase.clients.list
firebase.links.list
firebase.playLinks.list
firebaseabt.experiments.list
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebasecrashlytics.issues.list
firebasedatabase.instances.list
firebasedataconnect.connectorRevisions.list
firebasedataconnect.connectors.list
firebasedataconnect.locations.list
firebasedataconnect.operations.list
firebasedataconnect.schemaRevisions.list
firebasedataconnect.schemas.list
firebasedataconnect.services.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.list
firebaseextensions.configs.list
firebaseextensionspublisher.extensions.list
firebasehosting.sites.list
firebaseinappmessaging.campaigns.list
firebasemessagingcampaigns.campaigns.list
firebaseml.models.list
firebaseml.modelversions.list
firebasenotifications.messages.list
firebaserules.releases.list
firebaserules.rulesets.list
firebasestorage.buckets.list
fleetengine.deliveryvehicles.list
fleetengine.tasks.list
fleetengine.vehicles.list
gcp.redisenterprise.com/databases.list
gcp.redisenterprise.com/subscriptions.list
gdchardwaremanagement.changeLogEntries.list
gdchardwaremanagement.comments.list
gdchardwaremanagement.hardware.list
gdchardwaremanagement.hardwareGroups.list
gdchardwaremanagement.locations.list
gdchardwaremanagement.operations.list
gdchardwaremanagement.orders.list
gdchardwaremanagement.sites.list
gdchardwaremanagement.skus.list
gdchardwaremanagement.zones.list
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.operations.list
gkebackup.backupPlans.getIamPolicy
gkebackup.backupPlans.list
gkebackup.backups.list
gkebackup.locations.list
gkebackup.operations.list
gkebackup.restorePlans.getIamPolicy
gkebackup.restorePlans.list
gkebackup.restores.list
gkebackup.volumeBackups.list
gkebackup.volumeRestores.list
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.locations.list
gkehub.membershipbindings.list
gkehub.membershipfeatures.list
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.namespaces.list
gkehub.operations.list
gkehub.rbacrolebindings.list
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkemulticloud.attachedClusters.list
gkemulticloud.awsClusters.list
gkemulticloud.awsNodePools.list
gkemulticloud.azureClients.list
gkemulticloud.azureClusters.list
gkemulticloud.azureNodePools.list
gkemulticloud.operations.list
gkeonprem.bareMetalAdminClusters.getIamPolicy
gkeonprem.bareMetalAdminClusters.list
gkeonprem.bareMetalClusters.getIamPolicy
gkeonprem.bareMetalClusters.list
gkeonprem.bareMetalNodePools.getIamPolicy
gkeonprem.bareMetalNodePools.list
gkeonprem.locations.list
gkeonprem.operations.list
gkeonprem.vmwareAdminClusters.getIamPolicy
gkeonprem.vmwareAdminClusters.list
gkeonprem.vmwareClusters.getIamPolicy
gkeonprem.vmwareClusters.list
gkeonprem.vmwareNodePools.getIamPolicy
gkeonprem.vmwareNodePools.list
gsuiteaddons.deployments.list
healthcare.annotationStores.getIamPolicy
healthcare.annotationStores.list
healthcare.annotations.list
healthcare.attributeDefinitions.list
healthcare.consentArtifacts.list
healthcare.consentStores.getIamPolicy
healthcare.consentStores.list
healthcare.consents.list
healthcare.datasets.getIamPolicy
healthcare.datasets.list
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.list
healthcare.hl7V2Messages.list
healthcare.hl7V2Stores.getIamPolicy
healthcare.hl7V2Stores.list
healthcare.locations.list
healthcare.operations.list
healthcare.userDataMappings.list
iam.denypolicies.list
iam.googleapis.com/oauthClientCredentials.list
iam.googleapis.com/oauthClients.list
iam.googleapis.com/workforcePoolProviderKeys.list
iam.googleapis.com/workforcePoolProviders.list
iam.googleapis.com/workforcePools.getIamPolicy
iam.googleapis.com/workforcePools.list
iam.googleapis.com/workloadIdentityPoolProviderKeys.list
iam.googleapis.com/workloadIdentityPoolProviders.list
iam.googleapis.com/workloadIdentityPools.list
iam.policybindings.list
iam.principalaccessboundarypolicies.list
iam.roles.get
iam.roles.list
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iap.tunnel.getIamPolicy
iap.tunnelDestGroups.getIamPolicy
iap.tunnelDestGroups.list
iap.tunnelInstances.getIamPolicy
iap.tunnelLocations.getIamPolicy
iap.tunnelZones.getIamPolicy
iap.web.getIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServices.getIamPolicy
iap.webTypes.getIamPolicy
identitytoolkit.tenants.getIamPolicy
identitytoolkit.tenants.list
ids.endpoints.getIamPolicy
ids.endpoints.list
ids.locations.list
ids.operations.list
integrations.apigeeAuthConfigs.list
integrations.apigeeCertificates.list
integrations.apigeeExecutions.list
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrations.list
integrations.apigeeSfdcChannels.list
integrations.apigeeSfdcInstances.list
integrations.apigeeSuspensions.list
integrations.authConfigs.list
integrations.certificates.list
integrations.executions.list
integrations.integrationVersions.list
integrations.integrations.list
integrations.securityAuthConfigs.list
integrations.securityExecutions.list
integrations.securityIntegTempVers.list
integrations.securityIntegrationVers.list
integrations.securityIntegrations.list
integrations.sfdcChannels.list
integrations.sfdcInstances.list
integrations.suspensions.list
integrations.testCases.list
issuerswitch.accountManagerTransactions.list
issuerswitch.complaintTransactions.list
issuerswitch.financialTransactions.list
issuerswitch.mandateTransactions.list
issuerswitch.metadataTransactions.list
issuerswitch.operations.list
issuerswitch.ruleMetadata.list
issuerswitch.ruleMetadataValues.list
issuerswitch.rules.list
krmapihosting.krmApiHosts.getIamPolicy
krmapihosting.krmApiHosts.list
krmapihosting.locations.list
krmapihosting.operations.list
licensemanager.configurations.list
licensemanager.instances.list
licensemanager.locations.list
licensemanager.operations.list
licensemanager.products.list
lifesciences.operations.list
livestream.assets.list
livestream.channels.list
livestream.clips.list
livestream.events.list
livestream.inputs.list
livestream.locations.list
livestream.operations.list
logging.buckets.list
logging.exclusions.list
logging.links.list
logging.locations.list
logging.logEntries.list
logging.logMetrics.list
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.notificationRules.list
logging.operations.list
logging.privateLogEntries.list
logging.queries.usePrivate
logging.sinks.list
logging.views.getIamPolicy
logging.views.list
looker.backups.list
looker.instances.list
looker.locations.list
looker.operations.list
managedflink.deployments.list
managedflink.jobs.list
managedflink.locations.list
managedflink.operations.list
managedflink.sessions.list
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.domains.getIamPolicy
managedidentities.domains.list
managedidentities.locations.list
managedidentities.operations.list
managedidentities.peerings.getIamPolicy
managedidentities.peerings.list
managedidentities.sqlintegrations.list
managedkafka.clusters.list
managedkafka.consumerGroups.list
managedkafka.locations.list
managedkafka.operations.list
managedkafka.topics.list
mapsadmin.clientMaps.list
mapsadmin.clientStyleSheetSnapshots.list
mapsadmin.clientStyles.list
mapsadmin.styleSnapshots.list
mapsanalytics.metricMetadata.list
mapsplatformdatasets.datasets.list
marketplacesolutions.locations.list
marketplacesolutions.operations.list
marketplacesolutions.powerImages.list
marketplacesolutions.powerInstances.list
marketplacesolutions.powerNetworks.list
marketplacesolutions.powerSshKeys.list
marketplacesolutions.powerVolumes.list
memcache.instances.list
memcache.locations.list
memcache.operations.list
memorystore.instances.list
memorystore.locations.list
memorystore.operations.list
metastore.backups.getIamPolicy
metastore.backups.list
metastore.databases.getIamPolicy
metastore.databases.list
metastore.federations.getIamPolicy
metastore.federations.list
metastore.imports.list
metastore.locations.list
metastore.migrations.list
metastore.operations.list
metastore.services.getIamPolicy
metastore.services.list
metastore.tables.getIamPolicy
metastore.tables.list
migrationcenter.assets.list
migrationcenter.discoveryClients.list
migrationcenter.errorFrames.list
migrationcenter.groups.list
migrationcenter.importDataFiles.list
migrationcenter.importJobs.list
migrationcenter.locations.list
migrationcenter.operations.list
migrationcenter.preferenceSets.list
migrationcenter.relations.list
migrationcenter.reportConfigs.list
migrationcenter.reports.list
migrationcenter.sources.list
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.list
ml.models.getIamPolicy
ml.models.list
ml.operations.list
ml.studies.getIamPolicy
ml.studies.list
ml.trials.list
ml.versions.list
monitoring.alertPolicies.list
monitoring.dashboards.list
monitoring.groups.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.list
monitoring.services.list
monitoring.slos.list
monitoring.snoozes.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.list
netapp.activeDirectories.list
netapp.backupPolicies.list
netapp.backupVaults.list
netapp.backups.list
netapp.kmsConfigs.list
netapp.locations.list
netapp.operations.list
netapp.replications.list
netapp.snapshots.list
netapp.storagePools.list
netapp.volumes.list
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.hubRouteTables.getIamPolicy
networkconnectivity.hubRouteTables.list
networkconnectivity.hubRoutes.getIamPolicy
networkconnectivity.hubRoutes.list
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.internalRanges.getIamPolicy
networkconnectivity.internalRanges.list
networkconnectivity.locations.list
networkconnectivity.operations.list
networkconnectivity.policyBasedRoutes.getIamPolicy
networkconnectivity.policyBasedRoutes.list
networkconnectivity.regionalEndpoints.list
networkconnectivity.serviceClasses.list
networkconnectivity.serviceConnectionMaps.list
networkconnectivity.serviceConnectionPolicies.list
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkmanagement.connectivitytests.getIamPolicy
networkmanagement.connectivitytests.list
networkmanagement.locations.list
networkmanagement.operations.list
networkmanagement.vpcflowlogsconfigs.list
networksecurity.addressGroups.getIamPolicy
networksecurity.addressGroups.list
networksecurity.authorizationPolicies.getIamPolicy
networksecurity.authorizationPolicies.list
networksecurity.authzPolicies.getIamPolicy
networksecurity.authzPolicies.list
networksecurity.clientTlsPolicies.getIamPolicy
networksecurity.clientTlsPolicies.list
networksecurity.firewallEndpointAssociations.list
networksecurity.firewallEndpoints.list
networksecurity.gatewaySecurityPolicies.list
networksecurity.gatewaySecurityPolicyRules.list
networksecurity.interceptDeploymentGroups.list
networksecurity.interceptDeployments.list
networksecurity.interceptEndpointGroupAssociations.list
networksecurity.interceptEndpointGroups.list
networksecurity.locations.list
networksecurity.mirroringDeploymentGroups.list
networksecurity.mirroringDeployments.list
networksecurity.mirroringEndpointGroupAssociations.list
networksecurity.mirroringEndpointGroups.list
networksecurity.operations.list
networksecurity.securityProfileGroups.list
networksecurity.securityProfiles.list
networksecurity.serverTlsPolicies.getIamPolicy
networksecurity.serverTlsPolicies.list
networksecurity.tlsInspectionPolicies.list
networksecurity.urlLists.list
networkservices.authzExtensions.list
networkservices.endpointPolicies.list
networkservices.gateways.list
networkservices.grpcRoutes.list
networkservices.httpFilters.list
networkservices.httpRoutes.list
networkservices.httpfilters.getIamPolicy
networkservices.httpfilters.list
networkservices.lbRouteExtensions.list
networkservices.lbTrafficExtensions.list
networkservices.locations.list
networkservices.meshes.list
networkservices.operations.list
networkservices.route_views.list
networkservices.serviceBindings.list
networkservices.serviceLbPolicies.list
networkservices.tcpRoutes.list
networkservices.tlsRoutes.list
networkservices.wasmPlugins.list
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.executions.getIamPolicy
notebooks.executions.list
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.locations.list
notebooks.operations.list
notebooks.runtimes.getIamPolicy
notebooks.runtimes.list
notebooks.schedules.getIamPolicy
notebooks.schedules.list
observability.analyticsViews.list
ondemandscanning.operations.list
opsconfigmonitoring.resourceMetadata.list
oracledatabase.autonomousDatabaseBackups.list
oracledatabase.autonomousDatabaseCharacterSets.list
oracledatabase.autonomousDatabases.list
oracledatabase.autonomousDbVersions.list
oracledatabase.cloudExadataInfrastructures.list
oracledatabase.cloudVmClusters.list
oracledatabase.dbNodes.list
oracledatabase.dbServers.list
oracledatabase.dbSystemShapes.list
oracledatabase.entitlements.list
oracledatabase.giVersions.list
oracledatabase.locations.list
oracledatabase.operations.list
orgpolicy.constraints.list
orgpolicy.customConstraints.list
orgpolicy.policies.list
osconfig.guestPolicies.list
osconfig.instanceOSPoliciesCompliances.list
osconfig.inventories.list
osconfig.locations.list
osconfig.operations.list
osconfig.osPolicyAssignmentReports.list
osconfig.osPolicyAssignments.list
osconfig.patchDeployments.list
osconfig.patchJobs.list
osconfig.policyOrchestrators.list
osconfig.upgradeReports.list
osconfig.vulnerabilityReports.list
parallelstore.instances.list
parallelstore.locations.list
parallelstore.operations.list
parametermanager.locations.list
parametermanager.parameterVersions.list
parametermanager.parameters.list
paymentsresellersubscription.products.list
paymentsresellersubscription.promotions.list
policyremediatormanager.locations.list
policyremediatormanager.operations.list
policysimulator.accessPolicySimulationResults.list
policysimulator.accessPolicySimulations.list
policysimulator.orgPolicyViolations.list
policysimulator.orgPolicyViolationsPreviews.list
policysimulator.replayResults.list
policysimulator.replays.list
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.locations.list
privateca.operations.list
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
privilegedaccessmanager.entitlements.list
privilegedaccessmanager.grants.list
privilegedaccessmanager.locations.list
privilegedaccessmanager.operations.list
proximitybeacon.attachments.list
proximitybeacon.beacons.getIamPolicy
proximitybeacon.beacons.list
proximitybeacon.namespaces.getIamPolicy
proximitybeacon.namespaces.list
pubsub.schemas.getIamPolicy
pubsub.schemas.list
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsublite.operations.list
pubsublite.reservations.list
pubsublite.subscriptions.list
pubsublite.topics.list
recaptchaenterprise.firewallpolicies.list
recaptchaenterprise.keys.list
recaptchaenterprise.relatedaccountgroupmemberships.list
recaptchaenterprise.relatedaccountgroups.list
recommender.alloydbClusterPerformanceInsights.list
recommender.alloydbClusterPerformanceRecommendations.list
recommender.alloydbClusterReliabilityInsights.list
recommender.alloydbClusterReliabilityRecommendations.list
recommender.alloydbInstanceSecurityInsights.list
recommender.alloydbInstanceSecurityRecommendations.list
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.bigqueryMaterializedViewInsights.list
recommender.bigqueryMaterializedViewRecommendations.list
recommender.bigqueryPartitionClusterRecommendations.list
recommender.bigqueryTableStatsInsights.list
recommender.cloudAssetInsights.list
recommender.cloudCostGeneralInsights.list
recommender.cloudCostGeneralRecommendations.list
recommender.cloudDeprecationGeneralInsights.list
recommender.cloudDeprecationGeneralRecommendations.list
recommender.cloudFunctionsPerformanceInsights.list
recommender.cloudFunctionsPerformanceRecommendations.list
recommender.cloudManageabilityGeneralInsights.list
recommender.cloudManageabilityGeneralRecommendations.list
recommender.cloudPerformanceGeneralInsights.list
recommender.cloudPerformanceGeneralRecommendations.list
recommender.cloudRecentChangeInsights.list
recommender.cloudRecentChangeRecommendations.list
recommender.cloudReliabilityGeneralInsights.list
recommender.cloudReliabilityGeneralRecommendations.list
recommender.cloudSecurityGeneralInsights.list
recommender.cloudSecurityGeneralRecommendations.list
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceOomProbabilityInsights.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlInstancePerformanceInsights.list
recommender.cloudsqlInstancePerformanceRecommendations.list
recommender.cloudsqlInstanceReliabilityInsights.list
recommender.cloudsqlInstanceReliabilityRecommendations.list
recommender.cloudsqlInstanceSecurityInsights.list
recommender.cloudsqlInstanceSecurityRecommendations.list
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
recommender. commitmentUtilizationInsights. list
recommender. computeAddressIdleResourceInsights. list
recommender. computeAddressIdleResourceRecommendations. list
recommender. computeDiskIdleResourceInsights. list
recommender. computeDiskIdleResourceRecommendations. list
recommender. computeFirewallInsights. list
recommender. computeImageIdleResourceInsights. list
recommender. computeImageIdleResourceRecommendations. list
recommender. computeInstanceCpuUsageInsights. list
recommender. computeInstanceCpuUsagePredictionInsights. list
recommender. computeInstanceCpuUsageTrendInsights. list
recommender. computeInstanceGroupManagerCpuUsageInsights. list
recommender. computeInstanceGroupManagerCpuUsagePredictionInsights. list
recommender. computeInstanceGroupManagerCpuUsageTrendInsights. list
recommender. computeInstanceGroupManagerMachineTypeRecommendations. list
recommender. computeInstanceGroupManagerMemoryUsageInsights. list
recommender. computeInstanceGroupManagerMemoryUsagePredictionInsights. list
recommender. computeInstanceIdleResourceRecommendations. list
recommender. computeInstanceMachineTypeRecommendations. list
recommender. computeInstanceMemoryUsageInsights. list
recommender. computeInstanceMemoryUsagePredictionInsights. list
recommender. computeInstanceNetworkThroughputInsights. list
recommender. containerDiagnosisInsights. list
recommender. containerDiagnosisRecommendations. list
recommender.costInsights.list
recommender.dataflowDiagnosticsInsights.list
recommender.errorReportingInsights.list
recommender.errorReportingRecommendations.list
recommender.firestoreDatabaseReliabilityInsights.list
recommender.firestoreDatabaseReliabilityRecommendations.list
recommender.gmpGuidedExperienceInsights.list
recommender.gmpGuidedExperienceRecommendations.list
recommender.gmpProjectManagementInsights.list
recommender.gmpProjectManagementRecommendations.list
recommender.gmpProjectProductSuggestionsInsights.list
recommender.gmpProjectProductSuggestionsRecommendations.list
recommender.iamPolicyChangeRiskInsights.list
recommender.iamPolicyChangeRiskRecommendations.list
recommender.iamPolicyInsights.list
recommender.iamPolicyLateralMovementInsights.list
recommender.iamPolicyRecommendations.list
recommender.iamServiceAccountChangeRiskInsights.list
recommender.iamServiceAccountChangeRiskRecommendations.list
recommender.iamServiceAccountInsights.list
recommender.locations.list
recommender.loggingProductSuggestionContainerInsights.list
recommender.loggingProductSuggestionContainerRecommendations.list
recommender.monitoringProductSuggestionComputeInsights.list
recommender.monitoringProductSuggestionComputeRecommendations.list
recommender.networkAnalyzerCloudSqlInsights.list
recommender.networkAnalyzerDynamicRouteInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.list
recommender.networkAnalyzerGkeServiceAccountInsights.list
recommender.networkAnalyzerIpAddressInsights.list
recommender.networkAnalyzerLoadBalancerInsights.list
recommender.networkAnalyzerVpcConnectivityInsights.list
recommender.orgPolicyInsights.list
recommender.orgPolicyRecommendations.list
recommender.resourcemanagerProjectChangeRiskInsights.list
recommender.resourcemanagerProjectChangeRiskRecommendations.list
recommender.resourcemanagerProjectUtilizationInsights.list
recommender.resourcemanagerProjectUtilizationRecommendations.list
recommender.resourcemanagerServiceLimitInsights.list
recommender.resourcemanagerServiceLimitRecommendations.list
recommender.runServiceCostInsights.list
recommender.runServiceCostRecommendations.list
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityRecommendations.list
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.list
recommender.runServiceSecurityInsights.list
recommender.runServiceSecurityRecommendations.list
recommender.spannerProjectReliabilityInsights.list
recommender.spannerProjectReliabilityRecommendations.list
recommender.spendBasedCommitmentInsights.list
recommender.spendBasedCommitmentRecommendations.list
recommender.storageBucketSoftDeleteInsights.list
recommender.storageBucketSoftDeleteRecommendations.list
recommender.usageCommitmentRecommendations.list
redis.backupCollections.list
redis.backups.list
redis.clusters.list
redis.instances.list
redis.locations.list
redis.operations.list
remotebuildexecution.instances.list
remotebuildexecution.workerpools.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.hierarchyNodes.listTagBindings
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.tagHolds.list
resourcemanager.tagKeys.getIamPolicy
resourcemanager.tagKeys.list
resourcemanager.tagValues.getIamPolicy
resourcemanager.tagValues.list
resourcesettings.settings.list
retail.branches.list
retail.catalogs.list
retail.controls.list
retail.experiments.list
retail.models.list
retail.operations.list
retail.products.list
retail.servingConfigs.list
riskmanager.controlScoreBreakdowns.list
riskmanager.operations.list
riskmanager.policies.list
riskmanager.reports.list
rma.collectors.list
rma.locations.list
rma.operations.list
run.configurations.list
run.executions.list
run.jobs.getIamPolicy
run.jobs.list
run.locations.list
run.operations.list
run.revisions.list
run.routes.list
run.services.getIamPolicy
run.services.list
run.tasks.list
runapps.applications.list
runapps.deployments.list
runapps.locations.list
runapps.operations.list
runtimeconfig.configs.getIamPolicy
runtimeconfig.configs.list
runtimeconfig.operations.list
runtimeconfig.variables.getIamPolicy
runtimeconfig.variables.list
runtimeconfig.waiters.getIamPolicy
runtimeconfig.waiters.list
secretmanager.locations.list
secretmanager.secrets.getIamPolicy
secretmanager.secrets.list
secretmanager.versions.list
securedlandingzone.overwatches.list
securesourcemanager.branchRules.list
securesourcemanager.instances.getIamPolicy
securesourcemanager.instances.list
securesourcemanager.locations.list
securesourcemanager.operations.list
securesourcemanager.repositories.getIamPolicy
securesourcemanager.repositories.list
securesourcemanager.sshkeys.list
securitycenter.assets.list
securitycenter.attackpaths.list
securitycenter.bigQueryExports.list
securitycenter.compliancesnapshots.list
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.findings.list
securitycenter.muteconfigs.list
securitycenter.notificationconfig.list
securitycenter.resourcevalueconfigs.list
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.sources.getIamPolicy
securitycenter.sources.list
securitycenter.valuedresources.list
securitycenter.vulnerabilitysnapshots.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securityposture.locations.list
securityposture.operations.list
securityposture.postureDeployments.list
securityposture.postureTemplates.list
securityposture.postures.list
securityposture.reports.list
servicebroker.bindingoperations.list
servicebroker.bindings.getIamPolicy
servicebroker.bindings.list
servicebroker.catalogs.getIamPolicy
servicebroker.catalogs.list
servicebroker.instanceoperations.list
servicebroker.instances.getIamPolicy
servicebroker.instances.list
serviceconsumermanagement.tenancyu.list
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.locations.list
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicehealth.events.list
servicehealth.locations.list
servicehealth.organizationEvents.list
servicehealth.organizationImpacts.list
servicemanagement.services.getIamPolicy
servicemanagement.services.list
servicenetworking.operations.list
servicesecurityinsights.clusterSecurityInfo.list
servicesecurityinsights.securityInfo.list
servicesecurityinsights.workloadPolicies.list
serviceusage.services.list
source.repos.getIamPolicy
source.repos.list
spanner.backupOperations.list
spanner.backupSchedules.getIamPolicy
spanner.backupSchedules.list
spanner.backups.getIamPolicy
spanner.backups.list
spanner.databaseOperations.list
spanner.databaseRoles.list
spanner.databases.getIamPolicy
spanner.databases.list
spanner.instanceConfigOperations.list
spanner.instanceConfigs.list
spanner.instanceOperations.list
spanner.instancePartitionOperations.list
spanner.instancePartitions.list
spanner.instances.getIamPolicy
spanner.instances.list
spanner.sessions.list
speakerid.phrases.list
speakerid.speakers.list
speech.customClasses.list
speech.locations.list
speech.operations.list
speech.phraseSets.list
speech.recognizers.list
stackdriver.resourceMetadata.list
storage.anywhereCaches.list
storage.bucketOperations.list
storage.buckets.getIamPolicy
storage.buckets.list
storage.folders.list
storage.hmacKeys.list
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.multipartUploads.list
storage.objects.getIamPolicy
storage.objects.list
storageinsights.datasetConfigs.list
storageinsights.locations.list
storageinsights.operations.list
storageinsights.reportConfigs.list
storageinsights.reportDetails.list
storagetransfer.agentpools.list
storagetransfer.jobs.list
storagetransfer.operations.list
stream.locations.list
stream.operations.list
stream.streamContents.list
stream.streamInstances.list
telcoautomation.blueprints.list
telcoautomation.deployments.list
telcoautomation.edgeSlms.list
telcoautomation.hydratedDeployments.list
telcoautomation.locations.list
telcoautomation.operations.list
telcoautomation.orchestrationClusters.list
telcoautomation.publicBlueprints.list
timeseriesinsights.datasets.list
timeseriesinsights.locations.list
tpu.acceleratortypes.list
tpu.locations.list
tpu.nodes.list
tpu.operations.list
tpu.runtimeversions.list
tpu.tensorflowversions.list
transcoder.jobTemplates.list
transcoder.jobs.list
transferappliance.appliances.list
transferappliance.locations.list
transferappliance.operations.list
transferappliance.orders.list
transferappliance.savedAddresses.list
translationhub.portals.list
videostitcher.cdnKeys.list
videostitcher.liveAdTagDetails.list
videostitcher.liveConfigs.list
videostitcher.operations.list
videostitcher.slates.list
videostitcher.vodAdTagDetails.list
videostitcher.vodConfigs.list
videostitcher.vodStitchDetails.list
visionai.analyses.getIamPolicy
visionai.analyses.list
visionai.annotations.list
visionai.applications.list
visionai.assets.list
visionai.clusters.getIamPolicy
visionai.clusters.list
visionai.corpora.list
visionai.dataSchemas.list
visionai.drafts.list
visionai.events.getIamPolicy
visionai.events.list
visionai.indexEndpoints.list
visionai.indexes.list
visionai.instances.list
visionai.locations.list
visionai.operations.list
visionai.operators.getIamPolicy
visionai.operators.list
visionai.processors.list
visionai.searchConfigs.list
visionai.series.getIamPolicy
visionai.series.list
visionai.streams.getIamPolicy
visionai.streams.list
visionai.uistreams.list
visualinspection.annotationSets.list
visualinspection.annotationSpecs.list
visualinspection.annotations.list
visualinspection.datasets.list
visualinspection.images.list
visualinspection.locations.list
visualinspection.modelEvaluations.list
visualinspection.models.list
visualinspection.modules.list
visualinspection.operations.list
visualinspection.solutionArtifacts.list
visualinspection.solutions.list
vmmigration.cloneJobs.list
vmmigration.cutoverJobs.list
vmmigration.datacenterConnectors.list
vmmigration.deployments.list
vmmigration.groups.list
vmmigration.locations.list
vmmigration.migratingVms.list
vmmigration.operations.list
vmmigration.replicationCycles.list
vmmigration.sources.list
vmmigration.targets.list
vmmigration.utilizationReports.list
vmwareengine.clusters.getIamPolicy
vmwareengine.clusters.list
vmwareengine.externalAccessRules.list
vmwareengine.externalAddresses.list
vmwareengine.hcxActivationKeys.getIamPolicy
vmwareengine.hcxActivationKeys.list
vmwareengine.locations.list
vmwareengine.loggingServers.list
vmwareengine.managementDnsZoneBindings.list
vmwareengine.networkPeerings.list
vmwareengine.networkPolicies.list
vmwareengine.nodeTypes.list
vmwareengine.nodes.list
vmwareengine.operations.list
vmwareengine.privateClouds.getIamPolicy
vmwareengine.privateClouds.list
vmwareengine.privateConnections.list
vmwareengine.subnets.list
vmwareengine.vmwareEngineNetworks.list
vpcaccess.connectors.list
vpcaccess.locations.list
vpcaccess.operations.list
workflows.callbacks.list
workflows.executions.list
workflows.locations.list
workflows.operations.list
workflows.stepEntries.list
workflows.workflows.list
workloadcertificate.locations.list
workloadcertificate.operations.list
workloadcertificate.workloadRegistrations.list
workloadmanager.actuations.list
workloadmanager.deployments.list
workloadmanager.discoveredprofiles.list
workloadmanager.evaluations.list
workloadmanager.executions.list
workloadmanager.locations.list
workloadmanager.operations.list
workloadmanager.results.list
workloadmanager.rules.list
workstations.workstationClusters.list
workstations.workstationConfigs.getIamPolicy
workstations.workstationConfigs.list
workstations.workstations.getIamPolicy
workstations.workstations.list
Workspace Pool IAM Admin
Beta
(roles/iam.workspacePoolAdmin)
IAM workspace pool admin able to bind IAM policies to Dasher accounts.
iam.workspacePools.*
Infrastructure Manager roles
Permissions
Cloud Infrastructure Manager Admin
Beta
(roles/config.admin)
Full access to Cloud Infrastructure Manager resources.
config.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Infrastructure Manager Agent
Beta
(roles/config.agent)
Required permissions to make Cloud Infrastructure Manager work with the user-specified service account
cloudbuild.connections.list
cloudbuild.repositories.accessReadToken
cloudbuild.repositories.list
cloudquotas.quotas.get
config.artifacts.import
config.deployments.deleteState
config.deployments.getLock
config.deployments.getState
config.deployments.updateState
config.previews.upload
config.revisions.getState
logging.logEntries.create
monitoring.timeSeries.list
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Infrastructure Manager Viewer
Beta
(roles/config.viewer)
Read-only access to Cloud Infrastructure Manager resources.
config.deployments.get
config.deployments.getIamPolicy
config.deployments.list
config.locations.*
config.operations.get
config.operations.list
config.previews.get
config.previews.list
config.resources.*
config.revisions.get
config.revisions.list
config.terraformversions.*
resourcemanager.projects.get
resourcemanager.projects.list
KRM API Hosting roles
Permissions
Config Controller Admin
(roles/krmapihosting.admin)
Full access to all Config Controller resources.
krmapihosting.*
resourcemanager.projects.get
resourcemanager.projects.list
Config Controller Viewer
(roles/krmapihosting.viewer)
Read-only access to all Config Controller resources.
krmapihosting.krmApiHosts.get
krmapihosting.krmApiHosts.getIamPolicy
krmapihosting.krmApiHosts.list
krmapihosting.locations.*
krmapihosting.operations.get
krmapihosting.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Kubernetes Engine roles
Permissions
Kubernetes Engine Admin
(roles/container.admin)
Provides access to full management of clusters and their Kubernetes API objects.
To set a service account on nodes, you must also have the Service Account User role (roles/iam.serviceAccountUser) on the user-managed service account that your nodes will use.
Lowest-level resources where you can grant this role:
container.*
recommender.containerDiagnosisInsights.*
recommender.containerDiagnosisRecommendations.*
recommender.locations.*
recommender.networkAnalyzerGkeConnectivityInsights.*
recommender.networkAnalyzerGkeIpAddressInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
Kubernetes Engine KMS Crypto Key User
(roles/container.cloudKmsKeyUser)
Allow the Kubernetes Engine service agent in the cluster project to call KMS with user provided crypto keys to sign payloads.
cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.useToSign
cloudkms.cryptoKeyVersions.useToVerify
cloudkms.cryptoKeyVersions.viewPublicKey
cloudkms.cryptoKeys.get
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Kubernetes Engine Cluster Admin
(roles/container.clusterAdmin)
Provides access to management of clusters.
To set a service account on nodes, you must also have the Service Account User role (roles/iam.serviceAccountUser) on the user-managed service account that your nodes will use.
Lowest-level resources where you can grant this role:
container.clusters.create
container.clusters.delete
container.clusters.get
container.clusters.list
container.clusters.update
container.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Kubernetes Engine Cluster Viewer
(roles/container.clusterViewer)
Provides access to get and list GKE clusters.
container.clusters.get
container.clusters.list
resourcemanager.projects.get
resourcemanager.projects.list
Kubernetes Engine Default Node Service Account
(roles/container.defaultNodeServiceAccount)
Least privilege role to use as the default service account for GKE Nodes.
autoscaling.sites.writeMetrics
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.list
monitoring.timeSeries.*
Kubernetes Engine Developer
(roles/container.developer)
Provides access to Kubernetes API objects inside clusters.
Lowest-level resources where you can grant this role:
container.apiServices.*
container.auditSinks.*
container.backendConfigs.*
container.bindings.*
container.certificateSigningRequests.create
container.certificateSigningRequests.delete
container.certificateSigningRequests.get
container.certificateSigningRequests.list
container.certificateSigningRequests.update
container.certificateSigningRequests.updateStatus
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.connect
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.*
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.*
container.csiDrivers.*
container.csiNodeInfos.*
container.csiNodes.*
container.customResourceDefinitions.*
container.daemonSets.*
container.deployments.*
container.endpointSlices.*
container.endpoints.*
container.events.*
container.frontendConfigs.*
container.horizontalPodAutoscalers.*
container.ingresses.*
container.initializerConfigurations.*
container.jobs.*
container.leases.*
container.limitRanges.*
container.localSubjectAccessReviews.*
container.managedCertificates.*
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.persistentVolumeClaims.*
container.persistentVolumes.*
container.petSets.*
container.podDisruptionBudgets.*
container.podPresets.*
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.*
container.pods.*
container.priorityClasses.*
container.replicaSets.*
container.replicationControllers.*
container.resourceQuotas.*
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.*
container.scheduledJobs.*
container.secrets.*
container.selfSubjectAccessReviews.*
container.selfSubjectRulesReviews.create
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.storageStates.*
container.storageVersionMigrations.*
container.subjectAccessReviews.*
container.thirdPartyObjects.*
container.thirdPartyResources.*
container.tokenReviews.create
container.updateInfos.*
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeAttachments.*
container.volumeSnapshotClasses.*
container.volumeSnapshotContents.*
container.volumeSnapshots.*
recommender.containerDiagnosisInsights.*
recommender.containerDiagnosisRecommendations.*
recommender.locations.*
recommender.networkAnalyzerGkeConnectivityInsights.*
recommender.networkAnalyzerGkeIpAddressInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
Kubernetes Engine Host Service Agent User
(roles/container.hostServiceAgentUser)
Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also gives access to inspect the firewall rules in the host project.
compute.firewalls.get
container.hostServiceAgent.use
dns.networks.bindDNSResponsePolicy
dns.networks.bindPrivateDNSPolicy
dns.networks.bindPrivateDNSZone
dns.responsePolicies.*
dns.responsePolicyRules.*
Kubernetes Engine Viewer
(roles/container.viewer)
Provides read-only access to resources within GKE clusters, such as nodes, pods, and GKE API objects.
Lowest-level resources where you can grant this role:
container.apiServices.get
container.apiServices.getStatus
container.apiServices.list
container.auditSinks.get
container.auditSinks.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.certificateSigningRequests.get
container.certificateSigningRequests.getStatus
container.certificateSigningRequests.list
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.connect
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.get
container.configMaps.list
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.csiDrivers.get
container.csiDrivers.list
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodes.get
container.csiNodes.list
container.customResourceDefinitions.get
container.customResourceDefinitions.getStatus
container.customResourceDefinitions.list
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.deployments.get
container.deployments.getScale
container.deployments.getStatus
container.deployments.list
container.endpointSlices.get
container.endpointSlices.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.frontendConfigs.get
container.frontendConfigs.list
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.initializerConfigurations.get
container.initializerConfigurations.list
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.leases.get
container.leases.list
container.limitRanges.get
container.limitRanges.list
container.managedCertificates.get
container.managedCertificates.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.*
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.petSets.get
container.petSets.list
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podPresets.get
container.podPresets.list
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.get
container.podTemplates.list
container.pods.get
container.pods.getStatus
container.pods.list
container.priorityClasses.get
container.priorityClasses.list
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.get
container.runtimeClasses.list
container.scheduledJobs.get
container.scheduledJobs.list
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.statefulSets.getScale
container.statefulSets.getStatus
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyResources.get
container.thirdPartyResources.list
container.tokenReviews.create
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeAttachments.get
container.volumeAttachments.getStatus
container.volumeAttachments.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.locations.*
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
resourcemanager.projects.get
resourcemanager.projects.list
Live Stream roles
Permissions
Live Stream Editor
(roles/livestream.editor)
Full access to Live Stream resources.
livestream.*
resourcemanager.projects.get
resourcemanager.projects.list
Live Stream Viewer
(roles/livestream.viewer)
Read access to Live Stream resources.
livestream.assets.get
livestream.assets.list
livestream.channels.get
livestream.channels.list
livestream.clips.get
livestream.clips.list
livestream.events.get
livestream.events.list
livestream.inputs.get
livestream.inputs.list
livestream.locations.*
livestream.operations.get
livestream.operations.list
livestream.pools.get
resourcemanager.projects.get
resourcemanager.projects.list
Logging roles
Permissions
Logging Admin
(roles/logging.admin)
Provides all permissions necessary to use all features of Cloud Logging.
Lowest-level resources where you can grant this role:
logging.buckets.copyLogEntries
logging.buckets.create
logging.buckets.createTagBinding
logging.buckets.delete
logging.buckets.deleteTagBinding
logging.buckets.get
logging.buckets.list
logging.buckets.listEffectiveTags
logging.buckets.listTagBindings
logging.buckets.undelete
logging.buckets.update
logging.exclusions.*
logging.fields.access
logging.links.*
logging.locations.*
logging.logEntries.*
logging.logMetrics.*
logging.logScopes.*
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.*
logging.notificationRules.*
logging.operations.*
logging.privateLogEntries.list
logging.queries.*
logging.settings.*
logging.sinks.*
logging.sqlAlerts.*
logging.usage.get
logging.views.*
observability.scopes.get
resourcemanager.projects.get
resourcemanager.projects.list
Logs Bucket Writer
(roles/logging.bucketWriter)
Ability to write logs to a log bucket.
Lowest-level resources where you can grant this role:
logging.buckets.write
Logs Configuration Writer
(roles/logging.configWriter)
Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs.
Lowest-level resources where you can grant this role:
logging.buckets.create
logging.buckets.createTagBinding
logging.buckets.delete
logging.buckets.deleteTagBinding
logging.buckets.get
logging.buckets.list
logging.buckets.listEffectiveTags
logging.buckets.listTagBindings
logging.buckets.undelete
logging.buckets.update
logging.exclusions.*
logging.links.*
logging.locations.*
logging.logMetrics.*
logging.logScopes.*
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.notificationRules.*
logging.operations.*
logging.settings.*
logging.sinks.*
logging.sqlAlerts.*
logging.views.create
logging.views.delete
logging.views.get
logging.views.getIamPolicy
logging.views.list
logging.views.update
observability.scopes.get
resourcemanager.projects.get
resourcemanager.projects.list
Log Field Accessor
(roles/logging.fieldAccessor)
Ability to read restricted fields in a log bucket.
Lowest-level resources where you can grant this role:
logging.fields.access
Log Link Accessor
(roles/logging.linkViewer)
Ability to see links for a bucket.
logging.links.get
logging.links.list
Logs Writer
(roles/logging.logWriter)
Provides the permissions to write log entries.
Lowest-level resources where you can grant this role:
logging.logEntries.create
logging.logEntries.route
Private Logs Viewer
(roles/logging.privateLogViewer)
Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs.
Lowest-level resources where you can grant this role:
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.privateLogEntries.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.access
logging.views.get
logging.views.list
observability.scopes.get
resourcemanager.projects.get
SQL Alert Writer
Beta
(roles/logging.sqlAlertWriter)
Ability to write SQL Alerts.
logging.sqlAlerts.*
Logs View Accessor
(roles/logging.viewAccessor)
Ability to read logs in a view.
Lowest-level resources where you can grant this role:
logging.logEntries.download
logging.views.access
logging.views.listLogs
logging.views.listResourceKeys
logging.views.listResourceValues
Logs Viewer
(roles/logging.viewer)
Provides access to view logs.
Lowest-level resources where you can grant this role:
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logScopes.get
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
observability.scopes.get
resourcemanager.projects.get
Looker roles
Permissions
Looker Admin
(roles/looker.admin)
Full access to all Looker resources.
looker.*
resourcemanager.projects.get
resourcemanager.projects.list
Looker Instance User
(roles/looker.instanceUser)
Access to log in to a Looker instance.
looker.instances.get
looker.instances.login
resourcemanager.projects.get
resourcemanager.projects.list
Looker Viewer
(roles/looker.viewer)
Read-only access to all Looker resources.
looker.backups.get
looker.backups.list
looker.instances.get
looker.instances.list
looker.instances.login
looker.locations.*
looker.operations.get
looker.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Maps API Admin roles
Permissions
Maps API Admin
(roles/mapsadmin.admin)
Read and Write all Maps Management and Maps Styles Resources.
mapsadmin.*
resourcemanager.projects.get
resourcemanager.projects.list
Maps API Viewer
(roles/mapsadmin.viewer)
Read all Maps Management and Maps Styles Resources.
mapsadmin.clientMaps.get
mapsadmin.clientMaps.list
mapsadmin.clientStyleSheetSnapshots.list
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsadmin.styleEditorConfigs.get
mapsadmin.styleSnapshots.list
resourcemanager.projects.get
resourcemanager.projects.list
Memorystore Memcache roles
Permissions
Cloud Memorystore Memcached Admin
(roles/memcache.admin)
Full access to Memcached instances and related resources.
compute.networks.list
memcache.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Memorystore Memcached Editor
(roles/memcache.editor)
Read-Write access to Memcached instances and related resources.
memcache.instances.applyParameters
memcache.instances.get
memcache.instances.list
memcache.instances.update
memcache.instances.updateParameters
memcache.locations.*
memcache.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Memorystore Memcached Viewer
(roles/memcache.viewer)
Read-only access to Memcached instances and related resources.
memcache.instances.get
memcache.instances.list
memcache.locations.*
memcache.operations.get
memcache.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Memorystore Redis roles
Permissions
Cloud Memorystore Redis Admin
(roles/redis.admin)
Full control for all Memorystore for Redis resources.
compute.networks.list
networkconnectivity.serviceConnectionPolicies.list
redis.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Cloud Memorystore Redis Db Connection User
Beta
(roles/redis.dbConnectionUser)
Access to connect to the Redis Server db.
redis.clusters.connect
Cloud Memorystore Redis Editor
(roles/redis.editor)
Manage Memorystore for Redis instances. Can't create or delete instances.
compute.networks.list
redis.backupCollections.get
redis.backupCollections.list
redis.backups.get
redis.backups.list
redis.clusters.backup
redis.clusters.get
redis.clusters.list
redis.clusters.update
redis.instances.failover
redis.instances.get
redis.instances.list
redis.instances.update
redis.locations.*
redis.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Cloud Memorystore Redis Viewer
(roles/redis.viewer)
Read-only access to all Memorystore for Redis resources.
redis.backupCollections.get
redis.backupCollections.list
redis.backups.get
redis.backups.list
redis.clusters.get
redis.clusters.list
redis.instances.get
redis.instances.list
redis.instances.listEffectiveTags
redis.instances.listTagBindings
redis.locations.*
redis.operations.get
redis.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Mesh Management roles
Permissions
Mesh Config Admin
Beta
(roles/meshconfig.admin)
Full access to all mesh configuration resources
meshconfig.projects.init
Mesh Config Viewer
Beta
(roles/meshconfig.viewer)
Read access to mesh configuration
Migration Center roles
Permissions
Migration Center Admin
Beta
(roles/migrationcenter.admin)
Full access to all Migration Center resources.
migrationcenter.*
resourcemanager.projects.get
resourcemanager.projects.list
rma.*
serviceusage.quotas.get
Migration Center Discovery Client
Beta
(roles/migrationcenter.discoveryClient)
Migration Center Discover Client role
migrationcenter.assets.reportFrames
migrationcenter.discoveryClients.get
migrationcenter.discoveryClients.sendHeartbeat
Migration Center Discovery Client Registrator
Beta
(roles/migrationcenter.discoveryClientRegistrator)
Registrator of Migration Center Discover Clients
migrationcenter.discoveryClients.create
migrationcenter.discoveryClients.delete
migrationcenter.discoveryClients.update
migrationcenter.operations.get
migrationcenter.sources.create
migrationcenter.sources.delete
resourcemanager.projects.get
resourcemanager.projects.list
Migration Center Viewer
Beta
(roles/migrationcenter.viewer)
Read-only access to all Migration Center resources.
migrationcenter.assets.get
migrationcenter.assets.list
migrationcenter.discoveryClients.get
migrationcenter.discoveryClients.list
migrationcenter.errorFrames.*
migrationcenter.groups.get
migrationcenter.groups.list
migrationcenter.importDataFiles.get
migrationcenter.importDataFiles.list
migrationcenter.importJobs.get
migrationcenter.importJobs.list
migrationcenter.locations.*
migrationcenter.operations.get
migrationcenter.operations.list
migrationcenter.preferenceSets.get
migrationcenter.preferenceSets.list
migrationcenter.relations.*
migrationcenter.reportConfigs.get
migrationcenter.reportConfigs.list
migrationcenter.reports.get
migrationcenter.reports.list
migrationcenter.settings.get
migrationcenter.sources.get
migrationcenter.sources.list
resourcemanager.projects.get
resourcemanager.projects.list
rma.annotations.get
rma.collectors.get
rma.collectors.list
rma.locations.*
rma.operations.get
rma.operations.list
serviceusage.quotas.get
Monitoring roles
Permissions
Monitoring Admin
(roles/monitoring.admin)
Provides full access to Cloud Monitoring.
Lowest-level resources where you can grant this role:
cloudnotifications.activities.list
monitoring.*
opsconfigmonitoring.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
serviceusage.services.get
stackdriver.*
Monitoring AlertPolicy Editor
(roles/monitoring.alertPolicyEditor)
Read/write access to alerting policies.
monitoring.alertPolicies.*
Monitoring AlertPolicy Viewer
(roles/monitoring.alertPolicyViewer)
Read-only access to alerting policies.
monitoring.alertPolicies.get
monitoring.alertPolicies.list
Monitoring Cloud Console Incident Editor
Beta
(roles/monitoring.cloudConsoleIncidentEditor)
Read/write access to incidents from Cloud Console.
Monitoring Cloud Console Incident Viewer
Beta
(roles/monitoring.cloudConsoleIncidentViewer)
Read access to incidents from Cloud Console.
Monitoring Dashboard Configuration Editor
(roles/monitoring.dashboardEditor)
Read/write access to dashboard configurations.
monitoring.dashboards.*
Monitoring Dashboard Configuration Viewer
(roles/monitoring.dashboardViewer)
Read-only access to dashboard configurations.
monitoring.dashboards.get
monitoring.dashboards.list
Monitoring Editor
(roles/monitoring.editor)
Provides full access to information about all monitoring data and
configurations.
Lowest-level resources where you can grant this role:
cloudnotifications.activities.list
monitoring.alertPolicies.*
monitoring.dashboards.*
monitoring.groups.*
monitoring.metricDescriptors.*
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
monitoring.services.*
monitoring.slos.*
monitoring.snoozes.*
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.*
opsconfigmonitoring.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
serviceusage.services.get
stackdriver.*
Monitoring Metric Writer
(roles/monitoring.metricWriter)
Provides write-only access to metrics. This provides exactly the permissions
needed by the Cloud Monitoring agent and other systems that send metrics.
Lowest-level resources where you can grant this role:
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
Monitoring Metrics Scopes Admin
Beta
(roles/monitoring.metricsScopesAdmin)
Access to add and remove monitored projects from metrics scopes.
monitoring.metricsScopes.link
resourcemanager.projects.get
resourcemanager.projects.list
Monitoring Metrics Scopes Viewer
Beta
(roles/monitoring.metricsScopesViewer)
Read-only access to metrics scopes and their monitored projects.
resourcemanager.projects.get
resourcemanager.projects.list
Monitoring NotificationChannel Editor
Beta
(roles/monitoring.notificationChannelEditor)
Read/write access to notification channels.
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
Monitoring NotificationChannel Viewer
Beta
(roles/monitoring.notificationChannelViewer)
Read-only access to notification channels.
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
Monitoring Services Editor
(roles/monitoring.servicesEditor)
Read/write access to services.
monitoring.services.*
monitoring.slos.*
Monitoring Services Viewer
(roles/monitoring.servicesViewer)
Read-only access to services.
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
Monitoring Snooze Editor
(roles/monitoring.snoozeEditor)
monitoring.snoozes.*
Monitoring Snooze Viewer
(roles/monitoring.snoozeViewer)
monitoring.snoozes.get
monitoring.snoozes.list
Monitoring Uptime Check Configuration Editor
Beta
(roles/monitoring.uptimeCheckConfigEditor)
Read/write access to uptime check configurations.
monitoring.uptimeCheckConfigs.*
Monitoring Uptime Check Configuration Viewer
Beta
(roles/monitoring.uptimeCheckConfigViewer)
Read-only access to uptime check configurations.
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
Monitoring Viewer
(roles/monitoring.viewer)
Provides read-only access to get and list information about all monitoring
data and configurations.
Lowest-level resources where you can grant this role:
cloudnotifications.activities.list
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
opsconfigmonitoring.resourceMetadata.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
stackdriver.resourceMetadata.list
Network Connectivity roles
Permissions
Service Automation Consumer Network Admin
(roles/networkconnectivity.consumerNetworkAdmin)
Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.
networkconnectivity.serviceConnectionPolicies.*
resourcemanager.projects.get
resourcemanager.projects.list
Group User
(roles/networkconnectivity.groupUser)
Enables use access on group resources
networkconnectivity.groups.use
Hub & Spoke Admin
(roles/networkconnectivity.hubAdmin)
Enables full access to hub and spoke resources.
Lowest-level resources where you can grant this role:
networkconnectivity.groups.*
networkconnectivity.hubRouteTables.*
networkconnectivity.hubRoutes.*
networkconnectivity.hubs.*
networkconnectivity.locations.*
networkconnectivity.operations.*
networkconnectivity.spokes.*
resourcemanager.projects.get
resourcemanager.projects.list
Hub & Spoke Viewer
(roles/networkconnectivity.hubViewer)
Enables read-only access to hub and spoke resources.
Lowest-level resources where you can grant this role:
networkconnectivity.groups.get
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.hubRouteTables.get
networkconnectivity.hubRouteTables.getIamPolicy
networkconnectivity.hubRouteTables.list
networkconnectivity.hubRoutes.get
networkconnectivity.hubRoutes.getIamPolicy
networkconnectivity.hubRoutes.list
networkconnectivity.hubs.get
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.hubs.listSpokes
networkconnectivity.hubs.queryStatus
networkconnectivity.locations.*
networkconnectivity.spokes.get
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
resourcemanager.projects.get
resourcemanager.projects.list
Regional Endpoint Admin
(roles/networkconnectivity.regionalEndpointAdmin)
Full access to all Regional Endpoint resources.
networkconnectivity.regionalEndpoints.*
resourcemanager.projects.get
resourcemanager.projects.list
Regional Endpoint Viewer
(roles/networkconnectivity.regionalEndpointViewer)
Read-only access to all Regional Endpoint resources.
networkconnectivity.regionalEndpoints.get
networkconnectivity.regionalEndpoints.list
resourcemanager.projects.get
resourcemanager.projects.list
Service Class User
(roles/networkconnectivity.serviceClassUser)
Service Class User uses a ServiceClass
networkconnectivity.serviceClasses.get
networkconnectivity.serviceClasses.list
networkconnectivity.serviceClasses.use
resourcemanager.projects.get
resourcemanager.projects.list
Service Automation Service Producer Admin
(roles/networkconnectivity.serviceProducerAdmin)
Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps
networkconnectivity.operations.get
networkconnectivity.operations.list
networkconnectivity.serviceClasses.*
networkconnectivity.serviceConnectionMaps.*
resourcemanager.projects.get
resourcemanager.projects.list
Spoke Admin
(roles/networkconnectivity.spokeAdmin)
Enables full access to spoke resources and read-only access to hub resources.
Lowest-level resources where you can grant this role:
networkconnectivity.hubRouteTables.get
networkconnectivity.hubRouteTables.getIamPolicy
networkconnectivity.hubRouteTables.list
networkconnectivity.hubRoutes.get
networkconnectivity.hubRoutes.getIamPolicy
networkconnectivity.hubRoutes.list
networkconnectivity.hubs.get
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.locations.*
networkconnectivity.operations.get
networkconnectivity.operations.list
networkconnectivity.spokes.*
resourcemanager.projects.get
resourcemanager.projects.list
Network Management roles
Permissions
Network Management Admin
(roles/networkmanagement.admin)
Full access to Network Management resources.
Lowest-level resources where you can grant this role:
networkmanagement.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Network Management Viewer
(roles/networkmanagement.viewer)
Read-only access to Network Management resources.
Lowest-level resources where you can grant this role:
networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.getIamPolicy
networkmanagement.connectivitytests.list
networkmanagement.locations.*
networkmanagement.operations.get
networkmanagement.operations.list
networkmanagement.vpcflowlogsconfigs.get
networkmanagement.vpcflowlogsconfigs.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Network Security roles
Permissions
Intercept Deployment Admin
Beta
(roles/networksecurity.interceptDeploymentAdmin)
Enables full access to intercept resources on the Producer's side.
networksecurity.interceptDeploymentGroups.*
networksecurity.interceptDeployments.*
resourcemanager.projects.get
resourcemanager.projects.list
Intercept Deployment User
Beta
(roles/networksecurity.interceptDeploymentUser)
Allows a consumer to connect their interceptEndpointGroup to the Producer's interceptDeploymentGroup.
networksecurity.interceptDeploymentGroups.get
networksecurity.interceptDeploymentGroups.list
networksecurity.interceptDeploymentGroups.use
Intercept Deployment Viewer
Beta
(roles/networksecurity.interceptDeploymentViewer)
Enables read-only access to intercept resources on the Producer's side.
networksecurity.interceptDeploymentGroups.get
networksecurity.interceptDeploymentGroups.list
networksecurity.interceptDeployments.get
networksecurity.interceptDeployments.list
resourcemanager.projects.get
resourcemanager.projects.list
Intercept Endpoint Admin
Beta
(roles/networksecurity.interceptEndpointAdmin)
Enables full access to intercept resources on the consumer's side.
networksecurity.interceptEndpointGroupAssociations.*
networksecurity.interceptEndpointGroups.*
resourcemanager.projects.get
resourcemanager.projects.list
Intercept Endpoint User
Beta
(roles/networksecurity.interceptEndpointUser)
Allows a consumer to connect their networks to an interceptEndpointGroup.
networksecurity.interceptEndpointGroups.get
networksecurity.interceptEndpointGroups.list
networksecurity.interceptEndpointGroups.use
Intercept Endpoint Viewer
Beta
(roles/networksecurity.interceptEndpointViewer)
Enables read-only access to intercept resources on the Consumer's side.
networksecurity.interceptEndpointGroupAssociations.get
networksecurity.interceptEndpointGroupAssociations.list
networksecurity.interceptEndpointGroups.get
networksecurity.interceptEndpointGroups.list
resourcemanager.projects.get
resourcemanager.projects.list
Mirroring Deployment Admin
Beta
(roles/networksecurity.mirroringDeploymentAdmin)
Enables full access to mirroring resources on the Producer's side.
networksecurity.mirroringDeploymentGroups.*
networksecurity.mirroringDeployments.*
resourcemanager.projects.get
resourcemanager.projects.list
Mirroring Deployment User
Beta
(roles/networksecurity.mirroringDeploymentUser)
Allows a consumer to connect their mirroringEndpointGroup to the Producer's mirroringDeploymentGroup.
networksecurity.mirroringDeploymentGroups.get
networksecurity.mirroringDeploymentGroups.list
networksecurity.mirroringDeploymentGroups.use
Mirroring Deployment Viewer
Beta
(roles/networksecurity.mirroringDeploymentViewer)
Enables read-only access to mirroring resources on the Producer's side.
networksecurity.mirroringDeploymentGroups.get
networksecurity.mirroringDeploymentGroups.list
networksecurity.mirroringDeployments.get
networksecurity.mirroringDeployments.list
resourcemanager.projects.get
resourcemanager.projects.list
Mirroring Endpoint Admin
Beta
(roles/networksecurity.mirroringEndpointAdmin)
Enables full access to mirroring resources on the consumer's side.
networksecurity.mirroringEndpointGroupAssociations.*
networksecurity.mirroringEndpointGroups.*
resourcemanager.projects.get
resourcemanager.projects.list
Mirroring Endpoint User
Beta
(roles/networksecurity.mirroringEndpointUser)
Allows a consumer to connect their networks to a mirroringEndpointGroup.
networksecurity.mirroringEndpointGroups.get
networksecurity.mirroringEndpointGroups.list
networksecurity.mirroringEndpointGroups.use
Mirroring Endpoint Viewer
Beta
(roles/networksecurity.mirroringEndpointViewer)
Enables read-only access to mirroring resources on the Consumer's side.
networksecurity.mirroringEndpointGroupAssociations.get
networksecurity.mirroringEndpointGroupAssociations.list
networksecurity.mirroringEndpointGroups.get
networksecurity.mirroringEndpointGroups.list
resourcemanager.projects.get
resourcemanager.projects.list
Network Services roles
Permissions
Service Extensions Admin
Beta
(roles/networkservices.serviceExtensionsAdmin)
Provides full access to Service Extensions resources.
networkservices.authzExtensions.*
networkservices.lbRouteExtensions.*
networkservices.lbTrafficExtensions.*
networkservices.wasmPlugins.*
resourcemanager.projects.get
resourcemanager.projects.list
Service Extensions Viewer
Beta
(roles/networkservices.serviceExtensionsViewer)
Provides read-only access to Service Extensions resources.
networkservices.authzExtensions.get
networkservices.authzExtensions.list
networkservices.lbRouteExtensions.get
networkservices.lbRouteExtensions.list
networkservices.lbTrafficExtensions.get
networkservices.lbTrafficExtensions.list
networkservices.wasmPlugins.get
networkservices.wasmPlugins.list
resourcemanager.projects.get
resourcemanager.projects.list
Observability roles
Permissions
Observability Admin
Beta
(roles/observability.admin)
Full access to Observability resources.
observability.*
Observability Analytics User
Beta
(roles/observability.analyticsUser)
Grants permissions to use Cloud Observability Analytics.
observability.analyticsViews.*
observability.scopes.get
Observability Editor
Beta
(roles/observability.editor)
Edit access to Observability resources.
observability.*
Observability Viewer
Beta
(roles/observability.viewer)
Read-only access to Observability resources.
observability.analyticsViews.get
observability.analyticsViews.list
observability.scopes.get
On-Demand Scanning roles
Permissions
On-Demand Scanning Admin
Beta
(roles/ondemandscanning.admin)
All permissions for On-Demand Scanning
ondemandscanning.*
Ops Config Monitoring roles
Permissions
(roles/opsconfigmonitoring.resourceMetadata.viewer)
Read-only access to resource metadata.
opsconfigmonitoring.resourceMetadata.list
(roles/opsconfigmonitoring.resourceMetadata.writer)
Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.
opsconfigmonitoring.resourceMetadata.write
Organization Policy roles
Permissions
Access Transparency Admin
(roles/axt.admin)
Enable Access Transparency for Organization
Lowest-level resources where you can grant this role:
axt.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Organization Policy Administrator
(roles/orgpolicy.policyAdmin)
Provides access to define what restrictions an organization wants to place
on the configuration of cloud resources by setting Organization Policies.
Lowest-level resources where you can grant this role:
orgpolicy.*
policysimulator.orgPolicyViolations.list
policysimulator.orgPolicyViolationsPreviews.*
recommender.orgPolicyInsights.*
recommender.orgPolicyRecommendations.*
Organization Policy Viewer
(roles/orgpolicy.policyViewer)
Provides access to view Organization Policies on resources.
Lowest-level resources where you can grant this role:
orgpolicy.constraints.list
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.policies.list
orgpolicy.policy.get
Other roles
Permissions
Advisory Notifications Admin
(roles/advisorynotifications.admin)
Grants write access to settings in Advisory Notifications
advisorynotifications.*
resourcemanager.organizations.get
resourcemanager.projects.get
Advisory Notifications Viewer
(roles/advisorynotifications.viewer)
Grants view access in Advisory Notifications
advisorynotifications.notifications.*
advisorynotifications.settings.get
resourcemanager.organizations.get
resourcemanager.projects.get
Cloud API Hub Admin
Beta
(roles/apihub.admin)
Full access to all API hub resources.
apihub.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud API hub Attributes Admin
Beta
(roles/apihub.attributeAdmin)
Full access to all Cloud API hub attribute's resources.
apihub.attributes.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud API Hub Editor
Beta
(roles/apihub.editor)
Edit access to most of Cloud API Hub resources.
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.*
apihub.apis.*
apihub.attributes.get
apihub.attributes.list
apihub.definitions.*
apihub.dependencies.*
apihub.deployments.*
apihub.externalApis.*
apihub.hostProjectRegistrations.get
apihub.hostProjectRegistrations.list
apihub.llmEnablements.*
apihub.locations.searchResources
apihub.operations.get
apihub.operations.list
apihub.plugins.get
apihub.plugins.list
apihub.runTimeProjectAttachments.get
apihub.runTimeProjectAttachments.list
apihub.specs.*
apihub.styleGuides.get
apihub.versions.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud API hub Plugins Admin
Beta
(roles/apihub.pluginAdmin)
Full access to all Cloud API hub plugin's resources.
apihub.plugins.*
apihub.specs.lint
apihub.styleGuides.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud API hub Provisioning Admin
Beta
(roles/apihub.provisioningAdmin)
Full access to Cloud API hub provisioning related resources.
apihub.apiHubInstances.*
apihub.hostProjectRegistrations.*
apihub.operations.*
apihub.runTimeProjectAttachments.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud API hub Viewer
Beta
(roles/apihub.viewer)
View access to all Cloud API hub resources.
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.get
apihub.apiOperations.list
apihub.apis.get
apihub.apis.list
apihub.attributes.get
apihub.attributes.list
apihub.definitions.get
apihub.definitions.list
apihub.dependencies.get
apihub.dependencies.list
apihub.deployments.get
apihub.deployments.list
apihub.externalApis.get
apihub.externalApis.list
apihub.hostProjectRegistrations.get
apihub.hostProjectRegistrations.list
apihub.llmEnablements.get
apihub.llmEnablements.list
apihub.locations.searchResources
apihub.operations.get
apihub.operations.list
apihub.plugins.get
apihub.plugins.list
apihub.runTimeProjectAttachments.get
apihub.runTimeProjectAttachments.list
apihub.specs.get
apihub.specs.list
apihub.styleGuides.get
apihub.versions.get
apihub.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
API Management Admin
Beta
(roles/apim.admin)
Full access to API Management resources.
apim.*
resourcemanager.projects.get
resourcemanager.projects.list
API Management Viewer
Beta
(roles/apim.viewer)
Read-only access to API Management resources.
apim.apiObservations.get
apim.apiObservations.list
apim.apiOperations.*
apim.locations.*
apim.observationJobs.get
apim.observationJobs.list
apim.observationSources.get
apim.observationSources.list
apim.operations.get
apim.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
App Hub Admin
(roles/apphub.admin)
Full access to App Hub resources.
apphub.*
resourcemanager.projects.get
resourcemanager.projects.list
App Hub Editor
(roles/apphub.editor)
Edit access to App Hub resources.
apphub.applications.create
apphub.applications.delete
apphub.applications.get
apphub.applications.list
apphub.applications.update
apphub.discoveredServices.*
apphub.discoveredWorkloads.*
apphub.locations.*
apphub.operations.*
apphub.serviceProjectAttachments.lookup
apphub.services.*
apphub.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
App Hub Viewer
(roles/apphub.viewer)
View access to App Hub resources.
apphub.applications.get
apphub.applications.list
apphub.discoveredServices.get
apphub.discoveredServices.list
apphub.discoveredWorkloads.get
apphub.discoveredWorkloads.list
apphub.locations.*
apphub.operations.get
apphub.operations.list
apphub.serviceProjectAttachments.lookup
apphub.services.get
apphub.services.list
apphub.workloads.get
apphub.workloads.list
resourcemanager.projects.get
resourcemanager.projects.list
Appliance troubleshooting commands approver
Beta
(roles/applianceactivation.approver)
Grants access to approve commands to run on appliances
applianceactivation.rttCommands.approve
applianceactivation.rttCommands.get
resourcemanager.projects.get
resourcemanager.projects.list
On-appliance troubleshooting client
Beta
(roles/applianceactivation.client)
Grants access to read commands for an appliance and send its result.
applianceactivation.rttCommands.get
applianceactivation.rttCommands.sendResult
Appliance troubleshooter
Beta
(roles/applianceactivation.troubleshooter)
Grants access to send new commands to run on appliances and view the outputs
applianceactivation.rttCommands.create
applianceactivation.rttCommands.get
applianceactivation.rttCommands.list
resourcemanager.projects.get
resourcemanager.projects.list
Assured OSS Admin
(roles/assuredoss.admin)
Access to use Assured OSS and manage configuration.
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.create
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.*
iam.serviceAccountKeys.create
iam.serviceAccounts.create
iam.serviceAccounts.get
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.create
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.get
pubsub.topics.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Assured OSS Project Admin
Beta
(roles/assuredoss.projectAdmin)
Access to use Assured OSS and manage configuration.
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.create
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.*
iam.serviceAccounts.create
iam.serviceAccounts.get
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Assured OSS Reader
(roles/assuredoss.reader)
Access to use Assured OSS and view Assured OSS configuration.
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.metadata.*
assuredoss.operations.get
assuredoss.operations.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Assured OSS User
(roles/assuredoss.user)
Access to use Assured OSS.
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.locations.*
assuredoss.metadata.*
assuredoss.operations.get
assuredoss.operations.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Audit Manager Admin
Beta
(roles/auditmanager.admin)
Full access to Audit Manager resources.
auditmanager.auditReports.*
auditmanager.auditScopeReports.generate
auditmanager.billingSettings.get
auditmanager.controlReports.*
auditmanager.controls.list
auditmanager.findings.*
auditmanager.locations.*
auditmanager.operations.*
auditmanager.resourceEnrollmentStatuses.*
cloudasset.assets.searchAllResources
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Audit Manager Auditor
Beta
(roles/auditmanager.auditor)
Allows creating and viewing an audit report.
auditmanager.auditReports.*
auditmanager.auditScopeReports.generate
auditmanager.billingSettings.get
auditmanager.controlReports.*
auditmanager.controls.list
auditmanager.findings.*
auditmanager.locations.get
auditmanager.locations.list
auditmanager.operations.*
auditmanager.resourceEnrollmentStatuses.*
cloudasset.assets.searchAllResources
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Custom Compliance Framework Admin
Beta
(roles/auditmanager.ccfAdmin)
Full access to Custom Compliance Framework resources.
auditmanager.billingSettings.get
auditmanager.customComplianceFrameworks.*
auditmanager.locations.get
auditmanager.locations.list
auditmanager.operations.*
resourcemanager.organizations.get
Custom Compliance Framework Viewer
Beta
(roles/auditmanager.ccfViewer)
Allows viewing Custom Compliance Framework resources.
auditmanager.billingSettings.get
auditmanager.customComplianceFrameworks.get
auditmanager.customComplianceFrameworks.list
auditmanager.locations.get
auditmanager.locations.list
auditmanager.operations.*
resourcemanager.organizations.get
Autoscaling Metrics Writer
Beta
(roles/autoscaling.metricsWriter)
Access to write metrics for autoscaling site
autoscaling.sites.writeMetrics
Autoscaling Recommendations Reader
Beta
(roles/autoscaling.recommendationsReader)
Access to read recommendations from autoscaling site
autoscaling.sites.readRecommendations
Autoscaling Site Admin
Beta
(roles/autoscaling.sitesAdmin)
Full access to all autoscaling site features
autoscaling.*
resourcemanager.projects.get
resourcemanager.projects.list
Autoscaling State Writer
Beta
(roles/autoscaling.stateWriter)
Access to write state for autoscaling site
autoscaling.sites.writeState
Batch Administrator
(roles/batch.admin)
Administrator of Batch resources
batch.jobs.*
batch.locations.*
batch.operations.*
batch.resourceAllowances.*
batch.tasks.*
resourcemanager.projects.get
resourcemanager.projects.list
Batch Agent Reporter
(roles/batch.agentReporter)
Reporter of Batch agent states.
batch.states.report
Batch Job Editor
(roles/batch.jobsEditor)
Editor of Batch Jobs
batch.jobs.*
batch.locations.*
batch.operations.*
batch.tasks.*
resourcemanager.projects.get
resourcemanager.projects.list
Batch Job Viewer
(roles/batch.jobsViewer)
Viewer of Batch Jobs, Task Groups and Tasks
batch.jobs.get
batch.jobs.list
batch.locations.*
batch.operations.*
batch.tasks.*
resourcemanager.projects.get
resourcemanager.projects.list
Batch ResourceAllowance Editor
(roles/batch.resourceAllowancesEditor)
Editor of Batch ResourceAllowances
batch.locations.*
batch.operations.*
batch.resourceAllowances.*
resourcemanager.projects.get
resourcemanager.projects.list
Batch ResourceAllowance Viewer
(roles/batch.resourceAllowancesViewer)
Viewer of Batch ResourceAllowances
batch.locations.*
batch.operations.*
batch.resourceAllowances.get
batch.resourceAllowances.list
resourcemanager.projects.get
resourcemanager.projects.list
BigLake Admin
(roles/biglake.admin)
Provides full access to all BigLake resources.
biglake.*
resourcemanager.projects.get
resourcemanager.projects.list
BigLake Viewer
(roles/biglake.viewer)
Provides read-only access to all BigLake resources.
biglake.catalogs.get
biglake.catalogs.list
biglake.databases.get
biglake.databases.list
biglake.locks.list
biglake.tables.get
biglake.tables.list
resourcemanager.projects.get
resourcemanager.projects.list
MigrationWorkflow Editor
(roles/bigquerymigration.editor)
Editor of EDW migration workflows.
bigquerymigration.subtasks.*
bigquerymigration.workflows.create
bigquerymigration.workflows.delete
bigquerymigration.workflows.enableAiOutputTypes
bigquerymigration.workflows.enableLineageOutputTypes
bigquerymigration.workflows.enableOutputTypePermissions
bigquerymigration.workflows.get
bigquerymigration.workflows.list
bigquerymigration.workflows.update
Task Orchestrator
(roles/bigquerymigration.orchestrator)
Orchestrator of EDW migration tasks.
bigquerymigration.workflows.orchestrateTask
storage.objects.list
Migration Translation User
(roles/bigquerymigration.translationUser)
User of EDW migration interactive SQL translation service.
bigquerymigration.translation.translate
MigrationWorkflow Viewer
(roles/bigquerymigration.viewer)
Viewer of EDW migration MigrationWorkflow.
bigquerymigration.subtasks.*
bigquerymigration.workflows.get
bigquerymigration.workflows.list
Task Worker
(roles/bigquerymigration.worker)
Worker that executes EDW migration subtasks.
storage.objects.create
storage.objects.get
storage.objects.list
Carbon Footprint Viewer
(roles/billing.carbonViewer)
billing.accounts.get
billing.accounts.getCarbonInformation
billing.accounts.list
Blockchain Node Engine Admin
(roles/blockchainnodeengine.admin)
Full access to Blockchain Node Engine resources.
blockchainnodeengine.*
resourcemanager.projects.get
resourcemanager.projects.list
Blockchain Node Engine Viewer
(roles/blockchainnodeengine.viewer)
Read-only access to Blockchain Node Engine resources.
blockchainnodeengine.blockchainNodes.get
blockchainnodeengine.blockchainNodes.list
blockchainnodeengine.locations.*
blockchainnodeengine.operations.get
blockchainnodeengine.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Blockchain Validator Manager Admin
Beta
(roles/blockchainvalidatormanager.admin)
Full access to Blockchain Validator Manager resources.
blockchainvalidatormanager.*
resourcemanager.projects.get
resourcemanager.projects.list
Blockchain Validator Viewer
Beta
(roles/blockchainvalidatormanager.viewer)
Readonly access to Blockchain Validator Manager resources.
blockchainvalidatormanager.blockchainValidatorConfigs.get
blockchainvalidatormanager.blockchainValidatorConfigs.list
blockchainvalidatormanager.locations.*
blockchainvalidatormanager.operations.get
blockchainvalidatormanager.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Capacity Planner Usage Viewer
Beta
(roles/capacityplanner.viewer)
Read-only access to Capacity Planner usage resources
capacityplanner.*
cloudquotas.quotas.get
compute.futureReservations.get
compute.futureReservations.list
compute.reservations.get
compute.reservations.list
monitoring.timeSeries.list
resourcemanager.folders.get
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
Care Studio Patients Viewer
(roles/carestudio.viewer)
This role can view all properties of Patients.
carestudio.*
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle Service Admin
(roles/chroniclesm.admin)
Admins can view and modify Chronicle service details.
chroniclesm.*
Chronicle Service Viewer
(roles/chroniclesm.viewer)
Viewers can see Chronicle service details but not change them.
chroniclesm.gcpAssociations.get
chroniclesm.gcpAssociations.list
chroniclesm.gcpLogFlowFilters.get
chroniclesm.gcpSettings.get
Location reader
Beta
(roles/cloud.locationReader)
Read and enumerate locations available for resource creation.
cloud.*
Code Repository Indexes Admin
Beta
(roles/cloudaicompanion.codeRepositoryIndexesAdmin)
Grants full access to Code Repository Indexes resources.
cloudaicompanion.codeRepositoryIndexes.*
cloudaicompanion.operations.*
cloudaicompanion.repositoryGroups.create
cloudaicompanion.repositoryGroups.delete
cloudaicompanion.repositoryGroups.get
cloudaicompanion.repositoryGroups.getIamPolicy
cloudaicompanion.repositoryGroups.list
cloudaicompanion.repositoryGroups.setIamPolicy
cloudaicompanion.repositoryGroups.update
resourcemanager.projects.get
resourcemanager.projects.list
Code Repository Indexes Viewer
Beta
(roles/cloudaicompanion.codeRepositoryIndexesViewer)
Grants readonly access to Code Repository Indexes resources.
cloudaicompanion.codeRepositoryIndexes.get
cloudaicompanion.codeRepositoryIndexes.list
cloudaicompanion.operations.get
cloudaicompanion.operations.list
cloudaicompanion.repositoryGroups.get
cloudaicompanion.repositoryGroups.getIamPolicy
cloudaicompanion.repositoryGroups.list
resourcemanager.projects.get
resourcemanager.projects.list
Repository Groups User
Beta
(roles/cloudaicompanion.repositoryGroupsUser)
Grants Read/Use access to the Code Repository Indexes Repository Group.
cloudaicompanion.codeRepositoryIndexes.get
cloudaicompanion.repositoryGroups.get
cloudaicompanion.repositoryGroups.getIamPolicy
cloudaicompanion.repositoryGroups.use
Gemini for Google Cloud User
Beta
(roles/cloudaicompanion.user)
A user who can use Gemini for Google Cloud
cloudaicompanion.companions.*
cloudaicompanion.entitlements.get
cloudaicompanion.instances.*
cloudaicompanion.licenses.selfAssign
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Controls Partner Admin
(roles/cloudcontrolspartner.admin)
Full access to Cloud Controls Partner resources.
cloudcontrolspartner.accessapprovalrequests.list
cloudcontrolspartner.customers.*
cloudcontrolspartner.ekmconnections.get
cloudcontrolspartner.inspectabilityevents.get
cloudcontrolspartner.partnerpermissions.get
cloudcontrolspartner.partners.get
cloudcontrolspartner.platformcontrols.get
cloudcontrolspartner.violations.list
cloudcontrolspartner.workloads.list
Cloud Controls Partner Editor
(roles/cloudcontrolspartner.editor)
Editor access to Cloud Controls Partner resources.
cloudcontrolspartner.*
Cloud Controls Partner Inspectability Reader
(roles/cloudcontrolspartner.inspectabilityReader)
Readonly access to Cloud Controls Partner inspectability resources.
cloudcontrolspartner.customers.get
cloudcontrolspartner.customers.list
cloudcontrolspartner.inspectabilityevents.get
cloudcontrolspartner.platformcontrols.get
Cloud Controls Partner Monitoring Reader
(roles/cloudcontrolspartner.monitoringReader)
Read-only access to Cloud Controls Partner monitoring resources.
cloudcontrolspartner.customers.get
cloudcontrolspartner.customers.list
cloudcontrolspartner.violations.*
cloudcontrolspartner.workloads.*
Cloud Controls Partner Reader
(roles/cloudcontrolspartner.reader)
Read-only access to Cloud Controls Partner resources.
cloudcontrolspartner.accessapprovalrequests.list
cloudcontrolspartner.customers.get
cloudcontrolspartner.customers.list
cloudcontrolspartner.ekmconnections.get
cloudcontrolspartner.inspectabilityevents.get
cloudcontrolspartner.partnerpermissions.get
cloudcontrolspartner.partners.get
cloudcontrolspartner.platformcontrols.get
cloudcontrolspartner.violations.*
cloudcontrolspartner.workloads.*
Cloud Optimization AI Admin
(roles/cloudoptimization.admin)
Administrator of Cloud Optimization AI resources
cloudoptimization.*
Cloud Optimization AI Editor
(roles/cloudoptimization.editor)
Editor of Cloud Optimization AI resources
cloudoptimization.*
Cloud Optimization AI Viewer
(roles/cloudoptimization.viewer)
Viewer of Cloud Optimization AI resources
cloudoptimization.operations.get
Cloud Quotas Admin
Beta
(roles/cloudquotas.admin)
Full access to Cloud Quotas resources.
cloudquotas.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Quotas Viewer
Beta
(roles/cloudquotas.viewer)
Readonly access to Cloud Quotas resources.
cloudquotas.quotas.get
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Agreement Publishing Admin
Beta
(roles/commerceagreementpublishing.admin)
Admin of Commerce Agreement Publishing service
commerceagreementpublishing.*
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Agreement Publishing Viewer
Beta
(roles/commerceagreementpublishing.viewer)
Viewer of Commerce Agreement Publishing service
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
resourcemanager.projects.get
resourcemanager.projects.list
Confidential Space Workload User
(roles/confidentialcomputing.workloadUser)
Grants the ability to generate an attestation token and run a workload in a VM. Intended for service accounts that run on Confidential Space VMs.
confidentialcomputing.*
logging.logEntries.create
ConfigDelivery Admin
Beta
(roles/configdelivery.configDeliveryAdmin)
Grants full access to all Config Delivery resources. Lets users create, remove and manage fleet packages and resource bundles.
configdelivery.*
resourcemanager.projects.get
resourcemanager.projects.list
ConfigDelivery Viewer
Beta
(roles/configdelivery.configDeliveryViewer)
Grants read access to all Config Delivery resources. Lets users view existing fleet packages and resource bundles, but they will not be able to make any changes.
configdelivery.fleetPackages.get
configdelivery.fleetPackages.list
configdelivery.locations.*
configdelivery.operations.get
configdelivery.operations.list
configdelivery.releases.get
configdelivery.releases.list
configdelivery.resourceBundles.get
configdelivery.resourceBundles.list
configdelivery.rollouts.get
configdelivery.rollouts.list
resourcemanager.projects.get
resourcemanager.projects.list
Config Delivery Resource Bundle Publisher
Beta
(roles/configdelivery.resourceBundlePublisher)
Grants read and write permissions to Config Delivery ResourceBundles and Releases.
configdelivery.locations.*
configdelivery.operations.get
configdelivery.operations.list
configdelivery.releases.create
configdelivery.releases.get
configdelivery.releases.list
configdelivery.releases.update
configdelivery.resourceBundles.create
configdelivery.resourceBundles.get
configdelivery.resourceBundles.list
configdelivery.resourceBundles.update
resourcemanager.projects.get
resourcemanager.projects.list
(roles/contactcenteraiplatform.admin)
Full access to Contact Center AI Platform resources.
contactcenteraiplatform.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/contactcenteraiplatform.viewer)
Read-only access to Contact Center AI Platform resources.
contactcenteraiplatform.contactCenters.get
contactcenteraiplatform.contactCenters.list
contactcenteraiplatform.locations.*
contactcenteraiplatform.operations.get
contactcenteraiplatform.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/contactcenterinsights.editor)
Grants read and write access to all Contact Center AI Insights resources.
contactcenterinsights.*
(roles/contactcenterinsights.viewer)
Grants read access to all Contact Center AI Insights resources.
contactcenterinsights.analyses.get
contactcenterinsights.analyses.list
contactcenterinsights.analysisRules.get
contactcenterinsights.analysisRules.list
contactcenterinsights.conversations.get
contactcenterinsights.conversations.list
contactcenterinsights.faqEntries.get
contactcenterinsights.faqEntries.list
contactcenterinsights.faqModels.get
contactcenterinsights.faqModels.list
contactcenterinsights.feedbackLabels.download
contactcenterinsights.feedbackLabels.get
contactcenterinsights.feedbackLabels.list
contactcenterinsights.issueModels.get
contactcenterinsights.issueModels.list
contactcenterinsights.issues.get
contactcenterinsights.issues.list
contactcenterinsights.operations.get
contactcenterinsights.operations.list
contactcenterinsights.phraseMatchers.get
contactcenterinsights.phraseMatchers.list
contactcenterinsights.qaQuestions.get
contactcenterinsights.qaQuestions.list
contactcenterinsights.qaScorecardRevisions.get
contactcenterinsights.qaScorecardRevisions.list
contactcenterinsights.qaScorecards.get
contactcenterinsights.qaScorecards.list
contactcenterinsights.settings.get
contactcenterinsights.views.get
contactcenterinsights.views.list
GKE Security Posture Viewer
Beta
(roles/containersecurity.viewer)
Read-only access to GKE Security Posture resources.
container.clusters.list
containersecurity.*
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Admin
(roles/contentwarehouse.admin)
Grants full access to all the resources in Content Warehouse
contentwarehouse.corpora.*
contentwarehouse.dataExportJobs.*
contentwarehouse.documentSchemas.*
contentwarehouse.documents.*
contentwarehouse.locations.*
contentwarehouse.operations.get
contentwarehouse.rawDocuments.*
contentwarehouse.ruleSets.*
contentwarehouse.synonymSets.*
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Document Admin
(roles/contentwarehouse.documentAdmin)
Grants full access to the document resource in Content Warehouse
contentwarehouse.documentSchemas.get
contentwarehouse.documents.create
contentwarehouse.documents.delete
contentwarehouse.documents.get
contentwarehouse.documents.getIamPolicy
contentwarehouse.documents.setIamPolicy
contentwarehouse.documents.update
contentwarehouse.links.*
contentwarehouse.locations.getStatus
contentwarehouse.rawDocuments.*
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse document creator
(roles/contentwarehouse.documentCreator)
Grants access to create document in Content Warehouse
contentwarehouse.documentSchemas.get
contentwarehouse.documentSchemas.list
contentwarehouse.documents.create
contentwarehouse.locations.getStatus
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Document Editor
(roles/contentwarehouse.documentEditor)
Grants access to update document resource in Content Warehouse
contentwarehouse.documentSchemas.get
contentwarehouse.documents.get
contentwarehouse.documents.getIamPolicy
contentwarehouse.documents.update
contentwarehouse.links.*
contentwarehouse.locations.getStatus
contentwarehouse.rawDocuments.*
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse document schema viewer
(roles/contentwarehouse.documentSchemaViewer)
Grants access to view the document schemas in Content Warehouse
contentwarehouse.documentSchemas.get
contentwarehouse.documentSchemas.list
contentwarehouse.locations.getStatus
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Viewer
(roles/contentwarehouse.documentViewer)
Grants access to view all the resources in Content Warehouse
contentwarehouse.documentSchemas.get
contentwarehouse.documents.get
contentwarehouse.documents.getIamPolicy
contentwarehouse.links.get
contentwarehouse.locations.getStatus
contentwarehouse.rawDocuments.download
resourcemanager.projects.get
resourcemanager.projects.list
Database center viewer
Beta
(roles/databasecenter.viewer)
Viewer role for Database Center resource data
cloudaicompanion.entitlements.get
databasecenter.*
resourcemanager.projects.get
resourcemanager.projects.list
Events Service viewer
Beta
(roles/databaseinsights.eventsViewer)
Viewer role for Events Service data
databaseinsights.aggregatedEvents.query
databaseinsights.clusterEvents.query
databaseinsights.instanceEvents.query
Database Insights monitoring viewer
Beta
(roles/databaseinsights.monitoringViewer)
Viewer role for Database Insights monitoring data
databaseinsights.activeQueries.fetch
databaseinsights.activitySummary.fetch
databaseinsights.aggregatedStats.query
databaseinsights.locations.*
databaseinsights.timeSeries.query
databaseinsights.workloadRecommendations.fetch
resourcemanager.projects.get
resourcemanager.projects.list
Database Insights performing operations
Beta
(roles/databaseinsights.operationsAdmin)
Admin role for performing Database Insights operations
databaseinsights.activeQuery.terminate
Database Insights recommendation viewer
Beta
(roles/databaseinsights.recommendationViewer)
Viewer role for Database Insights recommendation data
databaseinsights.locations.*
databaseinsights.recommendations.query
databaseinsights.resourceRecommendations.query
databaseinsights.workloadRecommendations.fetch
resourcemanager.projects.get
resourcemanager.projects.list
Database Insights viewer
Beta
(roles/databaseinsights.viewer)
Viewer role for Database Insights data
databaseinsights.activeQueries.fetch
databaseinsights.activitySummary.fetch
databaseinsights.aggregatedStats.query
databaseinsights.locations.*
databaseinsights.recommendations.query
databaseinsights.resourceRecommendations.query
databaseinsights.timeSeries.query
databaseinsights.workloadRecommendations.fetch
resourcemanager.projects.get
resourcemanager.projects.list
Data Lineage Administrator
(roles/datalineage.admin)
Grants full access to all resources in Data Lineage API
datalineage.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Lineage Editor
(roles/datalineage.editor)
Grants edit access to all resources in Data Lineage API
datalineage.events.*
datalineage.locations.searchLinks
datalineage.operations.get
datalineage.processes.create
datalineage.processes.get
datalineage.processes.list
datalineage.processes.update
datalineage.runs.create
datalineage.runs.get
datalineage.runs.list
datalineage.runs.update
resourcemanager.projects.get
resourcemanager.projects.list
Data Lineage Events Producer
(roles/datalineage.producer)
Grants access to creating all resources in Data Lineage API
datalineage.events.create
datalineage.processes.create
datalineage.processes.get
datalineage.processes.update
datalineage.runs.create
datalineage.runs.get
datalineage.runs.update
resourcemanager.projects.get
resourcemanager.projects.list
Data Lineage Viewer
(roles/datalineage.viewer)
Grants read access to all resources in Data Lineage API
datalineage.events.get
datalineage.events.list
datalineage.locations.searchLinks
datalineage.processes.get
datalineage.processes.list
datalineage.runs.get
datalineage.runs.list
resourcemanager.projects.get
resourcemanager.projects.list
Data Processing Controls Resource Admin
(roles/dataprocessing.admin)
Data processing controls admin who can fully manage data processing controls settings and view all datasource data.
billing.accounts.get
billing.accounts.list
dataprocessing.*
Data Processing Controls Data Source Manager
(roles/dataprocessing.dataSourceManager)
Data processing controls data source manager who can get, list, and update the underlying data.
dataprocessing.datasources.list
dataprocessing.datasources.update
Dataproc Resource Manager Admin
Beta
(roles/dataprocrm.admin)
Grants full access to all Dataproc Resource Manager resources. Intended for users that need to create and delete any Dataproc Resource Manager resources.
dataprocrm.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Resource Manager Viewer
Beta
(roles/dataprocrm.viewer)
Grants read access to all Dataproc Resource Manager resources. Intended for users that need read-only access to Dataproc Resource Manager resources.
dataprocrm.locations.*
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodes.get
dataprocrm.nodes.list
dataprocrm.nodes.mintOAuthToken
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.get
dataprocrm.workloads.list
resourcemanager.projects.get
resourcemanager.projects.list
Developer Connect Admin
Beta
(roles/developerconnect.admin)
Full access to Developer Connect resources.
developerconnect.connections.*
developerconnect.gitRepositoryLinks.create
developerconnect.gitRepositoryLinks.delete
developerconnect.gitRepositoryLinks.fetchGitRefs
developerconnect.gitRepositoryLinks.get
developerconnect.gitRepositoryLinks.list
developerconnect.locations.*
developerconnect.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Developer Connect Read Token Accessor
Beta
(roles/developerconnect.readTokenAccessor)
Grants access to Read-Only tokens (both PAT and short-lived). Also grants access to view the git repository link.
developerconnect.connections.get
developerconnect.gitRepositoryLinks.fetchReadToken
developerconnect.gitRepositoryLinks.get
Developer Connect Token Accessor
Beta
(roles/developerconnect.tokenAccessor)
Grants access to Read/Write and Read-Only tokens (both PAT and short-lived). Also grants access to view the git repository link.
developerconnect.connections.get
developerconnect.gitRepositoryLinks.fetchReadToken
developerconnect.gitRepositoryLinks.fetchReadWriteToken
developerconnect.gitRepositoryLinks.get
Developer Connect User
Beta
(roles/developerconnect.user)
Grants access to view the connection and to the features that interact with the actual repository such as reading content from the repository
developerconnect.connections.fetchGitHubInstallations
developerconnect.connections.fetchLinkableGitRepositories
developerconnect.connections.get
developerconnect.connections.list
developerconnect.gitRepositoryLinks.fetchGitRefs
developerconnect.gitRepositoryLinks.get
developerconnect.gitRepositoryLinks.list
developerconnect.locations.*
developerconnect.operations.get
developerconnect.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Developer Connect Viewer
Beta
(roles/developerconnect.viewer)
Readonly access to Developer Connect resources.
developerconnect.connections.get
developerconnect.connections.list
developerconnect.gitRepositoryLinks.get
developerconnect.gitRepositoryLinks.list
developerconnect.locations.*
developerconnect.operations.get
developerconnect.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Discovery Engine Admin
(roles/discoveryengine.admin)
Grants full access to all discoveryengine resources.
discoveryengine.*
resourcemanager.projects.get
resourcemanager.projects.list
Discovery Engine Editor
(roles/discoveryengine.editor)
Grants read and write access to all discovery engine resources.
discoveryengine.aclConfigs.get
discoveryengine.analytics.*
discoveryengine.answers.get
discoveryengine.branches.*
discoveryengine.cmekConfigs.get
discoveryengine.cmekConfigs.list
discoveryengine.collections.get
discoveryengine.collections.list
discoveryengine.completionConfigs.completeQuery
discoveryengine.completionConfigs.get
discoveryengine.controls.get
discoveryengine.controls.list
discoveryengine.conversations.*
discoveryengine.dataStores.completeQuery
discoveryengine.dataStores.get
discoveryengine.dataStores.list
discoveryengine.documentProcessingConfigs.get
discoveryengine.documents.batchGetDocumentsMetadata
discoveryengine.documents.create
discoveryengine.documents.delete
discoveryengine.documents.get
discoveryengine.documents.import
discoveryengine.documents.list
discoveryengine.documents.update
discoveryengine.engines.get
discoveryengine.engines.list
discoveryengine.engines.pause
discoveryengine.engines.resume
discoveryengine.engines.tune
discoveryengine.evaluations.get
discoveryengine.evaluations.list
discoveryengine.groundingConfigs.check
discoveryengine.models.*
discoveryengine.operations.*
discoveryengine.projects.get
discoveryengine.rankingConfigs.rank
discoveryengine.sampleQueries.*
discoveryengine.sampleQuerySets.*
discoveryengine.schemas.get
discoveryengine.schemas.list
discoveryengine.schemas.preview
discoveryengine.schemas.validate
discoveryengine.servingConfigs.answer
discoveryengine.servingConfigs.get
discoveryengine.servingConfigs.list
discoveryengine.servingConfigs.recommend
discoveryengine.servingConfigs.search
discoveryengine.sessions.*
discoveryengine.siteSearchEngines.get
discoveryengine.targetSites.get
discoveryengine.targetSites.list
discoveryengine.userEvents.create
discoveryengine.userEvents.fetchStats
discoveryengine.userEvents.import
discoveryengine.widgetConfigs.*
resourcemanager.projects.get
resourcemanager.projects.list
Discovery Engine User
Beta
(roles/discoveryengine.user)
Grants user-level access to Discovery Engine resources.
discoveryengine.answers.get
discoveryengine.completionConfigs.completeQuery
discoveryengine.servingConfigs.answer
discoveryengine.servingConfigs.search
discoveryengine.sessions.delete
discoveryengine.sessions.get
discoveryengine.sessions.list
discoveryengine.sessions.update
Discovery Engine Viewer
(roles/discoveryengine.viewer)
Grants read access to all discovery engine resources.
discoveryengine.aclConfigs.get
discoveryengine.analytics.*
discoveryengine.answers.get
discoveryengine.branches.*
discoveryengine.cmekConfigs.get
discoveryengine.cmekConfigs.list
discoveryengine.collections.get
discoveryengine.collections.list
discoveryengine.completionConfigs.completeQuery
discoveryengine.completionConfigs.get
discoveryengine.controls.get
discoveryengine.controls.list
discoveryengine.conversations.converse
discoveryengine.conversations.get
discoveryengine.conversations.list
discoveryengine.dataStores.completeQuery
discoveryengine.dataStores.get
discoveryengine.dataStores.list
discoveryengine.documentProcessingConfigs.get
discoveryengine.documents.batchGetDocumentsMetadata
discoveryengine.documents.get
discoveryengine.documents.list
discoveryengine.engines.get
discoveryengine.engines.list
discoveryengine.evaluations.get
discoveryengine.evaluations.list
discoveryengine.groundingConfigs.check
discoveryengine.models.get
discoveryengine.models.list
discoveryengine.operations.*
discoveryengine.projects.get
discoveryengine.rankingConfigs.rank
discoveryengine.sampleQueries.get
discoveryengine.sampleQueries.list
discoveryengine.sampleQuerySets.get
discoveryengine.sampleQuerySets.list
discoveryengine.schemas.get
discoveryengine.schemas.list
discoveryengine.schemas.preview
discoveryengine.schemas.validate
discoveryengine.servingConfigs.answer
discoveryengine.servingConfigs.get
discoveryengine.servingConfigs.list
discoveryengine.servingConfigs.recommend
discoveryengine.servingConfigs.search
discoveryengine.sessions.get
discoveryengine.sessions.list
discoveryengine.siteSearchEngines.get
discoveryengine.targetSites.get
discoveryengine.targetSites.list
discoveryengine.userEvents.fetchStats
discoveryengine.widgetConfigs.get
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Purchasing Admin
Beta
(roles/enterprisepurchasing.admin)
Full access to Enterprise Purchasing resources.
enterprisepurchasing.*
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Purchasing Editor
Beta
(roles/enterprisepurchasing.editor)
Edit access to Enterprise Purchasing resources.
enterprisepurchasing.gcveCuds.get
enterprisepurchasing.gcveCuds.list
enterprisepurchasing.gcveNodePricingInfo.list
enterprisepurchasing.locations.*
enterprisepurchasing.operations.get
enterprisepurchasing.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Purchasing Viewer
Beta
(roles/enterprisepurchasing.viewer)
Readonly access to Enterprise Purchasing resources.
enterprisepurchasing.gcveCuds.get
enterprisepurchasing.gcveCuds.list
enterprisepurchasing.gcveNodePricingInfo.list
enterprisepurchasing.locations.*
enterprisepurchasing.operations.get
enterprisepurchasing.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/essentialcontacts.admin)
Full access to all essential contacts
essentialcontacts.*
(roles/essentialcontacts.viewer)
Viewer for all essential contacts
essentialcontacts.contacts.get
essentialcontacts.contacts.list
Firebase Cloud Messaging API Admin
Beta
(roles/firebasecloudmessaging.admin)
Full read/write access to Firebase Cloud Messaging API resources.
cloudmessaging.messages.create
fcmdata.deliverydata.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Crash Symbol Uploader
(roles/firebasecrash.symbolMappingsAdmin)
Full read/write access to symbol mapping file resources for Firebase Crash Reporting.
firebase.clients.get
firebase.clients.list
resourcemanager.projects.get
Firebase Data Connect API Admin
Beta
(roles/firebasedataconnect.admin)
Full access to Firebase Data Connect API resources, including data.
firebasedataconnect.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Data Connect API Data Admin
Beta
(roles/firebasedataconnect.dataAdmin)
Full access to data sources.
firebasedataconnect.services.executeGraphql
firebasedataconnect.services.executeGraphqlRead
Firebase Data Connect API Data Viewer
Beta
(roles/firebasedataconnect.dataViewer)
Readonly access to data sources.
firebasedataconnect.services.executeGraphqlRead
Firebase Data Connect API Viewer
Beta
(roles/firebasedataconnect.viewer)
Readonly access to Firebase Data Connect API resources. Role does not grant access to data.
firebasedataconnect.connectorRevisions.get
firebasedataconnect.connectorRevisions.list
firebasedataconnect.connectors.get
firebasedataconnect.connectors.list
firebasedataconnect.locations.*
firebasedataconnect.operations.get
firebasedataconnect.operations.list
firebasedataconnect.schemaRevisions.get
firebasedataconnect.schemaRevisions.list
firebasedataconnect.schemas.get
firebasedataconnect.schemas.list
firebasedataconnect.services.get
firebasedataconnect.services.list
resourcemanager.projects.get
resourcemanager.projects.list
GDC Hardware Management Admin
Beta
(roles/gdchardwaremanagement.admin)
Full access to GDC Hardware Management resources.
gdchardwaremanagement.*
resourcemanager.projects.get
resourcemanager.projects.list
GDC Hardware Management Operator
Beta
(roles/gdchardwaremanagement.operator)
Create, read, and update access to GDC Hardware Management resources that support those operations. Also grants delete access to HardwareGroup resource.
gdchardwaremanagement.changeLogEntries.*
gdchardwaremanagement.comments.*
gdchardwaremanagement.hardware.*
gdchardwaremanagement.hardwareGroups.*
gdchardwaremanagement.locations.*
gdchardwaremanagement.operations.get
gdchardwaremanagement.operations.list
gdchardwaremanagement.orders.create
gdchardwaremanagement.orders.get
gdchardwaremanagement.orders.list
gdchardwaremanagement.orders.update
gdchardwaremanagement.sites.*
gdchardwaremanagement.skus.*
gdchardwaremanagement.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
GDC Hardware Management Reader
Beta
(roles/gdchardwaremanagement.reader)
Readonly access to GDC Hardware Management resources.
gdchardwaremanagement.changeLogEntries.*
gdchardwaremanagement.comments.get
gdchardwaremanagement.comments.list
gdchardwaremanagement.hardware.get
gdchardwaremanagement.hardware.list
gdchardwaremanagement.hardwareGroups.get
gdchardwaremanagement.hardwareGroups.list
gdchardwaremanagement.locations.*
gdchardwaremanagement.operations.get
gdchardwaremanagement.operations.list
gdchardwaremanagement.orders.get
gdchardwaremanagement.orders.list
gdchardwaremanagement.sites.get
gdchardwaremanagement.sites.list
gdchardwaremanagement.skus.*
gdchardwaremanagement.zones.get
gdchardwaremanagement.zones.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/identityplatform.admin)
Full access to Identity Platform resources.
firebaseauth.*
identitytoolkit.*
(roles/identityplatform.viewer)
Read access to Identity Platform resources.
firebaseauth.configs.get
firebaseauth.users.get
identitytoolkit.tenants.get
identitytoolkit.tenants.getIamPolicy
identitytoolkit.tenants.list
(roles/identitytoolkit.admin)
Full access to Identity Toolkit resources.
firebaseauth.*
identitytoolkit.*
(roles/identitytoolkit.viewer)
Read access to Identity Toolkit resources.
firebaseauth.configs.get
firebaseauth.users.get
identitytoolkit.tenants.get
identitytoolkit.tenants.getIamPolicy
identitytoolkit.tenants.list
Apigee Integration Admin
(roles/integrations.apigeeIntegrationAdminRole)
A user that has full access to all Apigee integrations.
connectors.actions.*
connectors.connections.executeSqlQuery
connectors.entities.*
connectors.entityTypes.list
integrations.apigeeAuthConfigs.*
integrations.apigeeCertificates.*
integrations.apigeeExecutions.list
integrations.apigeeIntegrationVers.*
integrations.apigeeIntegrations.*
integrations.apigeeSfdcChannels.*
integrations.apigeeSfdcInstances.*
integrations.apigeeSuspensions.*
integrations.authConfigs.*
integrations.certificates.*
integrations.executions.get
integrations.executions.list
integrations.integrationVersions.create
integrations.integrationVersions.delete
integrations.integrationVersions.deploy
integrations.integrationVersions.get
integrations.integrationVersions.list
integrations.integrationVersions.update
integrations.integrations.create
integrations.integrations.delete
integrations.integrations.deploy
integrations.integrations.get
integrations.integrations.invoke
integrations.integrations.list
integrations.integrations.update
integrations.sfdcChannels.*
integrations.sfdcInstances.*
integrations.suspensions.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Integration Deployer
(roles/integrations.apigeeIntegrationDeployerRole)
A developer that can deploy/undeploy Apigee integrations to the integration runtime.
integrations.apigeeIntegrationVers.deploy
integrations.apigeeIntegrationVers.get
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrations.list
integrations.integrationVersions.deploy
integrations.integrationVersions.get
integrations.integrationVersions.list
integrations.integrations.deploy
integrations.integrations.get
integrations.integrations.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Integration Editor
(roles/integrations.apigeeIntegrationEditorRole)
A developer that can list, create and update Apigee integrations.
connectors.actions.*
connectors.connections.executeSqlQuery
connectors.entities.*
connectors.entityTypes.list
integrations.apigeeAuthConfigs.create
integrations.apigeeAuthConfigs.get
integrations.apigeeAuthConfigs.list
integrations.apigeeAuthConfigs.update
integrations.apigeeCertificates.create
integrations.apigeeCertificates.get
integrations.apigeeCertificates.list
integrations.apigeeCertificates.update
integrations.apigeeExecutions.list
integrations.apigeeIntegrationVers.*
integrations.apigeeIntegrations.*
integrations.apigeeSfdcChannels.create
integrations.apigeeSfdcChannels.get
integrations.apigeeSfdcChannels.list
integrations.apigeeSfdcChannels.update
integrations.apigeeSfdcInstances.create
integrations.apigeeSfdcInstances.get
integrations.apigeeSfdcInstances.list
integrations.apigeeSfdcInstances.update
integrations.authConfigs.create
integrations.authConfigs.get
integrations.authConfigs.list
integrations.authConfigs.update
integrations.certificates.get
integrations.executions.get
integrations.executions.list
integrations.integrationVersions.create
integrations.integrationVersions.delete
integrations.integrationVersions.deploy
integrations.integrationVersions.get
integrations.integrationVersions.list
integrations.integrationVersions.update
integrations.integrations.create
integrations.integrations.get
integrations.integrations.invoke
integrations.integrations.list
integrations.integrations.update
integrations.sfdcChannels.*
integrations.sfdcInstances.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Integration Invoker
(roles/integrations.apigeeIntegrationInvokerRole)
A role that can invoke Apigee integrations.
connectors.actions.*
connectors.connections.executeSqlQuery
connectors.entities.*
connectors.entityTypes.list
integrations.apigeeExecutions.list
integrations.apigeeIntegrationVers.get
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrations.*
integrations.executions.get
integrations.executions.list
integrations.integrationVersions.get
integrations.integrationVersions.invoke
integrations.integrationVersions.list
integrations.integrations.get
integrations.integrations.invoke
integrations.integrations.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Integration Viewer
(roles/integrations.apigeeIntegrationsViewer)
A developer that can list and view Apigee integrations.
integrations.apigeeAuthConfigs.list
integrations.apigeeCertificates.list
integrations.apigeeIntegrationVers.get
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrations.list
integrations.apigeeSfdcChannels.list
integrations.apigeeSfdcInstances.list
integrations.authConfigs.get
integrations.authConfigs.list
integrations.certificates.get
integrations.certificates.list
integrations.executions.get
integrations.executions.list
integrations.integrationVersions.get
integrations.integrationVersions.list
integrations.integrations.get
integrations.integrations.list
integrations.sfdcChannels.list
integrations.sfdcInstances.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Integration Approver
(roles/integrations.apigeeSuspensionResolver)
A role that can approve / reject Apigee integrations that contain a suspension/wait task.
integrations.apigeeSuspensions.*
integrations.suspensions.*
resourcemanager.projects.get
resourcemanager.projects.list
Certificate Viewer
(roles/integrations.certificateViewer)
A developer that can list and view Certificates.
integrations.certificates.get
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Admin
(roles/integrations.integrationAdmin)
A user that has full access (CRUD) to all integrations.
integrations.apigeeAuthConfigs.*
integrations.apigeeCertificates.*
integrations.apigeeExecutions.list
integrations.apigeeIntegrationVers.*
integrations.apigeeIntegrations.*
integrations.apigeeSfdcChannels.*
integrations.apigeeSfdcInstances.*
integrations.apigeeSuspensions.*
integrations.authConfigs.*
integrations.certificates.*
integrations.executions.*
integrations.integrationVersions.create
integrations.integrationVersions.delete
integrations.integrationVersions.deploy
integrations.integrationVersions.get
integrations.integrationVersions.list
integrations.integrationVersions.update
integrations.integrations.*
integrations.sfdcChannels.*
integrations.sfdcInstances.*
integrations.suspensions.*
integrations.testCases.*
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Deployer
(roles/integrations.integrationDeployer)
A developer that can deploy/undeploy integrations to the integration runtime.
integrations.apigeeIntegrationVers.deploy
integrations.apigeeIntegrationVers.get
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrations.list
integrations.integrationVersions.deploy
integrations.integrationVersions.get
integrations.integrationVersions.list
integrations.integrations.deploy
integrations.integrations.get
integrations.integrations.list
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Editor
(roles/integrations.integrationEditor)
A developer that can list, create and update integrations.
integrations.apigeeAuthConfigs.create
integrations.apigeeAuthConfigs.get
integrations.apigeeAuthConfigs.list
integrations.apigeeAuthConfigs.update
integrations.apigeeCertificates.create
integrations.apigeeCertificates.get
integrations.apigeeCertificates.list
integrations.apigeeCertificates.update
integrations.apigeeExecutions.list
integrations.apigeeIntegrationVers.*
integrations.apigeeIntegrations.*
integrations.apigeeSfdcChannels.create
integrations.apigeeSfdcChannels.get
integrations.apigeeSfdcChannels.list
integrations.apigeeSfdcChannels.update
integrations.apigeeSfdcInstances.create
integrations.apigeeSfdcInstances.get
integrations.apigeeSfdcInstances.list
integrations.apigeeSfdcInstances.update
integrations.authConfigs.create
integrations.authConfigs.get
integrations.authConfigs.list
integrations.authConfigs.update
integrations.certificates.get
integrations.executions.*
integrations.integrationVersions.create
integrations.integrationVersions.delete
integrations.integrationVersions.deploy
integrations.integrationVersions.get
integrations.integrationVersions.list
integrations.integrationVersions.update
integrations.integrations.create
integrations.integrations.generateOpenApiSpec
integrations.integrations.get
integrations.integrations.invoke
integrations.integrations.list
integrations.integrations.update
integrations.sfdcChannels.*
integrations.sfdcInstances.*
integrations.testCases.*
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Invoker
(roles/integrations.integrationInvoker)
A role that can invoke integrations.
integrations.apigeeExecutions.list
integrations.apigeeIntegrationVers.get
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrations.*
integrations.executions.*
integrations.integrationVersions.get
integrations.integrationVersions.invoke
integrations.integrationVersions.list
integrations.integrations.get
integrations.integrations.invoke
integrations.integrations.list
integrations.testCases.get
integrations.testCases.invoke
integrations.testCases.list
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Viewer
(roles/integrations.integrationViewer)
A developer that can list and view integrations.
integrations.apigeeAuthConfigs.list
integrations.apigeeCertificates.list
integrations.apigeeIntegrationVers.get
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrations.list
integrations.apigeeSfdcChannels.list
integrations.apigeeSfdcInstances.list
integrations.authConfigs.get
integrations.authConfigs.list
integrations.certificates.get
integrations.certificates.list
integrations.executions.get
integrations.executions.list
integrations.integrationVersions.get
integrations.integrationVersions.list
integrations.integrations.generateOpenApiSpec
integrations.integrations.get
integrations.integrations.list
integrations.sfdcChannels.list
integrations.sfdcInstances.list
integrations.testCases.get
integrations.testCases.list
resourcemanager.projects.get
resourcemanager.projects.list
Security Integration Admin
Beta
(roles/integrations.securityIntegrationAdmin)
A user that has full access to all Security integrations.
integrations.securityAuthConfigs.*
integrations.securityExecutions.*
integrations.securityIntegTempVers.*
integrations.securityIntegrationVers.*
integrations.securityIntegrations.*
Application Integration SFDC Instance Admin
(roles/integrations.sfdcInstanceAdmin)
A user that has full access (CRUD) to all SFDC instances.
integrations.sfdcChannels.*
integrations.sfdcInstances.*
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration SFDC Instance Editor
(roles/integrations.sfdcInstanceEditor)
A developer that can list, create and update integrations.
integrations.sfdcChannels.create
integrations.sfdcChannels.get
integrations.sfdcChannels.list
integrations.sfdcChannels.update
integrations.sfdcInstances.create
integrations.sfdcInstances.get
integrations.sfdcInstances.list
integrations.sfdcInstances.update
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration SFDC Instance Viewer
(roles/integrations.sfdcInstanceViewer)
A developer that can list and view SFDC instances.
integrations.sfdcChannels.get
integrations.sfdcChannels.list
integrations.sfdcInstances.get
integrations.sfdcInstances.list
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Approver
(roles/integrations.suspensionResolver)
A role that can resolve suspended integrations.
integrations.apigeeSuspensions.*
integrations.suspensions.*
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Account Manager Admin
Beta
(roles/issuerswitch.accountManagerAdmin)
This role can perform all account manager related operations
issuerswitch.accountManagerTransactions.*
issuerswitch.managedAccounts.*
issuerswitch.operations.get
issuerswitch.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Account Manager Transactions Admin
Beta
(roles/issuerswitch.accountManagerTransactionsAdmin)
This role can perform all account manager transactions related operations
issuerswitch.accountManagerTransactions.*
issuerswitch.operations.get
issuerswitch.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Account Manager Transactions Viewer
Beta
(roles/issuerswitch.accountManagerTransactionsViewer)
This role can view all account manager transactions
issuerswitch.accountManagerTransactions.list
issuerswitch.operations.get
issuerswitch.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Admin
Beta
(roles/issuerswitch.admin)
Access to all issuer switch roles
issuerswitch.*
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Participants Admin
Beta
(roles/issuerswitch.issuerParticipantsAdmin)
Full access to issuer switch participants
issuerswitch.issuerParticipants.*
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Resolutions Admin
Beta
(roles/issuerswitch.resolutionsAdmin)
Full access to issuer switch resolutions
issuerswitch.complaintTransactions.list
issuerswitch.complaints.*
issuerswitch.disputes.*
issuerswitch.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Rules Admin
Beta
(roles/issuerswitch.rulesAdmin)
Full access to issuer switch rules
issuerswitch.ruleMetadata.list
issuerswitch.ruleMetadataValues.*
issuerswitch.rules.list
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Rules Viewer
Beta
(roles/issuerswitch.rulesViewer)
This role can view rules and related metadata.
issuerswitch.ruleMetadata.list
issuerswitch.ruleMetadataValues.list
issuerswitch.rules.list
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Transactions Viewer
Beta
(roles/issuerswitch.transactionsViewer)
This role can view all transactions
issuerswitch.complaintTransactions.list
issuerswitch.financialTransactions.list
issuerswitch.mandateTransactions.list
issuerswitch.metadataTransactions.list
issuerswitch.operations.get
issuerswitch.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/kubernetesmetadata.publisher)
Publisher of Kubernetes clusters metadata
kubernetesmetadata.*
Cloud License Manager Admin
(roles/licensemanager.admin)
Full access to Cloud License Manager resources.
licensemanager.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud License Manager Viewer
(roles/licensemanager.viewer)
Readonly access to Cloud License Manager resources.
licensemanager.configurations.get
licensemanager.configurations.list
licensemanager.instances.*
licensemanager.locations.*
licensemanager.operations.get
licensemanager.operations.list
licensemanager.products.*
resourcemanager.projects.get
resourcemanager.projects.list
Managed Flink Admin
Beta
(roles/managedflink.admin)
Full access to Managed Flink resources.
managedflink.*
resourcemanager.projects.get
resourcemanager.projects.list
Managed Flink Developer
Beta
(roles/managedflink.developer)
Full access to Managed Flink Jobs and Sessions and read access to Deployments.
managedflink.deployments.get
managedflink.deployments.list
managedflink.jobs.*
managedflink.locations.*
managedflink.operations.get
managedflink.operations.list
managedflink.sessions.*
resourcemanager.projects.get
resourcemanager.projects.list
Managed Flink Viewer
Beta
(roles/managedflink.viewer)
Readonly access to Managed Flink resources.
managedflink.deployments.get
managedflink.deployments.list
managedflink.jobs.get
managedflink.jobs.list
managedflink.locations.*
managedflink.operations.get
managedflink.operations.list
managedflink.sessions.get
managedflink.sessions.list
resourcemanager.projects.get
resourcemanager.projects.list
Managed Kafka Admin
Beta
(roles/managedkafka.admin)
Full access to Managed Kafka resources.
managedkafka.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Managed Kafka Client
Beta
(roles/managedkafka.client)
Provides access to connect to the Kafka servers in a cluster, i.e. provides Kafka data plane access. Intended for, e.g., producers and consumers.
managedkafka.clusters.connect
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.consumerGroups.*
managedkafka.locations.*
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Managed Kafka Cluster Editor
Beta
(roles/managedkafka.clusterEditor)
Provides read and write access to Kafka clusters. Intended for, e.g., IT Departments that provision Kafka clusters, but need not be able to read or modify topics or consumer groups.
managedkafka.clusters.create
managedkafka.clusters.delete
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.clusters.update
managedkafka.consumerGroups.get
managedkafka.consumerGroups.list
managedkafka.locations.*
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.get
managedkafka.topics.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Managed Kafka Consumer Group Editor
Beta
(roles/managedkafka.consumerGroupEditor)
Provides read and write access to consumer group metadata. Intended for, e.g., developers who configure consumer groups.
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.consumerGroups.*
managedkafka.locations.*
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.get
managedkafka.topics.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Managed Kafka Topic Editor
Beta
(roles/managedkafka.topicEditor)
Provides read and write access to topic metadata. Intended for, e.g., developers who configure topics.
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.consumerGroups.get
managedkafka.consumerGroups.list
managedkafka.locations.*
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Managed Kafka Viewer
Beta
(roles/managedkafka.viewer)
Readonly access to Managed Kafka resources.
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.consumerGroups.get
managedkafka.consumerGroups.list
managedkafka.locations.*
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.get
managedkafka.topics.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Mandiant Attack Surface Management Editor
Beta
(roles/mandiant.attackSurfaceManagementEditor)
Access to write Attack Surface Management
mandiant.genericAttackSurfaceManagements.create
mandiant.genericAttackSurfaceManagements.delete
mandiant.genericAttackSurfaceManagements.update
mandiant.genericPlatforms.create
mandiant.genericPlatforms.delete
mandiant.genericPlatforms.update
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Attack Surface Management Viewer
Beta
(roles/mandiant.attackSurfaceManagementViewer)
Access to read Attack Surface Management
mandiant.genericAttackSurfaceManagements.get
mandiant.genericPlatforms.get
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Digital Threat Monitoring Editor
Beta
(roles/mandiant.digitalThreatMonitoringEditor)
Access to write Digital Threat Monitoring
mandiant.genericDigitalThreatMonitorings.create
mandiant.genericDigitalThreatMonitorings.update
mandiant.genericPlatforms.create
mandiant.genericPlatforms.update
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Digital Threat Monitoring Viewer
Beta
(roles/mandiant.digitalThreatMonitoringViewer)
Access to read Digital Threat Monitoring
mandiant.genericDigitalThreatMonitorings.get
mandiant.genericPlatforms.get
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Expertise On Demand Editor
Beta
(roles/mandiant.expertiseOnDemandEditor)
Access to write Expertise On Demand
mandiant.genericExpertiseOnDemands.create
mandiant.genericExpertiseOnDemands.delete
mandiant.genericExpertiseOnDemands.update
mandiant.genericPlatforms.create
mandiant.genericPlatforms.delete
mandiant.genericPlatforms.update
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Expertise On Demand Viewer
Beta
(roles/mandiant.expertiseOnDemandViewer)
Access to read Expertise On Demand
mandiant.genericExpertiseOnDemands.get
mandiant.genericPlatforms.get
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Threat Intel Editor
Beta
(roles/mandiant.threatIntelEditor)
Access to write Threat Intel
mandiant.genericPlatforms.create
mandiant.genericPlatforms.delete
mandiant.genericPlatforms.update
mandiant.genericThreatIntels.create
mandiant.genericThreatIntels.delete
mandiant.genericThreatIntels.update
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Threat Intel Viewer
Beta
(roles/mandiant.threatIntelViewer)
Access to read Threat Intel
mandiant.genericPlatforms.get
mandiant.genericThreatIntels.get
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Validation Editor
Beta
(roles/mandiant.validationEditor)
Access to write Validation
mandiant.genericPlatforms.create
mandiant.genericPlatforms.delete
mandiant.genericPlatforms.update
mandiant.genericValidations.create
mandiant.genericValidations.delete
mandiant.genericValidations.update
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Validation Viewer
Beta
(roles/mandiant.validationViewer)
Access to read Validation
mandiant.genericPlatforms.get
mandiant.genericValidations.get
resourcemanager.projects.get
resourcemanager.projects.list
Mobility Solutions Overages Viewer
Beta
(roles/mapsanalytics.mobilitySolutionsOverageViewer)
Grants read-only access to Mobility Solutions Overages metric data.
mapsanalytics.metricData.queryMobilitySolutionsOverageData
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
Maps Analytics Viewer
Beta
(roles/mapsanalytics.viewer)
Grants read-only access to all of the Maps Analytics resources.
mapsanalytics.metricData.query
mapsanalytics.metricMetadata.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
(roles/mapsplatformdatasets.admin)
Grants read and write access to all the Maps Platform Datasets API resources
mapsadmin.clientStyles.*
mapsplatformdatasets.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/mapsplatformdatasets.viewer)
Grants read-only access to all the Maps Platform Datasets API resources
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsplatformdatasets.datasets.export
mapsplatformdatasets.datasets.get
mapsplatformdatasets.datasets.list
resourcemanager.projects.get
resourcemanager.projects.list
Marketplace Solutions Admin
Beta
(roles/marketplacesolutions.admin)
Full access to Marketplace Solutions resources.
marketplacesolutions.*
resourcemanager.projects.get
resourcemanager.projects.list
Marketplace Solutions Editor
Beta
(roles/marketplacesolutions.editor)
Edit access to Marketplace Solutions resources.
marketplacesolutions.locations.*
marketplacesolutions.operations.get
marketplacesolutions.operations.list
marketplacesolutions.powerImages.*
marketplacesolutions.powerInstances.get
marketplacesolutions.powerInstances.list
marketplacesolutions.powerInstances.update
marketplacesolutions.powerNetworks.*
marketplacesolutions.powerSshKeys.*
marketplacesolutions.powerVolumes.*
resourcemanager.projects.get
resourcemanager.projects.list
Marketplace Solutions Viewer
Beta
(roles/marketplacesolutions.viewer)
Readonly access to Marketplace Solutions resources.
marketplacesolutions.locations.*
marketplacesolutions.operations.get
marketplacesolutions.operations.list
marketplacesolutions.powerImages.*
marketplacesolutions.powerInstances.get
marketplacesolutions.powerInstances.list
marketplacesolutions.powerNetworks.*
marketplacesolutions.powerSshKeys.*
marketplacesolutions.powerVolumes.*
resourcemanager.projects.get
resourcemanager.projects.list
Memorystore Admin
Beta
(roles/memorystore.admin)
Full access to Memorystore resources.
memorystore.instances.create
memorystore.instances.delete
memorystore.instances.get
memorystore.instances.list
memorystore.instances.update
memorystore.locations.*
memorystore.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Memorystore DB Connector User
Beta
(roles/memorystore.dbConnectionUser)
Access to connecting to Memorystore Server db.
memorystore.instances.connect
Memorystore Viewer
Beta
(roles/memorystore.viewer)
Readonly access to Memorystore resources.
memorystore.instances.get
memorystore.instances.list
memorystore.locations.*
memorystore.operations.get
memorystore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Google Home Developer Console Admin
(roles/nestconsole.homeDeveloperAdmin)
Admin access to Google Home Developer Console resources
nestconsole.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Home Developer Console Editor
(roles/nestconsole.homeDeveloperEditor)
Read-Write access to Google Home Developer Console resources
nestconsole.smarthomePreviews.update
nestconsole.smarthomeProjects.get
nestconsole.smarthomeProjects.update
nestconsole.smarthomeVersions.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Home Developer Console Reader
(roles/nestconsole.homeDeveloperViewer)
Read-only access to Google Home Developer Console resources
nestconsole.smarthomeProjects.get
nestconsole.smarthomeVersions.get
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud NetApp Volumes Admin
Beta
(roles/netapp.admin)
Full access to Google Cloud NetApp Volumes resources.
netapp.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud NetApp Volumes Viewer
Beta
(roles/netapp.viewer)
Readonly access to Google Cloud NetApp Volumes resources.
netapp.activeDirectories.get
netapp.activeDirectories.list
netapp.backupPolicies.get
netapp.backupPolicies.list
netapp.backupVaults.get
netapp.backupVaults.list
netapp.backups.get
netapp.backups.list
netapp.kmsConfigs.get
netapp.kmsConfigs.list
netapp.locations.*
netapp.operations.get
netapp.operations.list
netapp.replications.get
netapp.replications.list
netapp.snapshots.get
netapp.snapshots.list
netapp.storagePools.get
netapp.storagePools.list
netapp.volumes.get
netapp.volumes.list
resourcemanager.projects.get
resourcemanager.projects.list
OAuth Config Editor
Beta
(roles/oauthconfig.editor)
Read/write access to OAuth config resources
clientauthconfig.*
oauthconfig.*
OAuth Config Viewer
Beta
(roles/oauthconfig.viewer)
Read-only access to OAuth config resources
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.clients.get
clientauthconfig.clients.list
oauthconfig.clientpolicy.get
oauthconfig.testusers.get
oauthconfig.verification.get
Oracle Database@Google Cloud admin
(roles/oracledatabase.admin)
Grants full access to manage all Oracle Database resources.
oracledatabase.*
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud Autonomous Database Admin
(roles/oracledatabase.autonomousDatabaseAdmin)
Grants full access to manage all Autonomous Database resources.
oracledatabase.autonomousDatabaseBackups.*
oracledatabase.autonomousDatabaseCharacterSets.list
oracledatabase.autonomousDatabases.*
oracledatabase.autonomousDbVersions.list
oracledatabase.entitlements.list
oracledatabase.locations.*
oracledatabase.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud Autonomous Database Viewer
(roles/oracledatabase.autonomousDatabaseViewer)
Grants read access to see all Autonomous Database resources.
oracledatabase.autonomousDatabaseBackups.get
oracledatabase.autonomousDatabaseBackups.list
oracledatabase.autonomousDatabaseCharacterSets.list
oracledatabase.autonomousDatabases.get
oracledatabase.autonomousDatabases.list
oracledatabase.autonomousDbVersions.list
oracledatabase.entitlements.list
oracledatabase.locations.*
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud Exadata Infrastructure Admin
(roles/oracledatabase.cloudExadataInfrastructureAdmin)
Grants full access to manage all Exadata Infrastructure resources.
oracledatabase.cloudExadataInfrastructures.create
oracledatabase.cloudExadataInfrastructures.delete
oracledatabase.cloudExadataInfrastructures.get
oracledatabase.cloudExadataInfrastructures.list
oracledatabase.cloudExadataInfrastructures.update
oracledatabase.dbServers.list
oracledatabase.dbSystemShapes.list
oracledatabase.entitlements.list
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud Exadata Infrastructure Viewer
(roles/oracledatabase.cloudExadataInfrastructureViewer)
Grants read access to see all Exadata Infrastructure resources.
oracledatabase.cloudExadataInfrastructures.get
oracledatabase.cloudExadataInfrastructures.list
oracledatabase.dbServers.list
oracledatabase.dbSystemShapes.list
oracledatabase.entitlements.list
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud VM Cluster Admin
(roles/oracledatabase.cloudVmClusterAdmin)
Grants full access to manage all VM Cluster resources.
oracledatabase.cloudExadataInfrastructures.list
oracledatabase.cloudExadataInfrastructures.use
oracledatabase.cloudVmClusters.*
oracledatabase.dbNodes.list
oracledatabase.dbServers.list
oracledatabase.entitlements.list
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud VM Cluster Viewer
(roles/oracledatabase.cloudVmClusterViewer)
Grants read access to see all VM Cluster resources.
oracledatabase.cloudVmClusters.get
oracledatabase.cloudVmClusters.list
oracledatabase.dbNodes.list
oracledatabase.entitlements.list
oracledatabase.locations.*
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud viewer
(roles/oracledatabase.viewer)
Grants view access to all Oracle Database resources.
oracledatabase.autonomousDatabaseBackups.get
oracledatabase.autonomousDatabaseBackups.list
oracledatabase.autonomousDatabaseCharacterSets.list
oracledatabase.autonomousDatabases.get
oracledatabase.autonomousDatabases.list
oracledatabase.autonomousDbVersions.list
oracledatabase.cloudExadataInfrastructures.get
oracledatabase.cloudExadataInfrastructures.list
oracledatabase.cloudVmClusters.get
oracledatabase.cloudVmClusters.list
oracledatabase.dbNodes.list
oracledatabase.dbServers.list
oracledatabase.dbSystemShapes.list
oracledatabase.entitlements.list
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Parallelstore Admin
(roles/parallelstore.admin)
Full access to Parallelstore resources.
parallelstore.*
resourcemanager.projects.get
resourcemanager.projects.list
Parallelstore Viewer
(roles/parallelstore.viewer)
Readonly access to Parallelstore resources.
parallelstore.instances.get
parallelstore.instances.list
parallelstore.locations.*
parallelstore.operations.get
parallelstore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Parameter Manager Admin
Beta
(roles/parametermanager.admin)
Grants full access to all Parameter Manager resources. Intended for project admins & owners who need to perform all administrative tasks.
parametermanager.*
resourcemanager.projects.get
resourcemanager.projects.list
Parameter Manager Parameter Accessor
Beta
(roles/parametermanager.parameterAccessor)
Grants read access to ParameterManager ParameterVersion resources. Intended for users & applications that need to perform read operations on ParameterVersion only.
parametermanager.locations.*
parametermanager.parameterVersions.render
resourcemanager.projects.get
resourcemanager.projects.list
Parameter Manager Parameter Version Adder
Beta
(roles/parametermanager.parameterVersionAdder)
Grants create access to Parameter Manager ParameterVersion resources. Intended for users & applications that need to perform create operations on ParameterVersions only.
parametermanager.locations.*
parametermanager.parameterVersions.create
parametermanager.parameters.get
parametermanager.parameters.list
resourcemanager.projects.get
resourcemanager.projects.list
Parameter Manager Parameter Version Manager
Beta
(roles/parametermanager.parameterVersionManager)
Grants read & write access to all Parameter Manager ParameterVersion resources. Intended for users & applications that need to view Parameters & perform create/read/update/delete/list operations on ParameterVersions only.
parametermanager.locations.*
parametermanager.parameterVersions.create
parametermanager.parameterVersions.delete
parametermanager.parameterVersions.get
parametermanager.parameterVersions.list
parametermanager.parameterVersions.update
parametermanager.parameters.get
parametermanager.parameters.list
resourcemanager.projects.get
resourcemanager.projects.list
Parameter Manager Parameter Viewer
Beta
(roles/parametermanager.parameterViewer)
Grants read access to Parameter Manager Parameter & ParameterVersion resources. Intended for users & applications that need to perform read/list operations on Parameters & ParameterVersions only.
parametermanager.locations.*
parametermanager.parameterVersions.get
parametermanager.parameterVersions.list
parametermanager.parameters.get
parametermanager.parameters.list
resourcemanager.projects.get
resourcemanager.projects.list
Payments Reseller Admin
Beta
(roles/paymentsresellersubscription.partnerAdmin)
Full access to all Payments Reseller resources, including subscriptions, products and promotions
paymentsresellersubscription.*
resourcemanager.projects.get
resourcemanager.projects.list
Payments Reseller Viewer
Beta
(roles/paymentsresellersubscription.partnerViewer)
Read access to all Payments Reseller resources, including subscriptions, products and promotions
paymentsresellersubscription.products.list
paymentsresellersubscription.promotions.list
paymentsresellersubscription.subscriptions.get
resourcemanager.projects.get
resourcemanager.projects.list
Payments Reseller Products Viewer
Beta
(roles/paymentsresellersubscription.productViewer)
Read access to Payments Reseller Product resource
paymentsresellersubscription.products.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/paymentsresellersubscription.promotionViewer)
Read access to Payments Reseller Promotion resource
paymentsresellersubscription.promotions.list
resourcemanager.projects.get
resourcemanager.projects.list
Payments Reseller Subscriptions Editor
Beta
(roles/paymentsresellersubscription.subscriptionEditor)
Write access to Payments Reseller Subscription resource
paymentsresellersubscription.subscriptions.*
resourcemanager.projects.get
resourcemanager.projects.list
Payments Reseller Subscriptions Viewer
Beta
(roles/paymentsresellersubscription.subscriptionViewer)
Read access to Payments Reseller Subscription resource
paymentsresellersubscription.subscriptions.get
resourcemanager.projects.get
resourcemanager.projects.list
Payments Partner UserSessions Editor
Beta
(roles/paymentsresellersubscription.userSessionEditor)
Editor of UserSessions for a Payments Partner
paymentsresellersubscription.userSessions.generate
Activity Analysis Viewer
Beta
(roles/policyanalyzer.activityAnalysisViewer)
Viewer user that can read all activity analysis.
policyanalyzer.*
(roles/policyremediatormanager.policyRemediatorAdmin)
Grants the ability to enable and disable the usage of the policy remediator for the organization
policyremediatormanager.*
(roles/policyremediatormanager.policyRemediatorReader)
Grants the ability to read/view the state of the policy remediator for the organization
policyremediatormanager.locations.*
policyremediatormanager.operations.get
policyremediatormanager.operations.list
policyremediatormanager.remediatorServices.get
Simulator Admin
Beta
(roles/policysimulator.admin)
Admin user that can run and access replays.
policysimulator.accessPolicySimulationResults.list
policysimulator.accessPolicySimulations.*
policysimulator.replayResults.list
policysimulator.replays.*
OrgPolicy Simulator Admin
Beta
(roles/policysimulator.orgPolicyAdmin)
OrgPolicy Admin that can run and access simulations.
cloudasset.assets.analyzeOrgPolicy
cloudasset.assets.exportResource
cloudasset.assets.listResource
cloudasset.assets.searchAllResources
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.policies.list
orgpolicy.policy.get
policysimulator.orgPolicyViolations.list
policysimulator.orgPolicyViolationsPreviews.*
resourcemanager.organizations.get
External Account Key Creator
Beta
(roles/publicca.externalAccountKeyCreator)
This role can create a new externalAccountKey resource.
publicca.externalAccountKeys.create
resourcemanager.projects.get
resourcemanager.projects.list
Subscription Linking Admin
(roles/readerrevenuesubscriptionlinking.admin)
Full access to publication reader resources
readerrevenuesubscriptionlinking.*
resourcemanager.projects.get
resourcemanager.projects.list
Subscription Linking Entitlements Viewer
(roles/readerrevenuesubscriptionlinking.entitlementsViewer)
This role can view all publication reader entitlements
readerrevenuesubscriptionlinking.readerEntitlements.get
Subscription Linking Viewer
(roles/readerrevenuesubscriptionlinking.viewer)
This role can view all publication reader resources
readerrevenuesubscriptionlinking.readerEntitlements.get
readerrevenuesubscriptionlinking.readers.get
resourcemanager.projects.get
resourcemanager.projects.list
Recommendations Exporter
(roles/recommender.exporter)
Exporter of Recommendations
recommender.resources.export
Remote Build Execution Action Cache Writer
Beta
(roles/remotebuildexecution.actionCacheWriter)
Remote Build Execution Action Cache Writer
remotebuildexecution.actions.set
remotebuildexecution.blobs.create
Remote Build Execution Artifact Admin
Beta
(roles/remotebuildexecution.artifactAdmin)
Remote Build Execution Artifact Admin
remotebuildexecution.actions.create
remotebuildexecution.actions.delete
remotebuildexecution.actions.get
remotebuildexecution.blobs.*
remotebuildexecution.logstreams.*
Remote Build Execution Artifact Creator
Beta
(roles/remotebuildexecution.artifactCreator)
Remote Build Execution Artifact Creator
remotebuildexecution.actions.create
remotebuildexecution.actions.get
remotebuildexecution.blobs.*
remotebuildexecution.logstreams.*
Remote Build Execution Artifact Viewer
Beta
(roles/remotebuildexecution.artifactViewer)
Remote Build Execution Artifact Viewer
remotebuildexecution.actions.get
remotebuildexecution.blobs.get
remotebuildexecution.logstreams.get
Remote Build Execution Configuration Admin
Beta
(roles/remotebuildexecution.configurationAdmin)
Remote Build Execution Configuration Admin
remotebuildexecution.instances.*
remotebuildexecution.workerpools.*
Remote Build Execution Configuration Viewer
Beta
(roles/remotebuildexecution.configurationViewer)
Remote Build Execution Configuration Viewer
remotebuildexecution.instances.get
remotebuildexecution.instances.list
remotebuildexecution.workerpools.get
remotebuildexecution.workerpools.list
Remote Build Execution Logstream Writer
Beta
(roles/remotebuildexecution.logstreamWriter)
Remote Build Execution Logstream Writer
remotebuildexecution.logstreams.create
remotebuildexecution.logstreams.update
Remote Build Execution Reservation Admin
Beta
(roles/remotebuildexecution.reservationAdmin)
Remote Build Execution Reservation Admin
remotebuildexecution.actions.create
remotebuildexecution.actions.delete
remotebuildexecution.actions.get
Remote Build Execution Worker
Beta
(roles/remotebuildexecution.worker)
Remote Build Execution Worker
remotebuildexecution.actions.update
remotebuildexecution.blobs.*
remotebuildexecution.botsessions.*
remotebuildexecution.logstreams.create
remotebuildexecution.logstreams.update
Retail Admin
(roles/retail.admin)
Full access to Retail api resources.
automlrecommendations.apiKeys.create
automlrecommendations.apiKeys.delete
automlrecommendations.catalogItems.*
automlrecommendations.catalogs.*
automlrecommendations.eventStores.getStats
automlrecommendations.events.create
automlrecommendations.events.list
automlrecommendations.events.purge
automlrecommendations.events.rejoin
automlrecommendations.placements.*
automlrecommendations.recommendations.*
retail.*
Retail Editor
(roles/retail.editor)
Full access to Retail api resources except purge, rejoin, and setSponsorship.
automlrecommendations.apiKeys.create
automlrecommendations.apiKeys.delete
automlrecommendations.catalogItems.*
automlrecommendations.catalogs.*
automlrecommendations.eventStores.getStats
automlrecommendations.events.create
automlrecommendations.events.list
automlrecommendations.placements.*
automlrecommendations.recommendations.*
retail.alertConfigs.*
retail.attributesConfigs.addCatalogAttribute
retail.attributesConfigs.exportCatalogAttributes
retail.attributesConfigs.get
retail.attributesConfigs.importCatalogAttributes
retail.attributesConfigs.replaceCatalogAttribute
retail.attributesConfigs.update
retail.branches.*
retail.catalogs.*
retail.controls.*
retail.experiments.*
retail.models.*
retail.operations.*
retail.placements.*
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.update
retail.retailProjects.get
retail.servingConfigs.*
retail.userEvents.create
retail.userEvents.import
Retail Viewer
(roles/retail.viewer)
Grants access to read all resources in Retail.
automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.eventStores.getStats
automlrecommendations.events.list
automlrecommendations.placements.getStats
automlrecommendations.placements.list
automlrecommendations.recommendations.list
retail.alertConfigs.get
retail.attributesConfigs.exportCatalogAttributes
retail.attributesConfigs.get
retail.branches.*
retail.catalogs.completeQuery
retail.catalogs.exportAnalyticsMetrics
retail.catalogs.list
retail.controls.export
retail.controls.get
retail.controls.list
retail.experiments.get
retail.experiments.list
retail.experiments.loadExperimentLookerDashboard
retail.experiments.queryTrafficMetrics
retail.models.get
retail.models.list
retail.operations.*
retail.placements.*
retail.products.export
retail.products.get
retail.products.list
retail.retailProjects.get
retail.servingConfigs.get
retail.servingConfigs.list
retail.servingConfigs.predict
retail.servingConfigs.search
RISC Configuration Admin
Beta
(roles/riscconfigs.admin)
Read/write access to RISC config resources.
clientauthconfig.clients.list
riscconfigurationservice.*
RISC Configuration Viewer
Beta
(roles/riscconfigs.viewer)
Read-only access to RISC config resources.
clientauthconfig.clients.list
riscconfigurationservice.riscconfigs.get
Route Optimization Editor
(roles/routeoptimization.editor)
This role can create long-running operations via BatchOptimizeTours.
resourcemanager.projects.get
resourcemanager.projects.list
routeoptimization.*
Route Optimization Viewer
(roles/routeoptimization.viewer)
This role can view any long-running Operations.
resourcemanager.projects.get
resourcemanager.projects.list
routeoptimization.operations.get
Serverless Integrations Developer
Beta
(roles/runapps.developer)
Access to create and change Serverless Integrations and their configuration.
resourcemanager.projects.get
resourcemanager.projects.list
runapps.applications.*
runapps.deployments.get
runapps.deployments.list
runapps.locations.*
runapps.operations.*
Serverless Integrations Operator
Beta
(roles/runapps.operator)
Access to deploy Serverless Integrations.
resourcemanager.projects.get
resourcemanager.projects.list
runapps.applications.get
runapps.applications.getStatus
runapps.applications.list
runapps.deployments.*
runapps.locations.*
runapps.operations.*
Serverless Integrations Viewer
Beta
(roles/runapps.viewer)
Read-only access to Serverless Integrations resources.
resourcemanager.projects.get
resourcemanager.projects.list
runapps.applications.get
runapps.applications.getStatus
runapps.applications.list
runapps.deployments.get
runapps.deployments.list
runapps.locations.*
runapps.operations.get
runapps.operations.list
Cloud RuntimeConfig Admin
(roles/runtimeconfig.admin)
Full access to RuntimeConfig resources.
runtimeconfig.*
(roles/securedlandingzone.bqdwOrgRemediator)
Access to modify (remediate) resources in SLZ BQDW Blueprint at Organization.
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
accesscontextmanager.servicePerimeters.update
(roles/securedlandingzone.bqdwProjectRemediator)
Access to modify (remediate) resources in SLZ BQDW Blueprint at Project.
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.setIamPolicy
bigquery.datasets.update
cloudkms.cryptoKeys.get
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.cryptoKeys.setIamPolicy
cloudkms.cryptoKeys.update
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.setIamPolicy
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
pubsub.topics.update
resourcemanager.projects.update
serviceusage.services.use
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
storage.buckets.update
Overwatch Activator
Beta
(roles/securedlandingzone.overwatchActivator)
This role can activate or suspend Overwatches
resourcemanager.projects.get
resourcemanager.projects.list
securedlandingzone.overwatches.activate
securedlandingzone.overwatches.suspend
Overwatch Admin
Beta
(roles/securedlandingzone.overwatchAdmin)
Full access to Overwatches
resourcemanager.projects.get
resourcemanager.projects.list
securedlandingzone.*
Overwatch Viewer
Beta
(roles/securedlandingzone.overwatchViewer)
This role can view all properties of Overwatches
resourcemanager.projects.get
resourcemanager.projects.list
securedlandingzone.operations.get
securedlandingzone.overwatches.get
securedlandingzone.overwatches.list
Security Posture Admin
(roles/securityposture.admin)
Full access to Security Posture service APIs.
orgpolicy.*
resourcemanager.organizations.get
securitycenter.securityhealthanalyticssettings.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.update
securityposture.*
Security Posture Deployer
(roles/securityposture.postureDeployer)
Mutate and read permissions to the Posture Deployment resource.
orgpolicy.*
resourcemanager.organizations.get
securitycenter.securityhealthanalyticssettings.*
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.update
securityposture.operations.get
securityposture.postureDeployments.*
Security Posture Deployments Viewer
(roles/securityposture.postureDeploymentsViewer)
Read only access to the Posture Deployment resource.
resourcemanager.organizations.get
securityposture.operations.get
securityposture.postureDeployments.get
securityposture.postureDeployments.list
Security Posture Resource Editor
(roles/securityposture.postureEditor)
Mutate and read permissions to the Posture resource.
securityposture.operations.get
securityposture.postures.*
Security Posture Resource Viewer
(roles/securityposture.postureViewer)
Read only access to the Posture resource.
resourcemanager.organizations.get
securityposture.operations.get
securityposture.postures.get
securityposture.postures.list
Security Posture Shift-Left Validator
(roles/securityposture.reportCreator)
Create access for Reports, e.g. IaC Validation Report.
securityposture.operations.get
securityposture.reports.*
Security Posture Viewer
(roles/securityposture.viewer)
Read only access to all the SecurityPosture Service resources.
resourcemanager.organizations.get
securityposture.operations.get
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureTemplates.*
securityposture.postures.get
securityposture.postures.list
Personalized Service Health Viewer
(roles/servicehealth.viewer)
Readonly access to Personalized Service Health resources.
resourcemanager.projects.get
resourcemanager.projects.list
servicehealth.*
Security Insights Viewer
Beta
(roles/servicesecurityinsights.securityInsightsViewer)
Read-only access to Security Insights resources
servicesecurityinsights.*
Speaker ID Admin
(roles/speakerid.admin)
Grants full access to all Speaker ID resources, including project settings.
speakerid.*
Speaker ID Editor
(roles/speakerid.editor)
Grants access to read and write all Speaker ID resources.
speakerid.phrases.*
speakerid.speakers.*
Speaker ID Verifier
(roles/speakerid.verifier)
Grants read access to all Speaker ID resources, and allows verification.
speakerid.phrases.get
speakerid.phrases.list
speakerid.speakers.get
speakerid.speakers.list
speakerid.speakers.verify
Speaker ID Viewer
(roles/speakerid.viewer)
Grants read access to all Speaker ID resources.
speakerid.phrases.get
speakerid.phrases.list
speakerid.speakers.get
speakerid.speakers.list
Cloud Speech Administrator
(roles/speech.admin)
Grants full access to all resources in Speech-to-text
speech.*
Cloud Speech Client
(roles/speech.client)
Grants access to the recognition APIs.
speech.adaptations.execute
speech.customClasses.get
speech.customClasses.list
speech.locations.*
speech.operations.get
speech.operations.list
speech.operations.wait
speech.phraseSets.get
speech.phraseSets.list
speech.recognizers.get
speech.recognizers.list
speech.recognizers.recognize
Cloud Speech Editor
(roles/speech.editor)
Grants access to edit resources in Speech-to-text
speech.adaptations.execute
speech.customClasses.*
speech.locations.*
speech.operations.*
speech.phraseSets.*
speech.recognizers.*
Storage Insights Admin
(roles/storageinsights.admin)
Full access to Storage Insights resources.
resourcemanager.projects.get
resourcemanager.projects.list
storageinsights.*
Storage Insights Analyst
(roles/storageinsights.analyst)
Data access to Storage Insights.
resourcemanager.projects.get
resourcemanager.projects.list
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.linkDataset
storageinsights.datasetConfigs.list
storageinsights.datasetConfigs.unlinkDataset
storageinsights.locations.*
storageinsights.operations.get
storageinsights.operations.list
storageinsights.reportConfigs.get
storageinsights.reportConfigs.list
storageinsights.reportDetails.*
Storage Insights Viewer
(roles/storageinsights.viewer)
Read-only access to Storage Insights resources.
resourcemanager.projects.get
resourcemanager.projects.list
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.list
storageinsights.locations.*
storageinsights.operations.get
storageinsights.operations.list
storageinsights.reportConfigs.get
storageinsights.reportConfigs.list
storageinsights.reportDetails.*
Subscribe with Google Developer
Beta
(roles/subscribewithgoogledeveloper.developer)
Access DevTools for Subscribe with Google
resourcemanager.projects.get
resourcemanager.projects.list
subscribewithgoogledeveloper.tools.get
Telco Automation Admin
Beta
(roles/telcoautomation.admin)
Full access to Telco Automation resources.
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logScopes.get
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
monitoring.timeSeries.list
observability.scopes.get
resourcemanager.projects.get
serviceusage.quotas.*
serviceusage.services.*
source.repos.get
source.repos.list
telcoautomation.*
Telco Automation Blueprint Designer
Beta
(roles/telcoautomation.blueprintDesigner)
Ability to manage blueprints
telcoautomation.blueprints.create
telcoautomation.blueprints.delete
telcoautomation.blueprints.get
telcoautomation.blueprints.list
telcoautomation.blueprints.propose
telcoautomation.blueprints.update
telcoautomation.deployments.computeStatus
telcoautomation.deployments.get
telcoautomation.deployments.list
telcoautomation.hydratedDeployments.get
telcoautomation.hydratedDeployments.list
telcoautomation.orchestrationClusters.get
telcoautomation.orchestrationClusters.list
telcoautomation.publicBlueprints.*
Telco Automation Deployment Admin
Beta
(roles/telcoautomation.deploymentAdmin)
Ability to manage deployments
telcoautomation.blueprints.get
telcoautomation.blueprints.list
telcoautomation.deployments.*
telcoautomation.hydratedDeployments.*
telcoautomation.orchestrationClusters.get
telcoautomation.orchestrationClusters.list
Telco Automation Tier 1 Operations Admin
Beta
(roles/telcoautomation.opsAdminTier1)
Ability to get status of deployments
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logScopes.get
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
observability.scopes.get
resourcemanager.projects.get
telcoautomation.blueprints.get
telcoautomation.blueprints.list
telcoautomation.deployments.computeStatus
telcoautomation.deployments.get
telcoautomation.deployments.list
telcoautomation.hydratedDeployments.get
telcoautomation.hydratedDeployments.list
telcoautomation.orchestrationClusters.get
telcoautomation.orchestrationClusters.list
Telco Automation Tier 4 Operations Admin
Beta
(roles/telcoautomation.opsAdminTier4)
Ability to manage deployments and their status
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logScopes.get
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
observability.scopes.get
resourcemanager.projects.get
telcoautomation.blueprints.get
telcoautomation.blueprints.list
telcoautomation.deployments.*
telcoautomation.hydratedDeployments.*
telcoautomation.orchestrationClusters.get
telcoautomation.orchestrationClusters.list
Telco Automation Service Orchestrator
Beta
(roles/telcoautomation.serviceOrchestrator)
Ability to manage deployments
telcoautomation.blueprints.get
telcoautomation.blueprints.list
telcoautomation.deployments.*
telcoautomation.hydratedDeployments.*
telcoautomation.orchestrationClusters.get
telcoautomation.orchestrationClusters.list
Timeseries Insights DataSet Editor
Beta
(roles/timeseriesinsights.datasetsEditor)
Edit access to DataSets.
timeseriesinsights.*
Timeseries Insights DataSet Owner
Beta
(roles/timeseriesinsights.datasetsOwner)
Full access to DataSets.
timeseriesinsights.*
Timeseries Insights DataSet Viewer
Beta
(roles/timeseriesinsights.datasetsViewer)
Read-only access (List and Query) to DataSets.
timeseriesinsights.datasets.evaluate
timeseriesinsights.datasets.list
timeseriesinsights.datasets.query
timeseriesinsights.locations.*
Traffic Director Client
Beta
(roles/trafficdirector.client)
Fetch service configurations and report metrics.
trafficdirector.*
Translation Hub Admin
Beta
(roles/translationhub.admin)
Admin of Translation Hub
automl.models.get
automl.models.list
automl.models.predict
cloudtranslate.customModels.get
cloudtranslate.customModels.list
cloudtranslate.customModels.predict
cloudtranslate.glossaries.create
cloudtranslate.glossaries.delete
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.glossaries.predict
resourcemanager.projects.get
resourcemanager.projects.list
translationhub.*
Translation Hub Portal User
Beta
(roles/translationhub.portalUser)
Portal user of Translation Hub
automl.models.get
automl.models.list
automl.models.predict
cloudtranslate.customModels.get
cloudtranslate.customModels.list
cloudtranslate.customModels.predict
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.glossaries.predict
resourcemanager.projects.get
resourcemanager.projects.list
translationhub.portals.get
translationhub.portals.list
Visual Inspection AI Solution Editor
(roles/visualinspection.editor)
Read and write access to all Visual Inspection AI resources except visualinspection.locations.reportUsageMetrics
visualinspection.annotationSets.*
visualinspection.annotationSpecs.*
visualinspection.annotations.*
visualinspection.datasets.*
visualinspection.images.*
visualinspection.locations.get
visualinspection.locations.list
visualinspection.modelEvaluations.*
visualinspection.models.*
visualinspection.modules.*
visualinspection.operations.*
visualinspection.solutionArtifacts.*
visualinspection.solutions.*
Visual Inspection AI Usage Metrics Reporter
(roles/visualinspection.usageMetricsReporter)
ReportUsageMetric access to Visual Inspection AI Service
visualinspection.locations.reportUsageMetrics
Visual Inspection AI Viewer
(roles/visualinspection.viewer)
Read access to Visual Inspection AI resources
visualinspection.annotationSets.get
visualinspection.annotationSets.list
visualinspection.annotationSpecs.get
visualinspection.annotationSpecs.list
visualinspection.annotations.get
visualinspection.annotations.list
visualinspection.datasets.export
visualinspection.datasets.get
visualinspection.datasets.list
visualinspection.images.get
visualinspection.images.list
visualinspection.locations.get
visualinspection.locations.list
visualinspection.modelEvaluations.*
visualinspection.models.get
visualinspection.models.list
visualinspection.modules.get
visualinspection.modules.list
visualinspection.operations.*
visualinspection.solutionArtifacts.get
visualinspection.solutionArtifacts.list
visualinspection.solutionArtifacts.predict
visualinspection.solutions.get
visualinspection.solutions.list
PAM roles
Permissions
Privileged Access Manager Admin
(roles/privilegedaccessmanager.admin)
Full access to Privileged Access Manager resources.
privilegedaccessmanager.*
resourcemanager.projects.get
Privileged Access Manager Viewer
(roles/privilegedaccessmanager.viewer)
Read-only access to Privileged Access Manager resources.
privilegedaccessmanager.entitlements.get
privilegedaccessmanager.entitlements.list
privilegedaccessmanager.grants.get
privilegedaccessmanager.grants.list
privilegedaccessmanager.locations.get
privilegedaccessmanager.locations.list
privilegedaccessmanager.operations.get
privilegedaccessmanager.operations.list
resourcemanager.projects.get
Project roles
Permissions
Browser
(roles/browser)
Read access to browse the hierarchy for a project, including the folder, organization, and allow policy. This role doesn't include permission to view resources in the project.
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Proximity Beacon roles
Permissions
Beacon Attachment Editor
(roles/proximitybeacon.attachmentEditor)
Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces.
proximitybeacon.attachments.*
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.namespaces.list
resourcemanager.projects.get
resourcemanager.projects.list
Beacon Attachment Publisher
(roles/proximitybeacon.attachmentPublisher)
Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project.
proximitybeacon.beacons.attach
proximitybeacon.beacons.get
proximitybeacon.beacons.list
resourcemanager.projects.get
resourcemanager.projects.list
Beacon Attachment Viewer
(roles/proximitybeacon.attachmentViewer)
Can view all attachments under a namespace; no beacon or namespace permissions.
proximitybeacon.attachments.get
proximitybeacon.attachments.list
resourcemanager.projects.get
resourcemanager.projects.list
Beacon Editor
(roles/proximitybeacon.beaconEditor)
Necessary access to register, modify, and view beacons; no attachment or namespace permissions.
proximitybeacon.beacons.create
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.beacons.update
resourcemanager.projects.get
resourcemanager.projects.list
Pub/Sub roles
Permissions
Pub/Sub Admin
(roles/pubsub.admin)
Provides full access to topics and subscriptions.
Lowest-level resources where you can grant this role:
Schema
Snapshot
Subscription
Topic
pubsub.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Pub/Sub Editor
(roles/pubsub.editor)
Provides access to modify topics and subscriptions, and access to publish and consume messages.
Lowest-level resources where you can grant this role:
Schema
Snapshot
Subscription
Topic
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Pub/Sub Publisher
(roles/pubsub.publisher)
Provides access to publish messages to a topic.
Lowest-level resources where you can grant this role:
pubsub.topics.publish
Pub/Sub Subscriber
(roles/pubsub.subscriber)
Provides access to consume messages from a subscription and to attach subscriptions to a topic.
Lowest-level resources where you can grant this role:
Snapshot
Subscription
Topic
pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription
Pub/Sub Viewer
(roles/pubsub.viewer)
Provides access to view topics and subscriptions.
Lowest-level resources where you can grant this role:
Schema
Snapshot
Subscription
Topic
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Pub/Sub Lite roles
Permissions
Pub/Sub Lite Admin
(roles/pubsublite.admin)
Full access to topics, subscriptions and reservations.
pubsublite.*
Pub/Sub Lite Editor
(roles/pubsublite.editor)
Modify topics, subscriptions and reservations, publish and consume messages.
pubsublite.*
Pub/Sub Lite Publisher
(roles/pubsublite.publisher)
Publish messages to a topic.
pubsublite.locations.openKafkaStream
pubsublite.topics.getPartitions
pubsublite.topics.publish
Pub/Sub Lite Subscriber
(roles/pubsublite.subscriber)
Subscribe to and read messages from a topic.
pubsublite.locations.openKafkaStream
pubsublite.operations.get
pubsublite.subscriptions.getCursor
pubsublite.subscriptions.seek
pubsublite.subscriptions.setCursor
pubsublite.subscriptions.subscribe
pubsublite.topics.computeHeadCursor
pubsublite.topics.computeMessageStats
pubsublite.topics.computeTimeCursor
pubsublite.topics.getPartitions
pubsublite.topics.subscribe
Pub/Sub Lite Viewer
(roles/pubsublite.viewer)
View topics, subscriptions and reservations.
pubsublite.operations.*
pubsublite.reservations.get
pubsublite.reservations.list
pubsublite.reservations.listTopics
pubsublite.subscriptions.get
pubsublite.subscriptions.getCursor
pubsublite.subscriptions.list
pubsublite.topics.get
pubsublite.topics.getPartitions
pubsublite.topics.list
pubsublite.topics.listSubscriptions
Rapid Migration Assessment roles
Permissions
Rapid Migration Assessment Admin
(roles/rma.admin)
Full access to all Rapid Migration Assessment resources.
resourcemanager.projects.get
resourcemanager.projects.list
rma.*
Rapid Migration Assessment Runner
(roles/rma.runner)
Update and read access to all Rapid Migration Assessment resources.
resourcemanager.projects.get
resourcemanager.projects.list
rma.annotations.get
rma.collectors.get
rma.collectors.list
rma.collectors.update
rma.locations.*
rma.operations.get
rma.operations.list
Rapid Migration Assessment Viewer
(roles/rma.viewer)
Read-only access to all Rapid Migration Assessment resources.
resourcemanager.projects.get
resourcemanager.projects.list
rma.annotations.get
rma.collectors.get
rma.collectors.list
rma.locations.*
rma.operations.get
rma.operations.list
reCAPTCHA Enterprise roles
Permissions
reCAPTCHA Enterprise Admin
Beta
(roles/recaptchaenterprise.admin)
Access to view and modify reCAPTCHA Enterprise keys
monitoring.timeSeries.list
recaptchaenterprise.firewallpolicies.*
recaptchaenterprise.keys.*
recaptchaenterprise.metrics.get
recaptchaenterprise.projectmetadata.*
resourcemanager.projects.get
resourcemanager.projects.list
reCAPTCHA Enterprise Agent
Beta
(roles/recaptchaenterprise.agent)
Access to create and annotate reCAPTCHA Enterprise assessments
recaptchaenterprise.assessments.*
recaptchaenterprise.firewallpolicies.list
recaptchaenterprise.relatedaccountgroupmemberships.list
recaptchaenterprise.relatedaccountgroups.list
resourcemanager.projects.get
resourcemanager.projects.list
reCAPTCHA Enterprise Viewer
Beta
(roles/recaptchaenterprise.viewer)
Access to view reCAPTCHA Enterprise keys and metrics
monitoring.timeSeries.list
recaptchaenterprise.firewallpolicies.get
recaptchaenterprise.firewallpolicies.list
recaptchaenterprise.keys.get
recaptchaenterprise.keys.list
recaptchaenterprise.metrics.get
recaptchaenterprise.projectmetadata.get
resourcemanager.projects.get
resourcemanager.projects.list
Recommendations AI roles
Permissions
Recommendations AI Admin
Beta
(roles/automlrecommendations.admin)
Full access to all Recommendations AI resources.
automlrecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.catalogs.update
retail.operations.*
retail.placements.*
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.purge
retail.products.update
retail.retailProjects.get
retail.userEvents.*
serviceusage.services.get
serviceusage.services.list
Recommendations AI Admin Viewer
Beta
(roles/automlrecommendations.adminViewer)
Viewer of all Recommendations AI resources.
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.eventStores.*
automlrecommendations.events.get
automlrecommendations.events.list
automlrecommendations.placements.getStats
automlrecommendations.placements.list
automlrecommendations.recommendations.list
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.operations.*
retail.placements.*
retail.products.export
retail.products.get
retail.products.list
retail.retailProjects.get
serviceusage.services.get
serviceusage.services.list
Recommendations AI Editor
Beta
(roles/automlrecommendations.editor)
Editor of all Recommendations AI resources.
automlrecommendations.apiKeys.create
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.*
automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.eventStores.*
automlrecommendations.events.create
automlrecommendations.events.get
automlrecommendations.events.list
automlrecommendations.placements.create
automlrecommendations.placements.getStats
automlrecommendations.placements.list
automlrecommendations.recommendations.create
automlrecommendations.recommendations.list
automlrecommendations.recommendations.pause
automlrecommendations.recommendations.resume
automlrecommendations.recommendations.update
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.catalogs.update
retail.operations.*
retail.placements.*
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.update
retail.retailProjects.get
retail.userEvents.create
retail.userEvents.import
serviceusage.services.get
serviceusage.services.list
Recommendations AI Viewer
Beta
(roles/automlrecommendations.viewer)
Viewer of all Recommendations resources except apiKeys. To view all resources, including apiKeys, grant the Recommendations AI Admin Viewer role (roles/automlrecommendations.adminViewer).
automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.eventStores.*
automlrecommendations.events.get
automlrecommendations.events.list
automlrecommendations.placements.getStats
automlrecommendations.placements.list
automlrecommendations.recommendations.list
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.operations.*
retail.placements.*
retail.products.export
retail.products.get
retail.products.list
retail.retailProjects.get
serviceusage.services.get
serviceusage.services.list
Recommender roles
Permissions
AlloyDB Recommender Admin
Beta
(roles/recommender.alloydbAdmin)
Admin of AlloyDB insights and recommendations.
recommender.alloydbClusterPerformanceInsights.*
recommender.alloydbClusterPerformanceRecommendations.*
recommender.alloydbClusterReliabilityInsights.*
recommender.alloydbClusterReliabilityRecommendations.*
recommender.alloydbInstanceSecurityInsights.*
recommender.alloydbInstanceSecurityRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
AlloyDB Recommender Viewer
Beta
(roles/recommender.alloydbViewer)
Viewer of AlloyDB insights and recommendations.
recommender.alloydbClusterPerformanceInsights.get
recommender.alloydbClusterPerformanceInsights.list
recommender.alloydbClusterPerformanceRecommendations.get
recommender.alloydbClusterPerformanceRecommendations.list
recommender.alloydbClusterReliabilityInsights.get
recommender.alloydbClusterReliabilityInsights.list
recommender.alloydbClusterReliabilityRecommendations.get
recommender.alloydbClusterReliabilityRecommendations.list
recommender.alloydbInstanceSecurityInsights.get
recommender.alloydbInstanceSecurityInsights.list
recommender.alloydbInstanceSecurityRecommendations.get
recommender.alloydbInstanceSecurityRecommendations.list
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Slot Recommender Admin
Beta
(roles/recommender.bigQueryCapacityCommitmentsAdmin)
Admin of BigQuery Capacity Commitments insights and recommendations.
recommender.bigqueryCapacityCommitmentsInsights.*
recommender.bigqueryCapacityCommitmentsRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Recommender Billing Account Admin
Beta
(roles/recommender.bigQueryCapacityCommitmentsBillingAccountAdmin)
Billing Account Admin of BigQuery Capacity Commitments insights and recommendations.
billing.accounts.get
billing.accounts.list
recommender.bigqueryCapacityCommitmentsInsights.*
recommender.bigqueryCapacityCommitmentsRecommendations.*
BigQuery Recommender Billing Account Viewer
Beta
(roles/recommender.bigQueryCapacityCommitmentsBillingAccountViewer)
Billing Account Viewer of BigQuery Capacity Commitments insights and recommendations.
billing.accounts.get
billing.accounts.list
recommender.bigqueryCapacityCommitmentsInsights.get
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsRecommendations.get
recommender.bigqueryCapacityCommitmentsRecommendations.list
BigQuery Recommender Project Admin
Beta
(roles/recommender.bigQueryCapacityCommitmentsProjectAdmin)
Project Admin of BigQuery Capacity Commitments insights and recommendations.
recommender.bigqueryCapacityCommitmentsInsights.*
recommender.bigqueryCapacityCommitmentsRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Recommender Project Viewer
Beta
(roles/recommender.bigQueryCapacityCommitmentsProjectViewer)
Project Viewer of BigQuery Capacity Commitments insights and recommendations.
recommender.bigqueryCapacityCommitmentsInsights.get
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsRecommendations.get
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Slot Recommender Viewer
Beta
(roles/recommender.bigQueryCapacityCommitmentsViewer)
Viewer of BigQuery Capacity Commitments insights and recommendations.
recommender.bigqueryCapacityCommitmentsInsights.get
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsRecommendations.get
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Materialized View Recommender Admin
(roles/recommender.bigqueryMaterializedViewAdmin)
Admin of BigQuery Materialized View Insights and Recommendations.
recommender.bigqueryMaterializedViewInsights.*
recommender.bigqueryMaterializedViewRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Materialized View Recommender Viewer
(roles/recommender.bigqueryMaterializedViewViewer)
Viewer of BigQuery Materialized View Insights and Recommendations.
recommender.bigqueryMaterializedViewInsights.get
recommender.bigqueryMaterializedViewInsights.list
recommender.bigqueryMaterializedViewRecommendations.get
recommender.bigqueryMaterializedViewRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Partitioning Clustering Recommender Admin
Beta
(roles/recommender.bigqueryPartitionClusterAdmin)
Admin of BigQuery Partitioning Clustering recommendations.
recommender.bigqueryPartitionClusterRecommendations.*
recommender.bigqueryTableStatsInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Partitioning Clustering Recommender Viewer
Beta
(roles/recommender.bigqueryPartitionClusterViewer)
Viewer of BigQuery Partitioning Clustering recommendations.
recommender.bigqueryPartitionClusterRecommendations.get
recommender.bigqueryPartitionClusterRecommendations.list
recommender.bigqueryTableStatsInsights.get
recommender.bigqueryTableStatsInsights.list
resourcemanager.projects.get
resourcemanager.projects.list
Billing Account Usage Commitment Recommender Admin
Beta
(roles/recommender.billingAccountCudAdmin)
Admin of Billing Account Usage Commitment Recommender.
billing.accounts.get
billing.accounts.list
recommender.commitmentUtilizationInsights.*
recommender.usageCommitmentRecommendations.*
Billing Account Usage Commitment Recommender Viewer
Beta
(roles/recommender.billingAccountCudViewer)
Viewer of Billing Account Usage Commitment Recommender.
billing.accounts.get
billing.accounts.list
recommender.commitmentUtilizationInsights.get
recommender.commitmentUtilizationInsights.list
recommender.usageCommitmentRecommendations.get
recommender.usageCommitmentRecommendations.list
Cloud Asset Insights Admin
(roles/recommender.cloudAssetInsightsAdmin)
Admin of all Cloud Asset insights.
recommender.cloudAssetInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Asset Insights Viewer
(roles/recommender.cloudAssetInsightsViewer)
Viewer of all Cloud Asset insights.
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Cost General Recommendations Recommender Admin
Beta
(roles/recommender.cloudCostRecommendationAdmin)
Admin of Cloud Cost General Recommendations Insights and Recommendations.
recommender.cloudCostGeneralInsights.*
recommender.cloudCostGeneralRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Cost General Recommendations Recommender Viewer
Beta
(roles/recommender.cloudCostRecommendationViewer)
Viewer of Cloud Cost General Recommendations Insights and Recommendations.
recommender.cloudCostGeneralInsights.get
recommender.cloudCostGeneralInsights.list
recommender.cloudCostGeneralRecommendations.get
recommender.cloudCostGeneralRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deprecation General Recommender Admin
Beta
(roles/recommender.cloudDeprecationRecommendationAdmin)
Admin of Cloud Deprecation General Recommender Insights and Recommendations.
recommender.cloudDeprecationGeneralInsights.*
recommender.cloudDeprecationGeneralRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deprecation General Recommender Viewer
Beta
(roles/recommender.cloudDeprecationRecommendationViewer)
Viewer of Cloud Deprecation General Recommender Insights and Recommendations.
recommender.cloudDeprecationGeneralInsights.get
recommender.cloudDeprecationGeneralInsights.list
recommender.cloudDeprecationGeneralRecommendations.get
recommender.cloudDeprecationGeneralRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Manageability General Recommendations Recommender Admin
Beta
(roles/recommender.cloudManageabilityRecommendationAdmin)
Admin of Cloud Manageability General Recommendations Insights and Recommendations.
recommender.cloudManageabilityGeneralInsights.*
recommender.cloudManageabilityGeneralRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Manageability General Recommendations Recommender Viewer
Beta
(roles/recommender.cloudManageabilityRecommendationViewer)
Viewer of Cloud Manageability General Recommendations Insights and Recommendations.
recommender.cloudManageabilityGeneralInsights.get
recommender.cloudManageabilityGeneralInsights.list
recommender.cloudManageabilityGeneralRecommendations.get
recommender.cloudManageabilityGeneralRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/recommender.cloudPerformanceRecommendationAdmin)
Admin of Cloud Performance General Recommendations Insights and Recommendations.
recommender.cloudPerformanceGeneralInsights.*
recommender.cloudPerformanceGeneralRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/recommender.cloudPerformanceRecommendationViewer)
Viewer of Cloud Performance General Recommendations Insights and Recommendations.
recommender.cloudPerformanceGeneralInsights.get
recommender.cloudPerformanceGeneralInsights.list
recommender.cloudPerformanceGeneralRecommendations.get
recommender.cloudPerformanceGeneralRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Reliability General Recommendations Recommender Admin
Beta
(roles/recommender.cloudReliabilityRecommendationAdmin)
Admin of Cloud Reliability General Recommendations Insights and Recommendations.
recommender.cloudReliabilityGeneralInsights.*
recommender.cloudReliabilityGeneralRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Reliability General Recommendations Recommender Viewer
Beta
(roles/recommender.cloudReliabilityRecommendationViewer)
Viewer of Cloud Reliability General Recommendations Insights and Recommendations.
recommender.cloudReliabilityGeneralInsights.get
recommender.cloudReliabilityGeneralInsights.list
recommender.cloudReliabilityGeneralRecommendations.get
recommender.cloudReliabilityGeneralRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Security General Recommendations Recommender Admin
Beta
(roles/recommender.cloudSecurityRecommendationAdmin)
Admin of Cloud Security General Recommendations Insights and Recommendations.
recommender.cloudSecurityGeneralInsights.*
recommender.cloudSecurityGeneralRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Security General Recommendations Recommender Viewer
Beta
(roles/recommender.cloudSecurityRecommendationViewer)
Viewer of Cloud Security General Recommendations Insights and Recommendations.
recommender.cloudSecurityGeneralInsights.get
recommender.cloudSecurityGeneralInsights.list
recommender.cloudSecurityGeneralRecommendations.get
recommender.cloudSecurityGeneralRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud SQL Recommender Admin
Beta
(roles/recommender.cloudsqlAdmin)
Admin of Cloud SQL insights and recommendations.
recommender.cloudsqlIdleInstanceRecommendations.*
recommender.cloudsqlInstanceActivityInsights.*
recommender.cloudsqlInstanceCpuUsageInsights.*
recommender.cloudsqlInstanceDiskUsageTrendInsights.*
recommender.cloudsqlInstanceMemoryUsageInsights.*
recommender.cloudsqlInstanceOomProbabilityInsights.*
recommender.cloudsqlInstanceOutOfDiskRecommendations.*
recommender.cloudsqlInstancePerformanceInsights.*
recommender.cloudsqlInstancePerformanceRecommendations.*
recommender.cloudsqlInstanceReliabilityInsights.*
recommender.cloudsqlInstanceReliabilityRecommendations.*
recommender.cloudsqlInstanceSecurityInsights.*
recommender.cloudsqlInstanceSecurityRecommendations.*
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.*
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.*
recommender.cloudsqlOverprovisionedInstanceRecommendations.*
recommender.cloudsqlUnderProvisionedInstanceRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud SQL Recommender Viewer
Beta
(roles/recommender.cloudsqlViewer)
Viewer of Cloud SQL insights and recommendations.
recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlInstanceActivityInsights.get
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.get
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.get
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.get
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceOomProbabilityInsights.get
recommender.cloudsqlInstanceOomProbabilityInsights.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.get
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlInstancePerformanceInsights.get
recommender.cloudsqlInstancePerformanceInsights.list
recommender.cloudsqlInstancePerformanceRecommendations.get
recommender.cloudsqlInstancePerformanceRecommendations.list
recommender.cloudsqlInstanceReliabilityInsights.get
recommender.cloudsqlInstanceReliabilityInsights.list
recommender.cloudsqlInstanceReliabilityRecommendations.get
recommender.cloudsqlInstanceReliabilityRecommendations.list
recommender.cloudsqlInstanceSecurityInsights.get
recommender.cloudsqlInstanceSecurityInsights.list
recommender.cloudsqlInstanceSecurityRecommendations.get
recommender.cloudsqlInstanceSecurityRecommendations.list
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlUnderProvisionedInstanceRecommendations.get
recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
resourcemanager.projects.get
resourcemanager.projects.list
Compute Recommender Admin
(roles/recommender.computeAdmin)
Admin of compute recommendations.
recommender.computeAddressIdleResourceInsights.*
recommender.computeAddressIdleResourceRecommendations.*
recommender.computeDiskIdleResourceInsights.*
recommender.computeDiskIdleResourceRecommendations.*
recommender.computeImageIdleResourceInsights.*
recommender.computeImageIdleResourceRecommendations.*
recommender.computeInstanceCpuUsageInsights.*
recommender.computeInstanceCpuUsagePredictionInsights.*
recommender.computeInstanceCpuUsageTrendInsights.*
recommender.computeInstanceGroupManagerCpuUsageInsights.*
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.*
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.*
recommender.computeInstanceGroupManagerMachineTypeRecommendations.*
recommender.computeInstanceGroupManagerMemoryUsageInsights.*
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.*
recommender.computeInstanceIdleResourceRecommendations.*
recommender.computeInstanceIdleResourceRecommenderConfig.*
recommender.computeInstanceMachineTypeRecommendations.*
recommender.computeInstanceMemoryUsageInsights.*
recommender.computeInstanceMemoryUsagePredictionInsights.*
recommender.computeInstanceNetworkThroughputInsights.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Compute Recommender Viewer
(roles/recommender.computeViewer)
Viewer of compute recommendations.
recommender.computeAddressIdleResourceInsights.get
recommender.computeAddressIdleResourceInsights.list
recommender.computeAddressIdleResourceRecommendations.get
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeDiskIdleResourceInsights.get
recommender.computeDiskIdleResourceInsights.list
recommender.computeDiskIdleResourceRecommendations.get
recommender.computeDiskIdleResourceRecommendations.list
recommender.computeImageIdleResourceInsights.get
recommender.computeImageIdleResourceInsights.list
recommender.computeImageIdleResourceRecommendations.get
recommender.computeImageIdleResourceRecommendations.list
recommender.computeInstanceCpuUsageInsights.get
recommender.computeInstanceCpuUsageInsights.list
recommender.computeInstanceCpuUsagePredictionInsights.get
recommender.computeInstanceCpuUsagePredictionInsights.list
recommender.computeInstanceCpuUsageTrendInsights.get
recommender.computeInstanceCpuUsageTrendInsights.list
recommender.computeInstanceGroupManagerCpuUsageInsights.get
recommender.computeInstanceGroupManagerCpuUsageInsights.list
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.get
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.get
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list
recommender.computeInstanceGroupManagerMachineTypeRecommendations.get
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceGroupManagerMemoryUsageInsights.get
recommender.computeInstanceGroupManagerMemoryUsageInsights.list
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.get
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list
recommender.computeInstanceIdleResourceRecommendations.get
recommender.computeInstanceIdleResourceRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.get
recommender.computeInstanceMachineTypeRecommendations.list
recommender.computeInstanceMemoryUsageInsights.get
recommender.computeInstanceMemoryUsageInsights.list
recommender.computeInstanceMemoryUsagePredictionInsights.get
recommender.computeInstanceMemoryUsagePredictionInsights.list
recommender.computeInstanceNetworkThroughputInsights.get
recommender.computeInstanceNetworkThroughputInsights.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
GKE Diagnosis Recommender Admin
(roles/recommender.containerDiagnosisAdmin)
Admin of GKE Diagnosis Insights and Recommendations.
recommender.containerDiagnosisInsights.*
recommender.containerDiagnosisRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
GKE Diagnosis Recommender Viewer
(roles/recommender.containerDiagnosisViewer)
Viewer of GKE Diagnosis Insights and Recommendations.
recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataflow Diagnostics Admin
(roles/recommender.dataflowDiagnosticsAdmin)
Admin of Diagnostics recommendations.
recommender.dataflowDiagnosticsInsights.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataflow Diagnostics Viewer
(roles/recommender.dataflowDiagnosticsViewer)
Viewer of Diagnostics recommendations.
recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Error Reporting Recommender Admin
(roles/recommender.errorReportingAdmin)
Admin of Error Reporting Insights and Recommendations.
recommender.errorReportingInsights.*
recommender.errorReportingRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Error Reporting Recommender Viewer
(roles/recommender.errorReportingViewer)
Viewer of Error Reporting Insights and Recommendations.
recommender.errorReportingInsights.get
recommender.errorReportingInsights.list
recommender.errorReportingRecommendations.get
recommender.errorReportingRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Firestore Database Reliability Recommender Admin
(roles/recommender.firestoredatabasereliabilityAdmin)
Admin of Firestore Database Reliability Insights and Recommendations.
recommender.firestoreDatabaseReliabilityInsights.*
recommender.firestoreDatabaseReliabilityRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Firestore Database Reliability Recommender Viewer
(roles/recommender.firestoredatabasereliabilityViewer)
Viewer of Firestore Database Reliability Insights and Recommendations.
recommender.firestoreDatabaseReliabilityInsights.get
recommender.firestoreDatabaseReliabilityInsights.list
recommender.firestoreDatabaseReliabilityRecommendations.get
recommender.firestoreDatabaseReliabilityRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Firewall Recommender Admin
(roles/recommender.firewallAdmin)
Admin of Firewall insights and recommendations.
monitoring.timeSeries.list
recommender.computeFirewallInsightTypeConfigs.*
recommender.computeFirewallInsights.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Firewall Recommender Viewer
(roles/recommender.firewallViewer)
Viewer of Firewall insights and recommendations.
monitoring.timeSeries.list
recommender.computeFirewallInsightTypeConfigs.get
recommender.computeFirewallInsights.get
recommender.computeFirewallInsights.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Maps Platform Insights/Recommendations Admin
(roles/recommender.gmpAdmin)
Admin of all Google Maps Platform insights and recommendations.
recommender.gmpGuidedExperienceInsights.*
recommender.gmpGuidedExperienceRecommendations.*
recommender.gmpProjectManagementInsights.*
recommender.gmpProjectManagementRecommendations.*
recommender.gmpProjectProductSuggestionsInsights.*
recommender.gmpProjectProductSuggestionsRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Maps Platform Insights/Recommendations Viewer
(roles/recommender.gmpViewer)
Viewer of all Google Maps Platform insights and recommendations.
recommender.gmpGuidedExperienceInsights.get
recommender.gmpGuidedExperienceInsights.list
recommender.gmpGuidedExperienceRecommendations.get
recommender.gmpGuidedExperienceRecommendations.list
recommender.gmpProjectManagementInsights.get
recommender.gmpProjectManagementInsights.list
recommender.gmpProjectManagementRecommendations.get
recommender.gmpProjectManagementRecommendations.list
recommender.gmpProjectProductSuggestionsInsights.get
recommender.gmpProjectProductSuggestionsInsights.list
recommender.gmpProjectProductSuggestionsRecommendations.get
recommender.gmpProjectProductSuggestionsRecommendations.list
resourcemanager.projects.get
resourcemanager.projects.list
IAM Recommender Admin
(roles/recommender.iamAdmin)
Admin of IAM recommendations.
recommender.iamPolicyInsights.*
recommender.iamPolicyLateralMovementInsights.*
recommender.iamPolicyRecommendations.*
recommender.iamPolicyRecommenderConfig.*
recommender.iamServiceAccountInsights.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
IAM Recommender Viewer
(roles/recommender.iamViewer)
Viewer of IAM recommendations.
recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyLateralMovementInsights.get
recommender.iamPolicyLateralMovementInsights.list
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommenderConfig.get
recommender.iamServiceAccountInsights.get
recommender.iamServiceAccountInsights.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
IAM Policy Change Risk Recommender Admin
Beta
(roles/recommender.iampolicychangeriskAdmin)
Admin of IAM Policy Change Risk Insights and Recommendations.
recommender.iamPolicyChangeRiskInsights.*
recommender.iamPolicyChangeRiskRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
IAM Policy Change Risk Recommender Viewer
Beta
(roles/recommender.iampolicychangeriskViewer)
Viewer of IAM Policy Change Risk Insights and Recommendations.
recommender.iamPolicyChangeRiskInsights.get
recommender.iamPolicyChangeRiskInsights.list
recommender.iamPolicyChangeRiskRecommendations.get
recommender.iamPolicyChangeRiskRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Recommender Admin
(roles/recommender.networkAnalyzerAdmin)
Admin of Network Analyzer Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerCloudSqlInsights.*
recommender.networkAnalyzerDynamicRouteInsights.*
recommender.networkAnalyzerGkeConnectivityInsights.*
recommender.networkAnalyzerGkeIpAddressInsights.*
recommender.networkAnalyzerGkeServiceAccountInsights.*
recommender.networkAnalyzerIpAddressInsights.*
recommender.networkAnalyzerLoadBalancerInsights.*
recommender.networkAnalyzerVpcConnectivityInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Cloud SQL Recommender Admin
(roles/recommender.networkAnalyzerCloudSqlAdmin)
Admin of Network Analyzer Cloud SQL Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerCloudSqlInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Cloud SQL Recommender Viewer
(roles/recommender.networkAnalyzerCloudSqlViewer)
Viewer of Network Analyzer Cloud SQL Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerCloudSqlInsights.get
recommender.networkAnalyzerCloudSqlInsights.list
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Dynamic Route Recommender Admin
(roles/recommender.networkAnalyzerDynamicRouteAdmin)
Admin of Network Analyzer Dynamic Route Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerDynamicRouteInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Dynamic Route Recommender Viewer
(roles/recommender.networkAnalyzerDynamicRouteViewer)
Viewer of Network Analyzer Dynamic Route Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerDynamicRouteInsights.get
recommender.networkAnalyzerDynamicRouteInsights.list
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE Connectivity Recommender Admin
(roles/recommender.networkAnalyzerGkeConnectivityAdmin)
Admin of Network Analyzer GKE Connectivity Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerGkeConnectivityInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE Connectivity Recommender Viewer
(roles/recommender.networkAnalyzerGkeConnectivityViewer)
Viewer of Network Analyzer GKE Connectivity Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE IP Address Recommender Admin
(roles/recommender.networkAnalyzerGkeIpAddressAdmin)
Admin of Network Analyzer GKE IP Address Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerGkeIpAddressInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE IP Address Recommender Viewer
(roles/recommender.networkAnalyzerGkeIpAddressViewer)
Viewer of Network Analyzer GKE IP Address Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE Service Account Insights Recommender Admin
(roles/recommender.networkAnalyzerGkeServiceAccountAdmin)
Admin of Network Analyzer GKE Service Account Insights Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerGkeServiceAccountInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE Service Account Insights Recommender Viewer
(roles/recommender.networkAnalyzerGkeServiceAccountViewer)
Viewer of Network Analyzer GKE Service Account Insights Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerGkeServiceAccountInsights.get
recommender.networkAnalyzerGkeServiceAccountInsights.list
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer IP Address Recommender Admin
(roles/recommender.networkAnalyzerIpAddressAdmin)
Admin of Network Analyzer IP Address Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerIpAddressInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer IP Address Recommender Viewer
(roles/recommender.networkAnalyzerIpAddressViewer)
Viewer of Network Analyzer IP Address Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerIpAddressInsights.get
recommender.networkAnalyzerIpAddressInsights.list
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Load Balancer Recommender Admin
(roles/recommender.networkAnalyzerLoadBalancerAdmin)
Admin of Network Analyzer Load Balancer Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerLoadBalancerInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Load Balancer Recommender Viewer
(roles/recommender.networkAnalyzerLoadBalancerViewer)
Viewer of Network Analyzer Load Balancer Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerLoadBalancerInsights.get
recommender.networkAnalyzerLoadBalancerInsights.list
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Recommender Viewer
(roles/recommender.networkAnalyzerViewer)
Viewer of Network Analyzer Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerCloudSqlInsights.get
recommender.networkAnalyzerCloudSqlInsights.list
recommender.networkAnalyzerDynamicRouteInsights.get
recommender.networkAnalyzerDynamicRouteInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
recommender.networkAnalyzerGkeServiceAccountInsights.get
recommender.networkAnalyzerGkeServiceAccountInsights.list
recommender.networkAnalyzerIpAddressInsights.get
recommender.networkAnalyzerIpAddressInsights.list
recommender.networkAnalyzerLoadBalancerInsights.get
recommender.networkAnalyzerLoadBalancerInsights.list
recommender.networkAnalyzerVpcConnectivityInsights.get
recommender.networkAnalyzerVpcConnectivityInsights.list
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer VPC Connectivity Recommender Admin
(roles/recommender.networkAnalyzerVpcConnectivityAdmin)
Admin of Network Analyzer VPC Connectivity Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerVpcConnectivityInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer VPC Connectivity Recommender Viewer
(roles/recommender.networkAnalyzerVpcConnectivityViewer)
Viewer of Network Analyzer VPC Connectivity Insights and Recommendations.
recommender.locations.*
recommender.networkAnalyzerVpcConnectivityInsights.get
recommender.networkAnalyzerVpcConnectivityInsights.list
resourcemanager.projects.get
resourcemanager.projects.list
Org Policy Recommender Admin
Beta
(roles/recommender.orgPolicyAdmin)
Admin of Org Policy Insights and Recommendations.
recommender.locations.*
recommender.orgPolicyInsights.*
recommender.orgPolicyRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
Org Policy Recommender Viewer
Beta
(roles/recommender.orgPolicyViewer)
Viewer of Org Policy Insights and Recommendations.
recommender.locations.*
recommender.orgPolicyInsights.get
recommender.orgPolicyInsights.list
recommender.orgPolicyRecommendations.get
recommender.orgPolicyRecommendations.list
resourcemanager.projects.get
resourcemanager.projects.list
Product Suggestion Recommenders Admin
Beta
(roles/recommender.productSuggestionAdmin)
Admin of all Product Suggestion insights and recommendations.
recommender.locations.*
recommender.loggingProductSuggestionContainerInsights.*
recommender.loggingProductSuggestionContainerRecommendations.*
recommender.monitoringProductSuggestionComputeInsights.*
recommender.monitoringProductSuggestionComputeRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
Product Suggestion Recommenders Viewer
Beta
(roles/recommender.productSuggestionViewer)
Viewer of all Product Suggestion insights and recommendations.
recommender.locations.*
recommender.loggingProductSuggestionContainerInsights.get
recommender.loggingProductSuggestionContainerInsights.list
recommender.loggingProductSuggestionContainerRecommendations.get
recommender.loggingProductSuggestionContainerRecommendations.list
recommender.monitoringProductSuggestionComputeInsights.get
recommender.monitoringProductSuggestionComputeInsights.list
recommender.monitoringProductSuggestionComputeRecommendations.get
recommender.monitoringProductSuggestionComputeRecommendations.list
resourcemanager.projects.get
resourcemanager.projects.list
Project Usage Commitment Recommender Admin
Beta
(roles/recommender.projectCudAdmin)
Admin of Project Usage Commitment Recommender.
recommender.commitmentUtilizationInsights.*
recommender.locations.*
recommender.spendBasedCommitmentRecommenderConfig.get
recommender.usageCommitmentRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
Project Usage Commitment Recommender Viewer
Beta
(roles/recommender.projectCudViewer)
Viewer of Project Usage Commitment Recommender.
recommender.commitmentUtilizationInsights.get
recommender.commitmentUtilizationInsights.list
recommender.locations.*
recommender.spendBasedCommitmentRecommenderConfig.get
recommender.usageCommitmentRecommendations.get
recommender.usageCommitmentRecommendations.list
resourcemanager.projects.get
resourcemanager.projects.list
Project Utilization Recommender Admin
(roles/recommender.projectUtilAdmin)
Admin of Project Utilization insights and recommendations.
recommender.resourcemanagerProjectUtilizationInsightTypeConfigs.*
recommender.resourcemanagerProjectUtilizationInsights.*
recommender.resourcemanagerProjectUtilizationRecommendations.*
recommender.resourcemanagerProjectUtilizationRecommenderConfigs.*
resourcemanager.projects.get
resourcemanager.projects.list
Project Utilization Recommender Viewer
(roles/recommender.projectUtilViewer)
Viewer of Project Utilization insights and recommendations.
recommender.resourcemanagerProjectUtilizationInsightTypeConfigs.get
recommender.resourcemanagerProjectUtilizationInsights.get
recommender.resourcemanagerProjectUtilizationInsights.list
recommender.resourcemanagerProjectUtilizationRecommendations.get
recommender.resourcemanagerProjectUtilizationRecommendations.list
recommender.resourcemanagerProjectUtilizationRecommenderConfigs.get
resourcemanager.projects.get
resourcemanager.projects.list
RecentChange RecommenderConfig Admin
(roles/recommender.recentChangeConfigAdmin)
Admin of RecentChange RecommenderConfigs.
recommender.cloudRecentChangeRecommenderConfig.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Recent Change Risk Recommender Admin
(roles/recommender.recentchangeriskAdmin)
Admin of Recent Change Risk Insights and Recommendations.
recommender.cloudRecentChangeInsights.*
recommender.cloudRecentChangeRecommendations.*
recommender.cloudRecentChangeRecommenderConfig.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Recent Change Risk Recommender Viewer
(roles/recommender.recentchangeriskViewer)
Viewer of Recent Change Risk Insights and Recommendations.
recommender.cloudRecentChangeInsights.get
recommender.cloudRecentChangeInsights.list
recommender.cloudRecentChangeRecommendations.get
recommender.cloudRecentChangeRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Service Limit Recommender Admin
Beta
(roles/recommender.serviceLimitAdmin)
Admin of Service Limit insights and recommendations.
recommender.resourcemanagerServiceLimitInsights.*
recommender.resourcemanagerServiceLimitRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
Service Limit Recommender Viewer
Beta
(roles/recommender.serviceLimitViewer)
Viewer of Service Limit insights and recommendations.
recommender.resourcemanagerServiceLimitInsights.get
recommender.resourcemanagerServiceLimitInsights.list
recommender.resourcemanagerServiceLimitRecommendations.get
recommender.resourcemanagerServiceLimitRecommendations.list
resourcemanager.projects.get
resourcemanager.projects.list
Service Account Change Risk Recommender Admin
Beta
(roles/recommender.serviceaccntchangeriskAdmin)
Admin of Service Account Change Risk Insights and Recommendations.
recommender.iamServiceAccountChangeRiskInsights.*
recommender.iamServiceAccountChangeRiskRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Service Account Change Risk Recommender Viewer
Beta
(roles/recommender.serviceaccntchangeriskViewer)
Viewer of Service Account Change Risk Insights and Recommendations.
recommender.iamServiceAccountChangeRiskInsights.get
recommender.iamServiceAccountChangeRiskInsights.list
recommender.iamServiceAccountChangeRiskRecommendations.get
recommender.iamServiceAccountChangeRiskRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Spanner Project Reliability Recommender Admin
Beta
(roles/recommender.spannerAdmin)
Admin of Spanner Project Reliability Insights and Recommendations.
recommender.locations.*
recommender.spannerProjectReliabilityInsights.*
recommender.spannerProjectReliabilityRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
Spanner Project Reliability Recommender Viewer
Beta
(roles/recommender.spannerViewer)
Viewer of Spanner Project Reliability Insights and Recommendations.
recommender.locations.*
recommender.spannerProjectReliabilityInsights.get
recommender.spannerProjectReliabilityInsights.list
recommender.spannerProjectReliabilityRecommendations.get
recommender.spannerProjectReliabilityRecommendations.list
resourcemanager.projects.get
resourcemanager.projects.list
Spend Based Commitment Recommender Admin
Beta
(roles/recommender.ucsAdmin)
Admin of Spend Based Commitment Recommender.
billing.accounts.get
billing.accounts.list
recommender.locations.*
recommender.spendBasedCommitmentInsights.*
recommender.spendBasedCommitmentRecommendations.*
recommender.spendBasedCommitmentRecommenderConfig.*
Spend Based Commitment Recommender Viewer
Beta
(roles/recommender.ucsViewer)
Viewer of Spend Based Commitment Recommender.
billing.accounts.get
billing.accounts.list
recommender.locations.*
recommender.spendBasedCommitmentInsights.get
recommender.spendBasedCommitmentInsights.list
recommender.spendBasedCommitmentRecommendations.get
recommender.spendBasedCommitmentRecommendations.list
recommender.spendBasedCommitmentRecommenderConfig.get
Recommender Viewer
(roles/ recommender.viewer
)
Enables Get and List operations.
recommender. alloydbClusterPerformanceInsights. get
recommender. alloydbClusterPerformanceInsights. list
recommender. alloydbClusterPerformanceRecommendations. get
recommender. alloydbClusterPerformanceRecommendations. list
recommender. alloydbClusterReliabilityInsights. get
recommender. alloydbClusterReliabilityInsights. list
recommender. alloydbClusterReliabilityRecommendations. get
recommender. alloydbClusterReliabilityRecommendations. list
recommender. alloydbInstanceSecurityInsights. get
recommender. alloydbInstanceSecurityInsights. list
recommender. alloydbInstanceSecurityRecommendations. get
recommender. alloydbInstanceSecurityRecommendations. list
recommender. bigqueryCapacityCommitmentsInsights. get
recommender. bigqueryCapacityCommitmentsInsights. list
recommender. bigqueryCapacityCommitmentsRecommendations. get
recommender. bigqueryCapacityCommitmentsRecommendations. list
recommender. bigqueryMaterializedViewInsights. get
recommender. bigqueryMaterializedViewInsights. list
recommender. bigqueryMaterializedViewRecommendations. get
recommender. bigqueryMaterializedViewRecommendations. list
recommender. bigqueryPartitionClusterRecommendations. get
recommender. bigqueryPartitionClusterRecommendations. list
recommender. bigqueryTableStatsInsights. get
recommender. bigqueryTableStatsInsights. list
recommender. cloudAssetInsights. get
recommender. cloudAssetInsights. list
recommender. cloudCostGeneralInsights. get
recommender. cloudCostGeneralInsights. list
recommender. cloudCostGeneralRecommendations. get
recommender. cloudCostGeneralRecommendations. list
recommender. cloudDeprecationGeneralInsights. get
recommender. cloudDeprecationGeneralInsights. list
recommender. cloudDeprecationGeneralRecommendations. get
recommender. cloudDeprecationGeneralRecommendations. list
recommender. cloudFunctionsPerformanceInsights. get
recommender. cloudFunctionsPerformanceInsights. list
recommender. cloudFunctionsPerformanceRecommendations. get
recommender. cloudFunctionsPerformanceRecommendations. list
recommender. cloudManageabilityGeneralInsights. get
recommender. cloudManageabilityGeneralInsights. list
recommender. cloudManageabilityGeneralRecommendations. get
recommender. cloudManageabilityGeneralRecommendations. list
recommender. cloudPerformanceGeneralInsights. get
recommender. cloudPerformanceGeneralInsights. list
recommender. cloudPerformanceGeneralRecommendations. get
recommender. cloudPerformanceGeneralRecommendations. list
recommender. cloudRecentChangeInsights. get
recommender. cloudRecentChangeInsights. list
recommender. cloudRecentChangeRecommendations. get
recommender. cloudRecentChangeRecommendations. list
recommender. cloudRecentChangeRecommenderConfig. get
recommender. cloudReliabilityGeneralInsights. get
recommender. cloudReliabilityGeneralInsights. list
recommender. cloudReliabilityGeneralRecommendations. get
recommender. cloudReliabilityGeneralRecommendations. list
recommender. cloudSecurityGeneralInsights. get
recommender. cloudSecurityGeneralInsights. list
recommender. cloudSecurityGeneralRecommendations. get
recommender. cloudSecurityGeneralRecommendations. list
recommender. cloudsqlIdleInstanceRecommendations. get
recommender. cloudsqlIdleInstanceRecommendations. list
recommender. cloudsqlInstanceActivityInsights. get
recommender. cloudsqlInstanceActivityInsights. list
recommender. cloudsqlInstanceCpuUsageInsights. get
recommender. cloudsqlInstanceCpuUsageInsights. list
recommender. cloudsqlInstanceDiskUsageTrendInsights. get
recommender. cloudsqlInstanceDiskUsageTrendInsights. list
recommender. cloudsqlInstanceMemoryUsageInsights. get
recommender. cloudsqlInstanceMemoryUsageInsights. list
recommender. cloudsqlInstanceOomProbabilityInsights. get
recommender. cloudsqlInstanceOomProbabilityInsights. list
recommender. cloudsqlInstanceOutOfDiskRecommendations. get
recommender. cloudsqlInstanceOutOfDiskRecommendations. list
recommender. cloudsqlInstancePerformanceInsights. get
recommender. cloudsqlInstancePerformanceInsights. list
recommender. cloudsqlInstancePerformanceRecommendations. get
recommender. cloudsqlInstancePerformanceRecommendations. list
recommender. cloudsqlInstanceReliabilityInsights. get
recommender. cloudsqlInstanceReliabilityInsights. list
recommender. cloudsqlInstanceReliabilityRecommendations. get
recommender. cloudsqlInstanceReliabilityRecommendations. list
recommender. cloudsqlInstanceSecurityInsights. get
recommender. cloudsqlInstanceSecurityInsights. list
recommender. cloudsqlInstanceSecurityRecommendations. get
recommender. cloudsqlInstanceSecurityRecommendations. list
recommender. cloudsqlInstanceUnderprovisionedCpuUsageInsights. get
recommender. cloudsqlInstanceUnderprovisionedCpuUsageInsights. list
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlUnderProvisionedInstanceRecommendations.get
recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
recommender.commitmentUtilizationInsights.get
recommender.commitmentUtilizationInsights.list
recommender.computeAddressIdleResourceInsights.get
recommender.computeAddressIdleResourceInsights.list
recommender.computeAddressIdleResourceRecommendations.get
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeDiskIdleResourceInsights.get
recommender.computeDiskIdleResourceInsights.list
recommender.computeDiskIdleResourceRecommendations.get
recommender.computeDiskIdleResourceRecommendations.list
recommender.computeFirewallInsightTypeConfigs.get
recommender.computeFirewallInsights.get
recommender.computeFirewallInsights.list
recommender.computeImageIdleResourceInsights.get
recommender.computeImageIdleResourceInsights.list
recommender.computeImageIdleResourceRecommendations.get
recommender.computeImageIdleResourceRecommendations.list
recommender.computeInstanceCpuUsageInsights.get
recommender.computeInstanceCpuUsageInsights.list
recommender.computeInstanceCpuUsagePredictionInsights.get
recommender.computeInstanceCpuUsagePredictionInsights.list
recommender.computeInstanceCpuUsageTrendInsights.get
recommender.computeInstanceCpuUsageTrendInsights.list
recommender.computeInstanceGroupManagerCpuUsageInsights.get
recommender.computeInstanceGroupManagerCpuUsageInsights.list
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.get
recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.get
recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list
recommender.computeInstanceGroupManagerMachineTypeRecommendations.get
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceGroupManagerMemoryUsageInsights.get
recommender.computeInstanceGroupManagerMemoryUsageInsights.list
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.get
recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list
recommender.computeInstanceIdleResourceRecommendations.get
recommender.computeInstanceIdleResourceRecommendations.list
recommender.computeInstanceIdleResourceRecommenderConfig.get
recommender.computeInstanceMachineTypeRecommendations.get
recommender.computeInstanceMachineTypeRecommendations.list
recommender.computeInstanceMemoryUsageInsights.get
recommender.computeInstanceMemoryUsageInsights.list
recommender.computeInstanceMemoryUsagePredictionInsights.get
recommender.computeInstanceMemoryUsagePredictionInsights.list
recommender.computeInstanceNetworkThroughputInsights.get
recommender.computeInstanceNetworkThroughputInsights.list
recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.costInsights.get
recommender.costInsights.list
recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.errorReportingInsights.get
recommender.errorReportingInsights.list
recommender.errorReportingRecommendations.get
recommender.errorReportingRecommendations.list
recommender.firestoreDatabaseReliabilityInsights.get
recommender.firestoreDatabaseReliabilityInsights.list
recommender.firestoreDatabaseReliabilityRecommendations.get
recommender.firestoreDatabaseReliabilityRecommendations.list
recommender.gmpGuidedExperienceInsights.get
recommender.gmpGuidedExperienceInsights.list
recommender.gmpGuidedExperienceRecommendations.get
recommender.gmpGuidedExperienceRecommendations.list
recommender.gmpProjectManagementInsights.get
recommender.gmpProjectManagementInsights.list
recommender.gmpProjectManagementRecommendations.get
recommender.gmpProjectManagementRecommendations.list
recommender.gmpProjectProductSuggestionsInsights.get
recommender.gmpProjectProductSuggestionsInsights.list
recommender.gmpProjectProductSuggestionsRecommendations.get
recommender.gmpProjectProductSuggestionsRecommendations.list
recommender.iamPolicyChangeRiskInsights.get
recommender.iamPolicyChangeRiskInsights.list
recommender.iamPolicyChangeRiskRecommendations.get
recommender.iamPolicyChangeRiskRecommendations.list
recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyLateralMovementInsights.get
recommender.iamPolicyLateralMovementInsights.list
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommenderConfig.get
recommender.iamServiceAccountChangeRiskInsights.get
recommender.iamServiceAccountChangeRiskInsights.list
recommender.iamServiceAccountChangeRiskRecommendations.get
recommender.iamServiceAccountChangeRiskRecommendations.list
recommender.iamServiceAccountInsights.get
recommender.iamServiceAccountInsights.list
recommender.locations.*
recommender.loggingProductSuggestionContainerInsights.get
recommender.loggingProductSuggestionContainerInsights.list
recommender.loggingProductSuggestionContainerRecommendations.get
recommender.loggingProductSuggestionContainerRecommendations.list
recommender.monitoringProductSuggestionComputeInsights.get
recommender.monitoringProductSuggestionComputeInsights.list
recommender.monitoringProductSuggestionComputeRecommendations.get
recommender.monitoringProductSuggestionComputeRecommendations.list
recommender.networkAnalyzerCloudSqlInsights.get
recommender.networkAnalyzerCloudSqlInsights.list
recommender.networkAnalyzerDynamicRouteInsights.get
recommender.networkAnalyzerDynamicRouteInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
recommender.networkAnalyzerGkeServiceAccountInsights.get
recommender.networkAnalyzerGkeServiceAccountInsights.list
recommender.networkAnalyzerIpAddressInsights.get
recommender.networkAnalyzerIpAddressInsights.list
recommender.networkAnalyzerLoadBalancerInsights.get
recommender.networkAnalyzerLoadBalancerInsights.list
recommender.networkAnalyzerVpcConnectivityInsights.get
recommender.networkAnalyzerVpcConnectivityInsights.list
recommender.orgPolicyInsights.get
recommender.orgPolicyInsights.list
recommender.orgPolicyRecommendations.get
recommender.orgPolicyRecommendations.list
recommender.resourcemanagerProjectChangeRiskInsights.get
recommender.resourcemanagerProjectChangeRiskInsights.list
recommender.resourcemanagerProjectChangeRiskRecommendations.get
recommender.resourcemanagerProjectChangeRiskRecommendations.list
recommender.resourcemanagerProjectUtilizationInsightTypeConfigs.get
recommender.resourcemanagerProjectUtilizationInsights.get
recommender.resourcemanagerProjectUtilizationInsights.list
recommender.resourcemanagerProjectUtilizationRecommendations.get
recommender.resourcemanagerProjectUtilizationRecommendations.list
recommender.resourcemanagerProjectUtilizationRecommenderConfigs.get
recommender.resourcemanagerServiceLimitInsights.get
recommender.resourcemanagerServiceLimitInsights.list
recommender.resourcemanagerServiceLimitRecommendations.get
recommender.resourcemanagerServiceLimitRecommendations.list
recommender.runServiceCostInsights.get
recommender.runServiceCostInsights.list
recommender.runServiceCostRecommendations.get
recommender.runServiceCostRecommendations.list
recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServicePerformanceInsights.get
recommender.runServicePerformanceInsights.list
recommender.runServicePerformanceRecommendations.get
recommender.runServicePerformanceRecommendations.list
recommender.runServiceSecurityInsights.get
recommender.runServiceSecurityInsights.list
recommender.runServiceSecurityRecommendations.get
recommender.runServiceSecurityRecommendations.list
recommender.spannerProjectReliabilityInsights.get
recommender.spannerProjectReliabilityInsights.list
recommender.spannerProjectReliabilityRecommendations.get
recommender.spannerProjectReliabilityRecommendations.list
recommender.spendBasedCommitmentInsights.get
recommender.spendBasedCommitmentInsights.list
recommender.spendBasedCommitmentRecommendations.get
recommender.spendBasedCommitmentRecommendations.list
recommender.spendBasedCommitmentRecommenderConfig.get
recommender.storageBucketSoftDeleteInsights.get
recommender.storageBucketSoftDeleteInsights.list
recommender.storageBucketSoftDeleteRecommendations.get
recommender.storageBucketSoftDeleteRecommendations.list
recommender.usageCommitmentRecommendations.get
recommender.usageCommitmentRecommendations.list
resourcemanager.projects.get
Resource Manager roles
Permissions
Folder Admin
(roles/resourcemanager.folderAdmin)
Provides all available permissions for working with folders.
Lowest-level resources where you can grant this role:
essentialcontacts.*
iam.policybindings.*
orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.*
resourcemanager.hierarchyNodes.*
resourcemanager.projects.createPolicyBinding
resourcemanager.projects.deletePolicyBinding
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.move
resourcemanager.projects.searchPolicyBindings
resourcemanager.projects.setIamPolicy
resourcemanager.projects.updatePolicyBinding
Folder Creator
(roles/resourcemanager.folderCreator)
Provides permissions needed to browse the hierarchy and create folders.
Lowest-level resources where you can grant this role:
essentialcontacts.contacts.get
essentialcontacts.contacts.list
orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
Folder Editor
(roles/resourcemanager.folderEditor)
Provides permission to modify folders as well as to view a folder's allow policy.
Lowest-level resources where you can grant this role:
essentialcontacts.contacts.get
essentialcontacts.contacts.list
orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.delete
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.searchPolicyBindings
resourcemanager.folders.undelete
resourcemanager.folders.update
resourcemanager.projects.get
resourcemanager.projects.list
Folder IAM Admin
(roles/resourcemanager.folderIamAdmin)
Provides permissions to administer allow policies on folders.
Lowest-level resources where you can grant this role:
iam.policybindings.*
resourcemanager.folders.createPolicyBinding
resourcemanager.folders.deletePolicyBinding
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.searchPolicyBindings
resourcemanager.folders.setIamPolicy
resourcemanager.folders.updatePolicyBinding
Folder Mover
(roles/resourcemanager.folderMover)
Provides permission to move projects and folders into and out of a parent organization or folder.
Lowest-level resources where you can grant this role:
resourcemanager.folders.move
resourcemanager.projects.move
Folder Viewer
(roles/resourcemanager.folderViewer)
Provides permission to get a folder and list the folders and projects below a resource.
Lowest-level resources where you can grant this role:
essentialcontacts.contacts.get
essentialcontacts.contacts.list
orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
Project Lien Modifier
(roles/resourcemanager.lienModifier)
Provides access to modify Liens on projects.
Lowest-level resources where you can grant this role:
resourcemanager.projects.updateLiens
Organization Administrator
(roles/resourcemanager.organizationAdmin)
Access to manage IAM policies and view organization policies for organizations, folders, and projects.
Lowest-level resources where you can grant this role:
essentialcontacts.*
iam.policybindings.*
orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.createPolicyBinding
resourcemanager.folders.deletePolicyBinding
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.searchPolicyBindings
resourcemanager.folders.setIamPolicy
resourcemanager.folders.updatePolicyBinding
resourcemanager.organizations.*
resourcemanager.projects.createPolicyBinding
resourcemanager.projects.deletePolicyBinding
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.searchPolicyBindings
resourcemanager.projects.setIamPolicy
resourcemanager.projects.updatePolicyBinding
Organization Viewer
(roles/resourcemanager.organizationViewer)
Provides access to view an organization.
Lowest-level resources where you can grant this role:
resourcemanager.organizations.get
Project Creator
(roles/resourcemanager.projectCreator)
Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project.
Lowest-level resources where you can grant this role:
resourcemanager.organizations.get
resourcemanager.projects.create
Project Deleter
(roles/resourcemanager.projectDeleter)
Provides access to delete Google Cloud projects.
Lowest-level resources where you can grant this role:
resourcemanager.projects.delete
Project IAM Admin
(roles/resourcemanager.projectIamAdmin)
Provides permissions to administer allow policies on projects.
Lowest-level resources where you can grant this role:
iam.policybindings.*
resourcemanager.projects.createPolicyBinding
resourcemanager.projects.deletePolicyBinding
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.searchPolicyBindings
resourcemanager.projects.setIamPolicy
resourcemanager.projects.updatePolicyBinding
Project Mover
(roles/resourcemanager.projectMover)
Provides access to update and move projects.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.move
resourcemanager.projects.update
Tag Administrator
(roles/resourcemanager.tagAdmin)
Access to create, delete, update, and manage access to Tags
resourcemanager.tagHolds.*
resourcemanager.tagKeys.*
resourcemanager.tagValues.*
Tag Hold Administrator
(roles/resourcemanager.tagHoldAdmin)
Access to create, delete and list TagHolds under a TagValue
resourcemanager.tagHolds.*
Tag User
(roles/resourcemanager.tagUser)
Access to list Tags and manage their associations with resources
alloydb.backups.createTagBinding
alloydb.backups.deleteTagBinding
alloydb.backups.listEffectiveTags
alloydb.backups.listTagBindings
alloydb.clusters.createTagBinding
alloydb.clusters.deleteTagBinding
alloydb.clusters.listEffectiveTags
alloydb.clusters.listTagBindings
artifactregistry.repositories.createTagBinding
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
bigquery.datasets.createTagBinding
bigquery.datasets.deleteTagBinding
bigquery.datasets.listEffectiveTags
bigquery.datasets.listTagBindings
bigquery.tables.createTagBinding
bigquery.tables.deleteTagBinding
bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings
bigtable.authorizedViews.createTagBinding
bigtable.authorizedViews.deleteTagBinding
bigtable.authorizedViews.listEffectiveTags
bigtable.authorizedViews.listTagBindings
bigtable.instances.createTagBinding
bigtable.instances.deleteTagBinding
bigtable.instances.listEffectiveTags
bigtable.instances.listTagBindings
clouddeploy.deliveryPipelines.createTagBinding
clouddeploy.deliveryPipelines.deleteTagBinding
clouddeploy.deliveryPipelines.listEffectiveTags
clouddeploy.deliveryPipelines.listTagBindings
clouddeploy.targets.createTagBinding
clouddeploy.targets.deleteTagBinding
clouddeploy.targets.listEffectiveTags
clouddeploy.targets.listTagBindings
cloudkms.keyRings.createTagBinding
cloudkms.keyRings.deleteTagBinding
cloudkms.keyRings.listEffectiveTags
cloudkms.keyRings.listTagBindings
cloudsql.instances.createTagBinding
cloudsql.instances.deleteTagBinding
cloudsql.instances.listEffectiveTags
cloudsql.instances.listTagBindings
compute.addresses.createTagBinding
compute.addresses.deleteTagBinding
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.backendBuckets.createTagBinding
compute.backendBuckets.deleteTagBinding
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.createTagBinding
compute.backendServices.deleteTagBinding
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.createTagBinding
compute.externalVpnGateways.deleteTagBinding
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.firewallPolicies.createTagBinding
compute.firewallPolicies.deleteTagBinding
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.createTagBinding
compute.firewalls.deleteTagBinding
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.createTagBinding
compute.forwardingRules.deleteTagBinding
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.globalAddresses.createTagBinding
compute.globalAddresses.deleteTagBinding
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.globalForwardingRules.createTagBinding
compute.globalForwardingRules.deleteTagBinding
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalNetworkEndpointGroups.createTagBinding
compute.globalNetworkEndpointGroups.deleteTagBinding
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.healthChecks.createTagBinding
compute.healthChecks.deleteTagBinding
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.createTagBinding
compute.httpHealthChecks.deleteTagBinding
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.createTagBinding
compute.httpsHealthChecks.deleteTagBinding
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.createTagBinding
compute.images.deleteTagBinding
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.createTagBinding
compute.instanceGroupManagers.deleteTagBinding
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroups.createTagBinding
compute.instanceGroups.deleteTagBinding
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.instances.createTagBinding
compute.instances.deleteTagBinding
compute.instances.listEffectiveTags
compute.instances.listTagBindings
compute.interconnectAttachments.createTagBinding
compute.interconnectAttachments.deleteTagBinding
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnects.createTagBinding
compute.interconnects.deleteTagBinding
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.networkAttachments.createTagBinding
compute.networkAttachments.deleteTagBinding
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkEdgeSecurityServices.createTagBinding
compute.networkEdgeSecurityServices.deleteTagBinding
compute.networkEdgeSecurityServices.listEffectiveTags
compute.networkEdgeSecurityServices.listTagBindings
compute.networkEndpointGroups.createTagBinding
compute.networkEndpointGroups.deleteTagBinding
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networks.createTagBinding
compute.networks.deleteTagBinding
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.packetMirrorings.createTagBinding
compute.packetMirrorings.deleteTagBinding
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.publicDelegatedPrefixes.createTagBinding
compute.publicDelegatedPrefixes.deleteTagBinding
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.regionBackendServices.createTagBinding
compute.regionBackendServices.deleteTagBinding
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.createTagBinding
compute.regionFirewallPolicies.deleteTagBinding
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthChecks.createTagBinding
compute.regionHealthChecks.deleteTagBinding
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.createTagBinding
compute.regionNetworkEndpointGroups.deleteTagBinding
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionSecurityPolicies.createTagBinding
compute.regionSecurityPolicies.deleteTagBinding
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSslCertificates.createTagBinding
compute.regionSslCertificates.deleteTagBinding
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.createTagBinding
compute.regionSslPolicies.deleteTagBinding
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetHttpProxies.createTagBinding
compute.regionTargetHttpProxies.deleteTagBinding
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.createTagBinding
compute.regionTargetHttpsProxies.deleteTagBinding
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.createTagBinding
compute.regionTargetTcpProxies.deleteTagBinding
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.regionUrlMaps.createTagBinding
compute.regionUrlMaps.deleteTagBinding
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.routers.createTagBinding
compute.routers.deleteTagBinding
compute.routers.listEffectiveTags
compute.routers.listTagBindings
compute.routes.createTagBinding
compute.routes.deleteTagBinding
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.createTagBinding
compute.securityPolicies.deleteTagBinding
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.serviceAttachments.createTagBinding
compute.serviceAttachments.deleteTagBinding
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings
compute.snapshots.createTagBinding
compute.snapshots.deleteTagBinding
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.createTagBinding
compute.sslCertificates.deleteTagBinding
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.createTagBinding
compute.sslPolicies.deleteTagBinding
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.subnetworks.createTagBinding
compute.subnetworks.deleteTagBinding
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetGrpcProxies.createTagBinding
compute.targetGrpcProxies.deleteTagBinding
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings
compute.targetHttpProxies.createTagBinding
compute.targetHttpProxies.deleteTagBinding
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.createTagBinding
compute.targetHttpsProxies.deleteTagBinding
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.createTagBinding
compute.targetInstances.deleteTagBinding
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.createTagBinding
compute.targetPools.deleteTagBinding
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.createTagBinding
compute.targetSslProxies.deleteTagBinding
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.createTagBinding
compute.targetTcpProxies.deleteTagBinding
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.targetVpnGateways.createTagBinding
compute.targetVpnGateways.deleteTagBinding
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.urlMaps.createTagBinding
compute.urlMaps.deleteTagBinding
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
compute.vpnGateways.createTagBinding
compute.vpnGateways.deleteTagBinding
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.createTagBinding
compute.vpnTunnels.deleteTagBinding
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings
container.clusters.createTagBinding
container.clusters.deleteTagBinding
container.clusters.listEffectiveTags
container.clusters.listTagBindings
datafusion.instances.createTagBinding
datafusion.instances.deleteTagBinding
datafusion.instances.listEffectiveTags
datafusion.instances.listTagBindings
datastore.databases.createTagBinding
datastore.databases.deleteTagBinding
datastore.databases.listEffectiveTags
datastore.databases.listTagBindings
datastream.connectionProfiles.createTagBinding
datastream.connectionProfiles.deleteTagBinding
datastream.connectionProfiles.listEffectiveTags
datastream.connectionProfiles.listTagBindings
datastream.privateConnections.createTagBinding
datastream.privateConnections.deleteTagBinding
datastream.privateConnections.listEffectiveTags
datastream.privateConnections.listTagBindings
datastream.streams.createTagBinding
datastream.streams.deleteTagBinding
datastream.streams.listEffectiveTags
datastream.streams.listTagBindings
domains.registrations.createTagBinding
domains.registrations.deleteTagBinding
domains.registrations.listEffectiveTags
domains.registrations.listTagBindings
file.backups.createTagBinding
file.backups.deleteTagBinding
file.backups.listEffectiveTags
file.backups.listTagBindings
file.instances.createTagBinding
file.instances.deleteTagBinding
file.instances.listEffectiveTags
file.instances.listTagBindings
file.snapshots.createTagBinding
file.snapshots.deleteTagBinding
file.snapshots.listEffectiveTags
file.snapshots.listTagBindings
iam.serviceAccounts.createTagBinding
iam.serviceAccounts.deleteTagBinding
iam.serviceAccounts.listEffectiveTags
iam.serviceAccounts.listTagBindings
logging.buckets.createTagBinding
logging.buckets.deleteTagBinding
logging.buckets.listEffectiveTags
logging.buckets.listTagBindings
managedidentities.domains.createTagBinding
managedidentities.domains.deleteTagBinding
managedidentities.domains.listEffectiveTags
managedidentities.domains.listTagBindings
redis.instances.createTagBinding
redis.instances.deleteTagBinding
redis.instances.listEffectiveTags
redis.instances.listTagBindings
resourcemanager.hierarchyNodes.*
resourcemanager.projects.get
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.tagValueBindings.*
resourcemanager.tagValues.get
resourcemanager.tagValues.list
run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
secretmanager.secrets.createTagBinding
secretmanager.secrets.deleteTagBinding
secretmanager.secrets.listEffectiveTags
secretmanager.secrets.listTagBindings
spanner.instances.createTagBinding
spanner.instances.deleteTagBinding
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
workflows.workflows.createTagBinding
workflows.workflows.deleteTagBinding
workflows.workflows.listEffectiveTags
workflows.workflows.listTagBindings
Tag Viewer
(roles/resourcemanager.tagViewer)
Access to list Tags and their associations with resources
alloydb.backups.listEffectiveTags
alloydb.backups.listTagBindings
alloydb.clusters.listEffectiveTags
alloydb.clusters.listTagBindings
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
bigquery.datasets.listEffectiveTags
bigquery.datasets.listTagBindings
bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings
bigtable.authorizedViews.listEffectiveTags
bigtable.authorizedViews.listTagBindings
bigtable.instances.listEffectiveTags
bigtable.instances.listTagBindings
clouddeploy.deliveryPipelines.listEffectiveTags
clouddeploy.deliveryPipelines.listTagBindings
clouddeploy.targets.listEffectiveTags
clouddeploy.targets.listTagBindings
cloudkms.keyRings.listEffectiveTags
cloudkms.keyRings.listTagBindings
cloudsql.instances.listEffectiveTags
cloudsql.instances.listTagBindings
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.instances.listEffectiveTags
compute.instances.listTagBindings
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkEdgeSecurityServices.listEffectiveTags
compute.networkEdgeSecurityServices.listTagBindings
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.routers.listEffectiveTags
compute.routers.listTagBindings
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute. serviceAttachments. listEffectiveTags
compute. serviceAttachments. listTagBindings
compute. snapshots. listEffectiveTags
compute. snapshots. listTagBindings
compute. sslCertificates. listEffectiveTags
compute. sslCertificates. listTagBindings
compute. sslPolicies. listEffectiveTags
compute. sslPolicies. listTagBindings
compute. subnetworks. listEffectiveTags
compute. subnetworks. listTagBindings
compute. targetGrpcProxies. listEffectiveTags
compute. targetGrpcProxies. listTagBindings
compute. targetHttpProxies. listEffectiveTags
compute. targetHttpProxies. listTagBindings
compute. targetHttpsProxies. listEffectiveTags
compute. targetHttpsProxies. listTagBindings
compute. targetInstances. listEffectiveTags
compute. targetInstances. listTagBindings
compute. targetPools. listEffectiveTags
compute. targetPools. listTagBindings
compute. targetSslProxies. listEffectiveTags
compute. targetSslProxies. listTagBindings
compute. targetTcpProxies. listEffectiveTags
compute. targetTcpProxies. listTagBindings
compute. targetVpnGateways. listEffectiveTags
compute. targetVpnGateways. listTagBindings
compute. urlMaps. listEffectiveTags
compute. urlMaps. listTagBindings
compute. vpnGateways. listEffectiveTags
compute. vpnGateways. listTagBindings
compute. vpnTunnels. listEffectiveTags
compute. vpnTunnels. listTagBindings
container.clusters.listEffectiveTags
container.clusters.listTagBindings
datafusion.instances.listEffectiveTags
datafusion.instances.listTagBindings
datastore.databases.listEffectiveTags
datastore.databases.listTagBindings
datastream.connectionProfiles.listEffectiveTags
datastream.connectionProfiles.listTagBindings
datastream.privateConnections.listEffectiveTags
datastream.privateConnections.listTagBindings
datastream.streams.listEffectiveTags
datastream.streams.listTagBindings
domains.registrations.listEffectiveTags
domains.registrations.listTagBindings
file.backups.listEffectiveTags
file.backups.listTagBindings
file.instances.listEffectiveTags
file.instances.listTagBindings
file.snapshots.listEffectiveTags
file.snapshots.listTagBindings
iam.serviceAccounts.listEffectiveTags
iam.serviceAccounts.listTagBindings
logging.buckets.listEffectiveTags
logging.buckets.listTagBindings
managedidentities.domains.listEffectiveTags
managedidentities.domains.listTagBindings
redis.instances.listEffectiveTags
redis.instances.listTagBindings
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.hierarchyNodes.listTagBindings
resourcemanager.tagHolds.list
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.tagValues.get
resourcemanager.tagValues.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.services.listEffectiveTags
run.services.listTagBindings
secretmanager.secrets.listEffectiveTags
secretmanager.secrets.listTagBindings
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
workflows.workflows.listEffectiveTags
workflows.workflows.listTagBindings
Resource Settings roles
Permissions
Resource Settings Administrator
(roles/resourcesettings.admin)
Provides admin capabilities to set Resource Setting Values on resources.
Lowest-level resources where you can grant this role:
resourcesettings.*
Resource Settings Viewer
(roles/resourcesettings.viewer)
Provides capabilities to view Resource Settings and Resource Setting Values on resources.
resourcesettings.settings.get
resourcesettings.settings.list
Risk Manager roles
Permissions
Risk Manager Admin
Beta
(roles/riskmanager.admin)
Grants all Risk Manager permissions
resourcemanager.projects.get
resourcemanager.projects.list
riskmanager.*
Risk Manager Editor
Beta
(roles/riskmanager.editor)
Access to edit Risk Manager resources
resourcemanager.projects.get
resourcemanager.projects.list
riskmanager.controlScoreBreakdowns.*
riskmanager.operations.*
riskmanager.policies.*
riskmanager.reports.create
riskmanager.reports.delete
riskmanager.reports.get
riskmanager.reports.list
riskmanager.serviceAccount.create
riskmanager.settings.*
Risk Manager Report Reviewer
Beta
(roles/riskmanager.reviewer)
Access to review Risk Manager reports
resourcemanager.projects.get
resourcemanager.projects.list
riskmanager.controlScoreBreakdowns.*
riskmanager.operations.get
riskmanager.operations.list
riskmanager.reports.get
riskmanager.reports.list
riskmanager.reports.review
Risk Manager Viewer
Beta
(roles/riskmanager.viewer)
Access to view Risk Manager resources
resourcemanager.projects.get
resourcemanager.projects.list
riskmanager.controlScoreBreakdowns.*
riskmanager.operations.get
riskmanager.operations.list
riskmanager.policies.*
riskmanager.reports.get
riskmanager.reports.list
riskmanager.settings.get
Roles roles
Permissions
Organization Role Administrator
(roles/iam.organizationRoleAdmin)
Provides access to administer all custom roles in the organization and the projects below it.
Lowest-level resources where you can grant this role:
iam.roles.*
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Organization Role Viewer
(roles/iam.organizationRoleViewer)
Provides read access to all custom roles in the organization and the projects below it.
Lowest-level resources where you can grant this role:
iam.roles.get
iam.roles.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Role Administrator
(roles/iam.roleAdmin)
Provides access to all custom roles in the project.
Lowest-level resources where you can grant this role:
iam.roles.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
Role Viewer
(roles/iam.roleViewer)
Provides read access to all custom roles in the project.
Lowest-level resources where you can grant this role:
iam.roles.get
iam.roles.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
Secret Manager roles
Permissions
Secret Manager Admin
(roles/secretmanager.admin)
Full access to administer Secret Manager resources.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.*
Secret Manager Secret Accessor
(roles/secretmanager.secretAccessor)
Allows accessing the payload of secrets.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.versions.access
Secret Manager Secret Version Adder
(roles/secretmanager.secretVersionAdder)
Allows adding versions to existing secrets.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.versions.add
Secret Manager Secret Version Manager
(roles/secretmanager.secretVersionManager)
Allows creating and managing versions of existing secrets.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.versions.add
secretmanager.versions.destroy
secretmanager.versions.disable
secretmanager.versions.enable
secretmanager.versions.get
secretmanager.versions.list
Secret Manager Viewer
(roles/secretmanager.viewer)
Allows viewing metadata of all Secret Manager resources
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.locations.*
secretmanager.secrets.get
secretmanager.secrets.getIamPolicy
secretmanager.secrets.list
secretmanager.secrets.listEffectiveTags
secretmanager.secrets.listTagBindings
secretmanager.versions.get
secretmanager.versions.list
Secure Source Manager roles
Permissions
Secure Source Manager Admin
Beta
(roles/securesourcemanager.admin)
Full access to all Secure Source Manager resources.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.*
Secure Source Manager Instance Accessor
Beta
(roles/securesourcemanager.instanceAccessor)
An instance accessor can access an instance, but not necessarily create resources in the instance.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.instances.access
securesourcemanager.sshkeys.create
securesourcemanager.sshkeys.delete
securesourcemanager.sshkeys.get
securesourcemanager.sshkeys.list
Secure Source Manager Instance Manager
Beta
(roles/securesourcemanager.instanceManager)
Read-write access to all Secure Source Manager resources (full control except for the ability to modify permissions).
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.instances.access
securesourcemanager.instances.createRepository
securesourcemanager.instances.delete
securesourcemanager.instances.get
securesourcemanager.instances.list
securesourcemanager.locations.*
securesourcemanager.operations.*
securesourcemanager.sshkeys.*
Secure Source Manager Instance Owner
Beta
(roles/securesourcemanager.instanceOwner)
Full control over Secure Source Manager instances, including listing, creating, and deleting them. Also enables instance user management.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.instances.*
securesourcemanager.locations.*
securesourcemanager.operations.*
securesourcemanager.sshkeys.*
Secure Source Manager Instance Repository Creator
Beta
(roles/securesourcemanager.instanceRepositoryCreator)
An instance repository creator can connect to a Cloud Git instance via IAP (HTTPS) and create repositories in the instance.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.instances.access
securesourcemanager.instances.createRepository
securesourcemanager.sshkeys.create
securesourcemanager.sshkeys.delete
securesourcemanager.sshkeys.get
securesourcemanager.sshkeys.list
Secure Source Manager Repository Admin
Beta
(roles/securesourcemanager.repoAdmin)
A repoAdmin has the ability to CRUD a repository and its children as well as assign users to a repository. They can also set, get, or check IAM policies on the repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.branchRules.*
securesourcemanager.repositories.*
Secure Source Manager Repository Creator
Beta
(roles/securesourcemanager.repoCreator)
A repoCreator can create a repository in a project; the creator then becomes the repoAdmin on that repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.repositories.create
Secure Source Manager Repository Pull Request Approver
Beta
(roles/securesourcemanager.repoPullRequestApprover)
A pull request approver can approve pull requests in a repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.repositories.approvePullRequests
Secure Source Manager Repository Reader
Beta
(roles/securesourcemanager.repoReader)
A repoReader has read access to a particular repository, including its child components. They cannot create repositories, and do not manage IAM policies on the repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.branchRules.get
securesourcemanager.branchRules.list
securesourcemanager.repositories.fetch
securesourcemanager.repositories.get
securesourcemanager.repositories.list
securesourcemanager.repositories.readIssues
securesourcemanager.repositories.readPullRequests
Secure Source Manager Repository Writer
Beta
(roles/securesourcemanager.repoWriter)
A repoWriter has read/write access to a particular repository, including its child components. They cannot create repositories, and do not manage IAM policies on the repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.branchRules.get
securesourcemanager.branchRules.list
securesourcemanager.repositories.fetch
securesourcemanager.repositories.get
securesourcemanager.repositories.list
securesourcemanager.repositories.push
securesourcemanager.repositories.readIssues
securesourcemanager.repositories.readPullRequests
securesourcemanager.repositories.writeIssues
securesourcemanager.repositories.writePullRequests
Secure Source Manager SSH Key User
Beta
(roles/securesourcemanager.sshKeyUser)
An sshKeyUser can create SSH keys for themselves and list/delete SSH keys they own.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.sshkeys.create
securesourcemanager.sshkeys.delete
securesourcemanager.sshkeys.get
securesourcemanager.sshkeys.list
Security Center roles
Permissions
Security Center Admin
(roles/securitycenter.admin)
Admin (super user) access to security center
Lowest-level resources where you can grant this role:
appengine.applications.get
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.create
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.*
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudasset.assets.searchEnrichmentResourceOwners
cloudsecurityscanner.*
compute.addresses.list
iam.serviceAccountKeys.create
iam.serviceAccounts.create
iam.serviceAccounts.get
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.create
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.*
securitycentermanagement.*
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Security Center Admin Editor
(roles/securitycenter.adminEditor)
Admin Read-write access to security center
Lowest-level resources where you can grant this role:
appengine.applications.get
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.metadata.*
assuredoss.operations.get
assuredoss.operations.list
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudasset.assets.searchEnrichmentResourceOwners
cloudsecurityscanner.*
compute.addresses.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.*
securitycenter.assetsecuritymarks.update
securitycenter.attackpaths.list
securitycenter.bigQueryExports.*
securitycenter.complianceReports.aggregate
securitycenter.compliancesnapshots.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get
securitycenter.findingexternalsystems.update
securitycenter.findings.*
securitycenter.findingsecuritymarks.update
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.*
securitycenter.notificationconfig.*
securitycenter.organizationsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.resourcevalueconfigs.*
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.simulate
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.vulnerabilitysnapshots.list
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Security Center Admin Viewer
(roles/securitycenter.adminViewer)
Admin Read access to security center
Lowest-level resources where you can grant this role:
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.metadata.*
assuredoss.operations.get
assuredoss.operations.list
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudasset.assets.searchEnrichmentResourceOwners
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.*
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.attackpaths.list
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.complianceReports.aggregate
securitycenter.compliancesnapshots.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.organizationsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.simulate
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.vulnerabilitysnapshots.list
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Security Center Asset Security Marks Writer
(roles/securitycenter.assetSecurityMarksWriter)
Write access to asset security marks
Lowest-level resources where you can grant this role:
securitycenter.assetsecuritymarks.update
securitycenter.userinterfacemetadata.get
Security Center Assets Discovery Runner
(roles/securitycenter.assetsDiscoveryRunner)
Run asset discovery access to assets
Lowest-level resources where you can grant this role:
securitycenter.assets.runDiscovery
securitycenter.userinterfacemetadata.get
Security Center Assets Viewer
(roles/securitycenter.assetsViewer)
Read access to assets
Lowest-level resources where you can grant this role:
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudasset.assets.searchEnrichmentResourceOwners
resourcemanager.folders.get
resourcemanager.organizations.get
resourcemanager.projects.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.userinterfacemetadata.get
Security Center Attack Paths Reader
(roles/securitycenter.attackPathsViewer)
Read access to security center attack paths
securitycenter.attackpaths.list
Security Center BigQuery Exports Editor
(roles/securitycenter.bigQueryExportsEditor)
Read-Write access to security center BigQuery Exports
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*
Security Center BigQuery Exports Viewer
(roles/securitycenter.bigQueryExportsViewer)
Read access to security center BigQuery Exports
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
Security Center Compliance Reports Viewer
Beta
(roles/securitycenter.complianceReportsViewer)
Read access to security center compliance reports
securitycenter.complianceReports.aggregate
Security Center Compliance Snapshots Viewer
Beta
(roles/securitycenter.complianceSnapshotsViewer)
Read access to security center compliance snapshots
securitycenter.complianceReports.aggregate
securitycenter.compliancesnapshots.list
Security Center External Systems Editor
(roles/securitycenter.externalSystemsEditor)
Write access to security center external systems
securitycenter.findingexternalsystems.update
Security Center Finding Security Marks Writer
(roles/securitycenter.findingSecurityMarksWriter)
Write access to finding security marks
Lowest-level resources where you can grant this role:
securitycenter.findingsecuritymarks.update
securitycenter.userinterfacemetadata.get
Security Center Findings Bulk Mute Editor
(roles/securitycenter.findingsBulkMuteEditor)
Ability to mute findings in bulk
securitycenter.findings.bulkMuteUpdate
Security Center Findings Editor
(roles/securitycenter.findingsEditor)
Read-write access to findings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.organizations.get
resourcemanager.projects.get
securitycenter.complianceReports.aggregate
securitycenter.compliancesnapshots.list
securitycenter.findingexplanations.get
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.update
securitycenter.sources.get
securitycenter.sources.list
securitycenter.userinterfacemetadata.get
securitycenter.vulnerabilitysnapshots.list
Security Center Findings Mute Setter
(roles/securitycenter.findingsMuteSetter)
Set mute access to findings
securitycenter.findings.setMute
Security Center Findings State Setter
(roles/securitycenter.findingsStateSetter)
Set state access to findings
Lowest-level resources where you can grant this role:
securitycenter.findings.setState
securitycenter.userinterfacemetadata.get
Security Center Findings Viewer
(roles/securitycenter.findingsViewer)
Read access to findings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.organizations.get
resourcemanager.projects.get
securitycenter.complianceReports.aggregate
securitycenter.compliancesnapshots.list
securitycenter.findingexplanations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list
securitycenter.userinterfacemetadata.get
securitycenter.vulnerabilitysnapshots.list
Security Center Findings Workflow State Setter
Beta
(roles/securitycenter.findingsWorkflowStateSetter)
Set workflow state access to findings
Lowest-level resources where you can grant this role:
securitycenter.findings.setWorkflowState
securitycenter.userinterfacemetadata.get
Security Center Mute Configurations Editor
(roles/securitycenter.muteConfigsEditor)
Read-Write access to security center mute configurations
securitycenter.muteconfigs.*
Security Center Mute Configurations Viewer
(roles/securitycenter.muteConfigsViewer)
Read access to security center mute configurations
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
Security Center Notification Configurations Editor
(roles/securitycenter.notificationConfigEditor)
Write access to notification configurations
Lowest-level resources where you can grant this role:
securitycenter.notificationconfig.*
securitycenter.userinterfacemetadata.get
Security Center Notification Configurations Viewer
(roles/ securitycenter.notificationConfigViewer
)
Read access to notification configurations
Lowest-level resources where you can grant this role:
securitycenter. notificationconfig. get
securitycenter. notificationconfig. list
securitycenter. userinterfacemetadata. get
Security Center Resource Value Configurations Editor
(roles/ securitycenter.resourceValueConfigsEditor
)
Read-Write access to security center resource value configurations
resourcemanager.tagValues.get
securitycenter. resourcevalueconfigs.*
Security Center Resource Value Configurations Viewer
(roles/ securitycenter.resourceValueConfigsViewer
)
Read access to security center resource value configurations
resourcemanager.tagValues.get
securitycenter. resourcevalueconfigs. get
securitycenter. resourcevalueconfigs. list
Security Health Analytics Custom Modules Tester
(roles/ securitycenter.securityHealthAnalyticsCustomModulesTester
)
Test access to Security Health Analytics Custom Modules
securitycenter. securityhealthanalyticscustommodules. simulate
securitycenter. securityhealthanalyticscustommodules. test
securitycentermanagement. securityHealthAnalyticsCustomModules. simulate
securitycentermanagement. securityHealthAnalyticsCustomModules. test
Security Center Settings Admin
(roles/ securitycenter.settingsAdmin
)
Admin (super user) access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*
securitycenter.billingtier.update
securitycenter.containerthreatdetectionsettings.*
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.eventthreatdetectionsettings.*
securitycenter.integratedvulnerabilityscannersettings.*
securitycenter.muteconfigs.*
securitycenter.notificationconfig.*
securitycenter.organizationsettings.*
securitycenter.rapidvulnerabilitydetectionsettings.*
securitycenter.securitycentersettings.*
securitycenter.securityhealthanalyticscustommodules.create
securitycenter.securityhealthanalyticscustommodules.delete
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.update
securitycenter.securityhealthanalyticssettings.*
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.*
securitycenter.websecurityscannersettings.*
securitycentermanagement.*
Security Center Settings Editor
(roles/securitycenter.settingsEditor)
Read-Write access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*
securitycenter.billingtier.update
securitycenter.containerthreatdetectionsettings.*
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.eventthreatdetectionsettings.*
securitycenter.integratedvulnerabilityscannersettings.*
securitycenter.muteconfigs.*
securitycenter.notificationconfig.*
securitycenter.organizationsettings.*
securitycenter.rapidvulnerabilitydetectionsettings.*
securitycenter.securitycentersettings.*
securitycenter.securityhealthanalyticscustommodules.create
securitycenter.securityhealthanalyticscustommodules.delete
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.update
securitycenter.securityhealthanalyticssettings.*
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.*
securitycenter.websecurityscannersettings.*
securitycentermanagement.*
Security Center Settings Viewer
(roles/securitycenter.settingsViewer)
Read access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.organizationsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
Security Center Simulations Reader
(roles/securitycenter.simulationsViewer)
Read access to security center simulations
securitycenter.simulations.get
Security Center Sources Admin
(roles/securitycenter.sourcesAdmin)
Admin access to sources
Lowest-level resources where you can grant this role:
resourcemanager.organizations.get
securitycenter.sources.*
securitycenter.userinterfacemetadata.get
Security Center Sources Editor
(roles/securitycenter.sourcesEditor)
Read-write access to sources
Lowest-level resources where you can grant this role:
resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.userinterfacemetadata.get
Security Center Sources Viewer
(roles/securitycenter.sourcesViewer)
Read access to sources
Lowest-level resources where you can grant this role:
resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.userinterfacemetadata.get
Security Center Valued Resources Reader
(roles/securitycenter.valuedResourcesViewer)
Read access to security center valued resources
securitycenter.valuedresources.list
Security Center Management Admin
(roles/securitycentermanagement.admin)
Full access to manage Cloud Security Command Center services and custom modules configuration.
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.organizationsettings.*
securitycenter.securitycentersettings.*
securitycentermanagement.*
Security Center Management Custom Modules Editor
(roles/securitycentermanagement.customModulesEditor)
Full access to manage Cloud Security Command Center custom modules.
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.eventThreatDetectionCustomModules.*
securitycentermanagement.locations.*
securitycentermanagement.securityHealthAnalyticsCustomModules.*
Security Center Management Custom Modules Viewer
(roles/securitycentermanagement.customModulesViewer)
Readonly access to Cloud Security Command Center custom modules.
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
Security Center Management Custom ETD Modules Editor
(roles/securitycentermanagement.etdCustomModulesEditor)
Full access to manage Cloud Security Command Center ETD custom modules.
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.eventThreatDetectionCustomModules.*
securitycentermanagement.locations.*
Security Center Management ETD Custom Modules Viewer
(roles/securitycentermanagement.etdCustomModulesViewer)
Readonly access to Cloud Security Command Center ETD custom modules.
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
Security Center Management Services Editor
(roles/securitycentermanagement.securityCenterServicesEditor)
Full access to manage Cloud Security Command Center services configuration.
securitycentermanagement.securityCenterServices.*
Security Center Management Services Viewer
(roles/securitycentermanagement.securityCenterServicesViewer)
Readonly access to Cloud Security Command Center services configuration.
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
Security Center Management Settings Editor
(roles/securitycentermanagement.settingsEditor)
Full access to manage Cloud Security Command Center settings
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.organizationsettings.*
securitycenter.securitycentersettings.*
securitycentermanagement.*
Security Center Management Settings Viewer
(roles/securitycentermanagement.settingsViewer)
Readonly access to Cloud Security Command Center settings
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.organizationsettings.get
securitycenter.securitycentersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
Security Center Management SHA Custom Modules Editor
(roles/securitycentermanagement.shaCustomModulesEditor)
Full access to manage Cloud Security Command Center SHA custom modules.
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.locations.*
securitycentermanagement.securityHealthAnalyticsCustomModules.*
Security Center Management SHA Custom Modules Viewer
(roles/securitycentermanagement.shaCustomModulesViewer)
Readonly access to Cloud Security Command Center SHA custom modules.
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.locations.*
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
Security Center Management Viewer
(roles/securitycentermanagement.viewer)
Readonly access to Cloud Security Command Center services and custom modules configuration.
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.organizationsettings.get
securitycenter.securitycentersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
Serverless VPC Access roles
Permissions
Serverless VPC Access Admin
(roles/vpcaccess.admin)
Full access to all Serverless VPC Access resources
resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.*
Serverless VPC Access User
(roles/vpcaccess.user)
User of Serverless VPC Access connectors
compute.networks.access
resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.connectors.get
vpcaccess.connectors.list
vpcaccess.connectors.use
vpcaccess.locations.list
vpcaccess.operations.*
Serverless VPC Access Viewer
(roles/vpcaccess.viewer)
Viewer of all Serverless VPC Access resources
resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.connectors.get
vpcaccess.connectors.list
vpcaccess.locations.list
vpcaccess.operations.*
Service Accounts roles
Permissions
Service Account Admin
(roles/iam.serviceAccountAdmin)
Create and manage service accounts.
Lowest-level resources where you can grant this role:
iam.serviceAccounts.create
iam.serviceAccounts.createTagBinding
iam.serviceAccounts.delete
iam.serviceAccounts.deleteTagBinding
iam.serviceAccounts.disable
iam.serviceAccounts.enable
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.listEffectiveTags
iam.serviceAccounts.listTagBindings
iam.serviceAccounts.setIamPolicy
iam.serviceAccounts.undelete
iam.serviceAccounts.update
resourcemanager.projects.get
resourcemanager.projects.list
Create Service Accounts
(roles/iam.serviceAccountCreator)
Access to create service accounts.
iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Delete Service Accounts
(roles/iam.serviceAccountDeleter)
Access to delete service accounts.
iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Service Account Key Admin
(roles/iam.serviceAccountKeyAdmin)
Create and manage (and rotate) service account keys.
Lowest-level resources where you can grant this role:
iam.serviceAccountKeys.*
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Service Account OpenID Connect Identity Token Creator
(roles/iam.serviceAccountOpenIdTokenCreator)
Create OpenID Connect (OIDC) identity tokens
iam.serviceAccounts.getOpenIdToken
Service Account Token Creator
(roles/iam.serviceAccountTokenCreator)
Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).
Lowest-level resources where you can grant this role:
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
resourcemanager.projects.get
resourcemanager.projects.list
Service Account User
(roles/iam.serviceAccountUser)
Run operations as the service account.
Lowest-level resources where you can grant this role:
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
View Service Accounts
(roles/iam.serviceAccountViewer)
Read access to service accounts, metadata, and keys.
iam.serviceAccountKeys.get
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.listEffectiveTags
iam.serviceAccounts.listTagBindings
resourcemanager.projects.get
resourcemanager.projects.list
Workload Identity User
(roles/iam.workloadIdentityUser)
Impersonate service accounts from federated workloads.
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.list
Service Agents roles
Permissions
Warning: Do not grant service agent roles to any principals except service agents. Some service agent roles contain very powerful permissions, and the permissions within these roles can change without notice. Instead, choose a different predefined role, or create a custom role with the permissions you need.
(roles/aiplatform.batchPredictionServiceAgent)
Vertex AI Batch Prediction Service Agent for serving batch prediction requests.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.models.create
bigquery.models.export
bigquery.models.getData
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
(roles/aiplatform.colabServiceAgent)
Gives Vertex AI Colab the proper permissions to function.
Warning: Do not grant service agent roles to any principals except service agents.
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.globalOperations.get
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.useReadOnly
compute.networks.get
compute.networks.use
compute.networks.useExternalIp
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.useReadOnly
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
iam.serviceAccounts.actAs
notebooks.instances.create
notebooks.instances.delete
notebooks.instances.get
(roles/aiplatform.customCodeServiceAgent)
Gives Vertex AI Custom Code the proper permissions.
Warning: Do not grant service agent roles to any principals except service agents.
aiplatform.agentExamples.*
aiplatform.agents.*
aiplatform.annotationSpecs.*
aiplatform.annotations.*
aiplatform.apps.*
aiplatform.artifacts.*
aiplatform.batchPredictionJobs.*
aiplatform.cacheConfigs.get
aiplatform.cachedContents.*
aiplatform.consents.get
aiplatform.contexts.*
aiplatform.customJobs.*
aiplatform.dataItems.*
aiplatform.dataLabelingJobs.*
aiplatform.datasetVersions.*
aiplatform.datasets.*
aiplatform.deploymentResourcePools.*
aiplatform.edgeDeploymentJobs.*
aiplatform.edgeDeviceDebugInfo.get
aiplatform.edgeDevices.*
aiplatform.endpoints.create
aiplatform.endpoints.delete
aiplatform.endpoints.deploy
aiplatform.endpoints.explain
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.endpoints.predict
aiplatform.endpoints.undeploy
aiplatform.endpoints.update
aiplatform.entityTypes.create
aiplatform.entityTypes.delete
aiplatform.entityTypes.deleteFeatureValues
aiplatform.entityTypes.exportFeatureValues
aiplatform.entityTypes.get
aiplatform.entityTypes.importFeatureValues
aiplatform.entityTypes.list
aiplatform.entityTypes.readFeatureValues
aiplatform.entityTypes.streamingReadFeatureValues
aiplatform.entityTypes.update
aiplatform.entityTypes.writeFeatureValues
aiplatform.executions.*
aiplatform.extensions.*
aiplatform.featureGroups.*
aiplatform.featureOnlineStores.create
aiplatform.featureOnlineStores.delete
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureOnlineStores.update
aiplatform.featureViewSyncs.*
aiplatform.featureViews.create
aiplatform.featureViews.delete
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.searchNearestEntities
aiplatform.featureViews.sync
aiplatform.featureViews.update
aiplatform.features.*
aiplatform.featurestores.batchReadFeatureValues
aiplatform.featurestores.create
aiplatform.featurestores.delete
aiplatform.featurestores.exportFeatures
aiplatform.featurestores.get
aiplatform.featurestores.importFeatures
aiplatform.featurestores.list
aiplatform.featurestores.readFeatures
aiplatform.featurestores.update
aiplatform.featurestores.writeFeatures
aiplatform.humanInTheLoops.*
aiplatform.hyperparameterTuningJobs.*
aiplatform.indexEndpoints.*
aiplatform.indexes.*
aiplatform.locations.*
aiplatform.metadataSchemas.*
aiplatform.metadataStores.*
aiplatform.modelDeploymentMonitoringJobs.*
aiplatform.modelEvaluationSlices.*
aiplatform.modelEvaluations.*
aiplatform.modelMonitoringJobs.*
aiplatform.modelMonitors.*
aiplatform.models.*
aiplatform.nasJobs.*
aiplatform.nasTrialDetails.*
aiplatform.notebookExecutionJobs.*
aiplatform.notebookRuntimeTemplates.apply
aiplatform.notebookRuntimeTemplates.create
aiplatform.notebookRuntimeTemplates.delete
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimeTemplates.update
aiplatform.notebookRuntimes.*
aiplatform.operations.list
aiplatform.persistentResources.get
aiplatform.persistentResources.list
aiplatform.pipelineJobs.*
aiplatform.reasoningEngines.*
aiplatform.schedules.*
aiplatform.sessions.*
aiplatform.specialistPools.*
aiplatform.studies.*
aiplatform.tensorboardExperiments.*
aiplatform.tensorboardRuns.*
aiplatform.tensorboardTimeSeries.*
aiplatform.tensorboards.create
aiplatform.tensorboards.delete
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.tensorboards.update
aiplatform.trainingPipelines.*
aiplatform.trials.*
aiplatform.tuningJobs.*
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.tags.get
artifactregistry.versions.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
logging.logEntries.create
logging.logEntries.route
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
(roles/aiplatform.extensionCustomCodeServiceAgent)
Gives Vertex AI Extension that executes custom code the permissions it needs to function.
Warning: Do not grant service agent roles to any principals except service agents.
logging.logEntries.create
logging.logEntries.route
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
(roles/aiplatform.extensionServiceAgent)
Gives Vertex AI Extension the permissions it needs to function.
Warning: Do not grant service agent roles to any principals except service agents.
aiplatform.endpoints.predict
aiplatform.locations.get
discoveryengine.servingConfigs.search
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
logging.logEntries.create
logging.logEntries.route
serviceusage.services.use
storage.objects.get
(roles/aiplatform.modelMonitoringServiceAgent)
Gives Vertex AI Model Monitoring the permissions it needs to function.
Warning: Do not grant service agent roles to any principals except service agents.
aiplatform.batchPredictionJobs.create
aiplatform.batchPredictionJobs.get
aiplatform.batchPredictionJobs.list
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
monitoring.notificationChannels.get
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
(roles/aiplatform.notebookServiceAgent)
Vertex AI Service Agent used to run Notebook managed resources in user project with restricted permissions.
Warning: Do not grant service agent roles to any principals except service agents.
logging.logEntries.create
logging.logEntries.route
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
(roles/aiplatform.onlinePredictionServiceAgent)
Gives Vertex AI Online Prediction the permissions it needs to function.
Warning: Do not grant service agent roles to any principals except service agents.
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.getIamPolicy
gkehub.memberships.list
serviceusage.services.get
(roles/aiplatform.ragServiceAgent)
Vertex AI Service Agent used by Vertex RAG to access user imported data, Vertex AI, Document AI processors in the project
Warning: Do not grant service agent roles to any principals except service agents.
aiplatform.endpoints.get
aiplatform.endpoints.predict
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.sync
aiplatform.featureViews.update
aiplatform.indexEndpoints.*
aiplatform.indexes.*
aiplatform.models.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
documentai.processorVersions.processOnline
documentai.processors.get
documentai.processors.processOnline
logging.logEntries.create
logging.logEntries.route
storage.buckets.get
storage.buckets.list
storage.objects.get
storage.objects.list
(roles/aiplatform.rapidevalServiceAgent)
Vertex AI Service Agent used by GenAI Rapid Evaluation Service to access publisher model endpoints in the user project
Warning: Do not grant service agent roles to any principals except service agents.
aiplatform.endpoints.predict
(roles/aiplatform.reasoningEngineServiceAgent)
Gives Vertex AI Reasoning Engine the proper permissions to function.
Warning: Do not grant service agent roles to any principals except service agents.
aiplatform.endpoints.create
aiplatform.endpoints.delete
aiplatform.endpoints.deploy
aiplatform.endpoints.explain
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.endpoints.predict
aiplatform.endpoints.undeploy
aiplatform.endpoints.update
cloudtrace.traces.patch
logging.logEntries.create
logging.logEntries.route
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
serviceusage.services.use
storage.buckets.get
storage.buckets.list
storage.objects.get
storage.objects.list
(roles/aiplatform.serviceAgent)
Gives Vertex AI the permissions it needs to function.
Warning: Do not grant service agent roles to any principals except service agents.
aiplatform.agentExamples.*
aiplatform.agents.*
aiplatform.annotationSpecs.*
aiplatform.annotations.*
aiplatform.apps.*
aiplatform.artifacts.*
aiplatform.batchPredictionJobs.*
aiplatform.cacheConfigs.get
aiplatform.cachedContents.*
aiplatform.consents.get
aiplatform.contexts.*
aiplatform.customJobs.*
aiplatform.dataItems.*
aiplatform.dataLabelingJobs.*
aiplatform.datasetVersions.*
aiplatform.datasets.*
aiplatform.deploymentResourcePools.*
aiplatform.edgeDeploymentJobs.*
aiplatform.edgeDeviceDebugInfo.get
aiplatform.edgeDevices.*
aiplatform.endpoints.create
aiplatform.endpoints.delete
aiplatform.endpoints.deploy
aiplatform.endpoints.explain
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.endpoints.predict
aiplatform.endpoints.undeploy
aiplatform.endpoints.update
aiplatform.entityTypes.create
aiplatform.entityTypes.delete
aiplatform.entityTypes.deleteFeatureValues
aiplatform.entityTypes.exportFeatureValues
aiplatform.entityTypes.get
aiplatform.entityTypes.importFeatureValues
aiplatform.entityTypes.list
aiplatform.entityTypes.readFeatureValues
aiplatform.entityTypes.streamingReadFeatureValues
aiplatform.entityTypes.update
aiplatform.entityTypes.writeFeatureValues
aiplatform.executions.*
aiplatform.extensions.*
aiplatform.featureGroups.*
aiplatform.featureOnlineStores.create
aiplatform.featureOnlineStores.delete
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureOnlineStores.update
aiplatform.featureViewSyncs.*
aiplatform.featureViews.create
aiplatform.featureViews.delete
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.searchNearestEntities
aiplatform.featureViews.sync
aiplatform.featureViews.update
aiplatform.features.*
aiplatform.featurestores.batchReadFeatureValues
aiplatform.featurestores.create
aiplatform.featurestores.delete
aiplatform.featurestores.exportFeatures
aiplatform.featurestores.get
aiplatform.featurestores.importFeatures
aiplatform.featurestores.list
aiplatform.featurestores.readFeatures
aiplatform.featurestores.update
aiplatform.featurestores.writeFeatures
aiplatform.humanInTheLoops.*
aiplatform.hyperparameterTuningJobs.*
aiplatform.indexEndpoints.*
aiplatform.indexes.*
aiplatform.locations.*
aiplatform.metadataSchemas.*
aiplatform.metadataStores.*
aiplatform.modelDeploymentMonitoringJobs.*
aiplatform.modelEvaluationSlices.*
aiplatform.modelEvaluations.*
aiplatform.modelMonitoringJobs.*
aiplatform.modelMonitors.*
aiplatform.models.*
aiplatform.nasJobs.*
aiplatform.nasTrialDetails.*
aiplatform.notebookExecutionJobs.*
aiplatform.notebookRuntimeTemplates.apply
aiplatform.notebookRuntimeTemplates.create
aiplatform.notebookRuntimeTemplates.delete
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimeTemplates.update
aiplatform.notebookRuntimes.*
aiplatform.operations.list
aiplatform.persistentResources.get
aiplatform.persistentResources.list
aiplatform.pipelineJobs.*
aiplatform.reasoningEngines.*
aiplatform.schedules.*
aiplatform.sessions.*
aiplatform.specialistPools.*
aiplatform.studies.*
aiplatform.tensorboardExperiments.*
aiplatform.tensorboardRuns.*
aiplatform.tensorboardTimeSeries.*
aiplatform.tensorboards.create
aiplatform.tensorboards.delete
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.tensorboards.update
aiplatform.trainingPipelines.*
aiplatform.trials.*
aiplatform.tuningJobs.*
artifactregistry.repositories.create
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.get
artifactregistry.versions.get
automl.datasets.export
automl.datasets.get
automl.datasets.list
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.tableSpecs.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.models.create
bigquery.models.export
bigquery.models.getData
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.globalOperations.get
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.useReadOnly
compute.machineTypes.get
compute.networks.get
compute.networks.use
compute.networks.useExternalIp
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.useReadOnly
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
datalabeling.annotateddatasets.get
datalabeling.datasets.export
datalabeling.datasets.get
datalabeling.datasets.list
datalabeling.operations.get
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
logging.logEntries.create
logging.logEntries.route
ml.models.list
ml.operations.get
ml.versions.get
ml.versions.list
monitoring.notificationChannels.get
notebooks.instances.create
notebooks.instances.delete
notebooks.instances.get
resourcemanager.projects.get
resourcemanager.projects.list
run.executions.delete
run.executions.get
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.run
run.jobs.update
run.operations.delete
run.operations.get
run.routes.invoke
run.services.create
run.services.delete
run.services.get
serviceusage.services.list
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
(roles/aiplatform.tuningServiceAgent)
Vertex AI Service Agent used for tuning in user project.
Warning: Do not grant service agent roles to any principals except service agents.
aiplatform.artifacts.*
aiplatform.batchPredictionJobs.cancel
aiplatform.batchPredictionJobs.create
aiplatform.batchPredictionJobs.get
aiplatform.contexts.*
aiplatform.endpoints.create
aiplatform.endpoints.deploy
aiplatform.endpoints.get
aiplatform.locations.get
aiplatform.metadataSchemas.*
aiplatform.metadataStores.*
aiplatform.models.get
aiplatform.models.update
aiplatform.models.upload
aiplatform.operations.list
aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list
aiplatform.tensorboardExperiments.*
aiplatform.tensorboardRuns.*
aiplatform.tensorboardTimeSeries.*
aiplatform.tensorboards.create
aiplatform.tensorboards.delete
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.tensorboards.update
aiplatform.tuningJobs.*
resourcemanager.projects.get
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.update
AlloyDB Service Agent
(roles/alloydb.serviceAgent)
Gives the AlloyDB service account permission to manage customer resources
Warning: Do not grant service agent roles to any principals except service agents.
alloydb.clusters.list
Anthos Service Agent
(roles/anthos.serviceAgent)
Gives the Anthos service agent access to Google Cloud resources.
Warning: Do not grant service agent roles to any principals except service agents.
gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
serviceusage.services.get
serviceusage.services.list
Anthos Audit Service Agent
(roles/anthosaudit.serviceAgent)
Gives the Anthos Audit service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except service agents.
gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
Anthos Config Management Service Agent
(roles/anthosconfigmanagement.serviceAgent)
Gives the Anthos Config Management service agent access to Google Cloud resources.
Warning: Do not grant service agent roles to any principals except service agents.
container.clusters.get
gkehub.features.get
gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
Anthos Identity Service Agent
(roles/anthosidentityservice.serviceAgent)
Gives the Anthos Identity service agent access to Google Cloud resources.
Warning: Do not grant service agent roles to any principals except service agents.
gkehub.features.get
gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
Anthos Policy Controller Service Agent
(roles/anthospolicycontroller.serviceAgent)
Gives the Anthos Policy Controller service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except service agents.
gkehub.features.get
gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
Anthos Service Mesh Service Agent
(roles/anthosservicemesh.serviceAgent)
Gives the Anthos Service Mesh service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except service agents.
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.update
compute.backendServices.use
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use
compute.globalOperations.get
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.healthChecks.useReadOnly
compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.detachNetworkEndpoints
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.use
compute.networks.updatePolicy
compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.detachNetworkEndpoints
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use
compute.regions.list
compute.zones.list
container.backendConfigs.*
container.clusterRoleBindings.*
container.clusterRoles.*
container.clusters.get
container.clusters.update
container.configMaps.*
container.customResourceDefinitions.create
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.customResourceDefinitions.update
container.daemonSets.create
container.daemonSets.delete
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.daemonSets.update
container.deployments.get
container.deployments.list
container.events.get
container.events.list
container.jobs.create
container.jobs.delete
container.jobs.get
container.jobs.list
container.jobs.update
container.mutatingWebhookConfigurations.create
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.mutatingWebhookConfigurations.update
container.namespaces.create
container.namespaces.get
container.namespaces.list
container.operations.get
container.pods.get
container.pods.list
container.secrets.*
container.serviceAccounts.create
container.serviceAccounts.delete
container.serviceAccounts.get
container.serviceAccounts.list
container.serviceAccounts.update
container.services.get
container.services.list
container.thirdPartyObjects.create
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyObjects.update
container.validatingWebhookConfigurations.*
gkehub.features.get
gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
logging.logEntries.create
meshconfig.projects.init
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
networksecurity.authorizationPolicies.create
networksecurity.authorizationPolicies.delete
networksecurity.authorizationPolicies.get
networksecurity.authorizationPolicies.list
networksecurity.authorizationPolicies.update
networksecurity.authorizationPolicies.use
networksecurity.clientTlsPolicies.create
networksecurity.clientTlsPolicies.delete
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.update
networksecurity.clientTlsPolicies.use
networksecurity.operations.*
networksecurity.serverTlsPolicies.create
networksecurity.serverTlsPolicies.delete
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.update
networksecurity.serverTlsPolicies.use
networkservices.endpointPolicies.*
networkservices.gateways.*
networkservices.grpcRoutes.*
networkservices.httpFilters.*
networkservices.httpRoutes.*
networkservices.meshes.*
networkservices.operations.*
networkservices.serviceLbPolicies.*
networkservices.tcpRoutes.*
networkservices.tlsRoutes.*
serviceusage.services.get
serviceusage.services.use
trafficdirector.*
workloadcertificate.locations.*
workloadcertificate.operations.get
workloadcertificate.workloadCertificateFeature.get
workloadcertificate.workloadRegistrations.create
workloadcertificate.workloadRegistrations.get
workloadcertificate.workloadRegistrations.list
Anthos Support Service Agent
(roles/anthossupport.serviceAgent)
Gives the Anthos Support Service Agent access to Cloud Platform resource.
Warning: Do not grant service agent roles to any principals except service agents.
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.fleet.getFreeTrial
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.locations.*
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipfeatures.get
gkehub.membershipfeatures.list
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.operations.get
gkehub.operations.list
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.scopes.get
gkehub.scopes.list
gkehub.scopes.listBoundMemberships
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
Cloud API Gateway Service Agent
(roles/apigateway.serviceAgent)
Gives Cloud API Gateway service account access to Service Management check and reports as well as impersonation on user-specified service accounts.
Warning: Do not grant service agent roles to any principals except service agents.
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
servicemanagement.services.check
servicemanagement.services.quota
servicemanagement.services.report
Cloud API Gateway Management Service Agent
(roles/apigateway_management.serviceAgent)
Gives Cloud API Gateway service account access to retrieve a Service configuration.
Warning: Do not grant service agent roles to any principals except service agents.
iam.serviceAccounts.get
servicemanagement.services.create
servicemanagement.services.delete
servicemanagement.services.get
servicemanagement.services.list
servicemanagement.services.update
serviceusage.services.get
Apigee Service Agent
(roles/apigee.serviceAgent)
Service agent that grants access to Apigee resources - API Products, Developers, Developer Apps, and App Keys.
Warning: Do not grant service agent roles to any principals except service agents.
apigee.apiproducts.get
apigee.apiproducts.list
apigee.appkeys.create
apigee.appkeys.delete
apigee.appkeys.manage
apigee.apps.get
apigee.canaryevaluations.*
apigee.developerapps.*
apigee.developers.create
apigee.developers.delete
apigee.developers.get
apigee.environments.get
apigee.environments.getDataLocation
apigee.environments.manageRuntime
apigee.ingressconfigs.get
apigee.instances.reportStatus
apigee.operations.*
apigee.organizations.get
apigee.proxyrevisions.get
apigee.runtimeconfigs.get
cloudtrace.traces.patch
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
logging.buckets.create
logging.buckets.get
logging.buckets.list
logging.views.create
logging.views.get
logging.views.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
API-Hub Runtime Project Service Agent
(roles/apihub.runtimeProjectServiceAgent)
Gives API-Hub Service Account access to runtime project resources.
Warning: Do not grant service agent roles to any principals except service agents.
apigee.deployments.list
apigee.envgroupattachments.list
apigee.envgroups.list
apigee.environments.get
apigee.organizations.get
apigee.proxyrevisions.get
APIM API Discovery Service Agent
(roles/apim.apiDiscoveryServiceAgent)
Gives APIM the ability to manage resources in consumer project
Warning: Do not grant service agent roles to any principals except service agents.
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.update
compute.backendServices.use
compute.globalOperations.get
compute.networks.use
compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.update
compute.regionBackendServices.use
compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.detachNetworkEndpoints
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use
compute.regionOperations.get
compute.subnetworks.use
networkservices.operations.*
App Development Experience Service Agent
(roles/appdevelopmentexperience.serviceAgent)
Give the App Development Experience service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except service agents.
container.clusters.get
container.clusters.update
gkehub.features.get
gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
App Engine Standard Environment Service Agent
(roles/appengine.serviceAgent)
Give App Engine Standard Environment service account access to managed resources. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except service agents.
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.aptartifacts.create
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.kfpartifacts.create
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.yumartifacts.create
datastore.databases.get
datastore.entities.create
datastore.entities.delete
datastore.entities.get
datastore.entities.list
datastore.entities.update
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.signBlob
serviceusage.services.enable
serviceusage.services.get
storage.buckets.create
storage.buckets.get
App Engine flexible environment Service Agent
(roles/appengineflex.serviceAgent)
Can edit and manage App Engine Flexible Environment apps. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except service agents.
artifactregistry.projectsettings.get
artifactregistry.repositories.create
artifactregistry.repositories.get
artifactregistry.repositories.uploadArtifacts
billing.accounts.get
cloudbuild.builds.create
cloudbuild.builds.get
compute.addresses.create
compute.addresses.delete
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.update
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.update
compute.backendServices.use
compute.disks.create
compute.disks.list
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.globalAddresses.create
compute.globalAddresses.delete
compute.globalAddresses.get
compute.globalAddresses.use
compute.globalForwardingRules.create
compute.globalForwardingRules.delete
compute.globalForwardingRules.get
compute.globalOperations.get
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.update
compute.healthChecks.useReadOnly
compute.httpHealthChecks.create
compute.httpHealthChecks.delete
compute.httpHealthChecks.get
compute.httpHealthChecks.use
compute.httpHealthChecks.useReadOnly
compute.httpsHealthChecks.create
compute.httpsHealthChecks.delete
compute.httpsHealthChecks.get
compute.httpsHealthChecks.update
compute.httpsHealthChecks.use
compute.httpsHealthChecks.useReadOnly
compute.images.get
compute.images.useReadOnly
compute.instanceGroupManagers.create
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.get
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.update
compute.instanceGroups.use
compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.reset
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.use
compute.machineTypes.get
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.update
compute.regionBackendServices.use
compute.regionOperations.get
compute.regions.get
compute.routes.create
compute.routes.delete
compute.routes.get
compute.routes.list
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetHttpProxies.create
compute.targetHttpProxies.delete
compute.targetHttpProxies.get
compute.targetHttpProxies.use
compute.targetHttpsProxies.create
compute.targetHttpsProxies.delete
compute.targetHttpsProxies.get
compute.targetHttpsProxies.setSslCertificates
compute.targetHttpsProxies.use
compute.urlMaps.create
compute.urlMaps.delete
compute.urlMaps.get
compute.urlMaps.update
compute.urlMaps.use
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
deploymentmanager.compositeTypes.get
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.update
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.typeProviders.create
deploymentmanager.typeProviders.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
logging.logEntries.create
logging.logMetrics.create
logging.logMetrics.delete
logging.logMetrics.get
logging.logMetrics.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
serviceusage.services.enable
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
Artifact Registry Service Agent
(roles/artifactregistry.serviceAgent)
Gives the Artifact Registry service account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.versions.delete
pubsub.topics.publish
Assured Workloads Monitoring Service Agent
(roles/assuredworkloads.monitoringServiceAgent)
Gives the Assured Workloads service account access to create CAIS feed and monitor Assured Workloads.
Warning: Do not grant service agent roles to any principals except service agents.
cloudasset.assets.exportResource
cloudasset.assets.listResource
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.get
Assured Workloads Service Agent
(roles/assuredworkloads.serviceAgent)
Gives the Assured Workloads service account access to create KMS keyrings and keys, monitor Assured Workloads and read Organization Policies.
Warning: Do not grant service agent roles to any principals except service agents.
cloudkms.cryptoKeys.create
cloudkms.keyRings.create
orgpolicy.policies.list
orgpolicy.policy.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.use
Audit Manager Auditing Service Agent
(roles/auditmanager.serviceAgent)
Grants Audit Manager Service Agent access to various list/get rpcs of products to perform an audit.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.datasets.get
certificatemanager.certs.list
certificatemanager.trustconfigs.list
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.analyzeMove
cloudasset.assets.analyzeOrgPolicy
cloudasset.assets.exportAccessLevel
cloudasset.assets.exportAccessPolicy
cloudasset.assets.exportAiplatformBatchPredictionJobs
cloudasset.assets.exportAiplatformCustomJobs
cloudasset.assets.exportAiplatformDataLabelingJobs
cloudasset.assets.exportAiplatformDatasets
cloudasset.assets.exportAiplatformEndpoints
cloudasset.assets.exportAiplatformHyperparameterTuningJobs
cloudasset.assets.exportAiplatformMetadataStores
cloudasset.assets.exportAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.exportAiplatformModels
cloudasset.assets.exportAiplatformPipelineJobs
cloudasset.assets.exportAiplatformSpecialistPools
cloudasset.assets.exportAiplatformTrainingPipelines
cloudasset.assets.exportAllAccessPolicy
cloudasset.assets.exportAnthosConnectedCluster
cloudasset.assets.exportAnthosedgeCluster
cloudasset.assets.exportApigatewayApi
cloudasset.assets.exportApigatewayApiConfig
cloudasset.assets.exportApigatewayGateway
cloudasset.assets.exportApikeysKeys
cloudasset.assets.exportAppengineApplications
cloudasset.assets.exportAppengineServices
cloudasset.assets.exportAppengineVersions
cloudasset.assets.exportArtifactregistryDockerImages
cloudasset.assets.exportArtifactregistryRepositories
cloudasset.assets.exportAssuredWorkloadsWorkloads
cloudasset.assets.exportBeyondCorpApiGateways
cloudasset.assets.exportBeyondCorpAppConnections
cloudasset.assets.exportBeyondCorpAppConnectors
cloudasset.assets.exportBeyondCorpAppGateways
cloudasset.assets.exportBeyondCorpClientConnectorServices
cloudasset.assets.exportBeyondCorpClientGateways
cloudasset.assets.exportBigqueryDatasets
cloudasset.assets.exportBigqueryModels
cloudasset.assets.exportBigqueryTables
cloudasset.assets.exportBigtableAppProfile
cloudasset.assets.exportBigtableBackup
cloudasset.assets.exportBigtableCluster
cloudasset.assets.exportBigtableInstance
cloudasset.assets.exportBigtableTable
cloudasset.assets.exportCloudAssetFeeds
cloudasset.assets.exportCloudDeployDeliveryPipelines
cloudasset.assets.exportCloudDeployReleases
cloudasset.assets.exportCloudDeployRollouts
cloudasset.assets.exportCloudDeployTargets
cloudasset.assets.exportCloudDocumentAIEvaluation
cloudasset.assets.exportCloudDocumentAIHumanReviewConfig
cloudasset.assets.exportCloudDocumentAILabelerPool
cloudasset.assets.exportCloudDocumentAIProcessor
cloudasset.assets.exportCloudDocumentAIProcessorVersion
cloudasset.assets.exportCloudbillingBillingAccounts
cloudasset.assets.exportCloudbillingProjectBillingInfos
cloudasset.assets.exportCloudfunctionsFunctions
cloudasset.assets.exportCloudfunctionsGen2Functions
cloudasset.assets.exportCloudkmsCryptoKeyVersions
cloudasset.assets.exportCloudkmsCryptoKeys
cloudasset.assets.exportCloudkmsEkmConnections
cloudasset.assets.exportCloudkmsImportJobs
cloudasset.assets.exportCloudkmsKeyRings
cloudasset.assets.exportCloudmemcacheInstances
cloudasset.assets.exportCloudresourcemanagerFolders
cloudasset.assets.exportCloudresourcemanagerOrganizations
cloudasset.assets.exportCloudresourcemanagerProjects
cloudasset.assets.exportCloudresourcemanagerTagBindings
cloudasset.assets.exportCloudresourcemanagerTagKeys
cloudasset.assets.exportCloudresourcemanagerTagValues
cloudasset.assets.exportComposerEnvironments
cloudasset.assets.exportComputeAddress
cloudasset.assets.exportComputeAutoscalers
cloudasset.assets.exportComputeBackendBuckets
cloudasset.assets.exportComputeBackendServices
cloudasset.assets.exportComputeCommitments
cloudasset.assets.exportComputeDisks
cloudasset.assets.exportComputeExternalVpnGateways
cloudasset.assets.exportComputeFirewallPolicies
cloudasset.assets.exportComputeFirewalls
cloudasset.assets.exportComputeForwardingRules
cloudasset.assets.exportComputeGlobalAddress
cloudasset.assets.exportComputeGlobalForwardingRules
cloudasset.assets.exportComputeHealthChecks
cloudasset.assets.exportComputeHttpHealthChecks
cloudasset.assets.exportComputeHttpsHealthChecks
cloudasset.assets.exportComputeImages
cloudasset.assets.exportComputeInstanceGroupManagers
cloudasset.assets.exportComputeInstanceGroups
cloudasset.assets.exportComputeInstanceTemplates
cloudasset.assets.exportComputeInstances
cloudasset.assets.exportComputeInterconnect
cloudasset.assets.exportComputeInterconnectAttachment
cloudasset.assets.exportComputeLicenses
cloudasset.assets.exportComputeNetworkEndpointGroups
cloudasset.assets.exportComputeNetworks
cloudasset.assets.exportComputeNodeGroups
cloudasset.assets.exportComputeNodeTemplates
cloudasset.assets.exportComputePacketMirrorings
cloudasset.assets.exportComputeProjects
cloudasset.assets.exportComputeRegionAutoscaler
cloudasset.assets.exportComputeRegionBackendServices
cloudasset.assets.exportComputeRegionDisk
cloudasset.assets.exportComputeRegionInstanceGroup
cloudasset.assets.exportComputeRegionInstanceGroupManager
cloudasset.assets.exportComputeReservations
cloudasset.assets.exportComputeResourcePolicies
cloudasset.assets.exportComputeRouters
cloudasset.assets.exportComputeRoutes
cloudasset.assets.exportComputeSecurityPolicy
cloudasset.assets.exportComputeServiceAttachments
cloudasset.assets.exportComputeSnapshots
cloudasset.assets.exportComputeSslCertificates
cloudasset. assets. exportComputeSslPolicies
cloudasset. assets. exportComputeSubnetworks
cloudasset. assets. exportComputeTargetHttpProxies
cloudasset. assets. exportComputeTargetHttpsProxies
cloudasset. assets. exportComputeTargetInstances
cloudasset. assets. exportComputeTargetPools
cloudasset. assets. exportComputeTargetSslProxies
cloudasset. assets. exportComputeTargetTcpProxies
cloudasset. assets. exportComputeTargetVpnGateways
cloudasset. assets. exportComputeUrlMaps
cloudasset. assets. exportComputeVpnGateways
cloudasset. assets. exportComputeVpnTunnels
cloudasset. assets. exportConnectorsConnections
cloudasset. assets. exportConnectorsConnectorVersions
cloudasset. assets. exportConnectorsConnectors
cloudasset. assets. exportConnectorsProviders
cloudasset. assets. exportConnectorsRuntimeConfigs
cloudasset.assets.exportContainerAppsDeployment
cloudasset.assets.exportContainerAppsReplicaSets
cloudasset.assets.exportContainerBatchJobs
cloudasset.assets.exportContainerClusterrole
cloudasset.assets.exportContainerClusterrolebinding
cloudasset.assets.exportContainerClusters
cloudasset.assets.exportContainerExtensionsIngresses
cloudasset.assets.exportContainerJobs
cloudasset.assets.exportContainerNamespace
cloudasset.assets.exportContainerNetworkingIngresses
cloudasset.assets.exportContainerNetworkingNetworkPolicies
cloudasset.assets.exportContainerNode
cloudasset.assets.exportContainerNodepool
cloudasset.assets.exportContainerPod
cloudasset.assets.exportContainerReplicaSets
cloudasset.assets.exportContainerRole
cloudasset.assets.exportContainerRolebinding
cloudasset.assets.exportContainerServices
cloudasset.assets.exportContainerregistryImage
cloudasset.assets.exportDataMigrationConnectionProfiles
cloudasset.assets.exportDataMigrationMigrationJobs
cloudasset.assets.exportDataflowJobs
cloudasset.assets.exportDatafusionInstance
cloudasset.assets.exportDataplexAssets
cloudasset.assets.exportDataplexLakes
cloudasset.assets.exportDataplexTasks
cloudasset.assets.exportDataplexZones
cloudasset.assets.exportDataprocAutoscalingPolicies
cloudasset.assets.exportDataprocBatches
cloudasset.assets.exportDataprocClusters
cloudasset.assets.exportDataprocJobs
cloudasset.assets.exportDataprocSessions
cloudasset.assets.exportDataprocWorkflowTemplates
cloudasset.assets.exportDatastreamConnectionProfile
cloudasset.assets.exportDatastreamPrivateConnection
cloudasset.assets.exportDatastreamStream
cloudasset.assets.exportDialogflowAgents
cloudasset.assets.exportDialogflowConversationProfiles
cloudasset.assets.exportDialogflowKnowledgeBases
cloudasset.assets.exportDialogflowLocationSettings
cloudasset.assets.exportDlpDeidentifyTemplates
cloudasset.assets.exportDlpDlpJobs
cloudasset.assets.exportDlpInspectTemplates
cloudasset.assets.exportDlpJobTriggers
cloudasset.assets.exportDlpStoredInfoTypes
cloudasset.assets.exportDnsManagedZones
cloudasset.assets.exportDnsPolicies
cloudasset.assets.exportDomainsRegistrations
cloudasset.assets.exportEventarcTriggers
cloudasset.assets.exportFileBackups
cloudasset.assets.exportFileInstances
cloudasset.assets.exportFirebaseAppInfos
cloudasset.assets.exportFirebaseProjects
cloudasset.assets.exportFirestoreDatabases
cloudasset.assets.exportGKEHubFeatures
cloudasset.assets.exportGKEHubMemberships
cloudasset.assets.exportGameservicesGameServerClusters
cloudasset.assets.exportGameservicesGameServerConfigs
cloudasset.assets.exportGameservicesGameServerDeployments
cloudasset.assets.exportGameservicesRealms
cloudasset.assets.exportGkeBackupBackupPlans
cloudasset.assets.exportGkeBackupBackups
cloudasset.assets.exportGkeBackupRestorePlans
cloudasset.assets.exportGkeBackupRestores
cloudasset.assets.exportGkeBackupVolumeBackups
cloudasset.assets.exportGkeBackupVolumeRestores
cloudasset.assets.exportHealthcareConsentStores
cloudasset.assets.exportHealthcareDatasets
cloudasset.assets.exportHealthcareDicomStores
cloudasset.assets.exportHealthcareFhirStores
cloudasset.assets.exportHealthcareHl7V2Stores
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportIamRoles
cloudasset.assets.exportIamServiceAccountKeys
cloudasset.assets.exportIamServiceAccounts
cloudasset.assets.exportIapTunnel
cloudasset.assets.exportIapTunnelInstances
cloudasset.assets.exportIapTunnelZones
cloudasset.assets.exportIapWeb
cloudasset.assets.exportIapWebServiceVersion
cloudasset.assets.exportIapWebServices
cloudasset.assets.exportIapWebType
cloudasset.assets.exportIdsEndpoints
cloudasset.assets.exportIntegrationsAuthConfigs
cloudasset.assets.exportIntegrationsCertificates
cloudasset.assets.exportIntegrationsExecutions
cloudasset.assets.exportIntegrationsIntegrationVersions
cloudasset.assets.exportIntegrationsIntegrations
cloudasset.assets.exportIntegrationsSfdcChannels
cloudasset.assets.exportIntegrationsSfdcInstances
cloudasset.assets.exportIntegrationsSuspensions
cloudasset.assets.exportLoggingLogMetrics
cloudasset.assets.exportLoggingLogSinks
cloudasset.assets.exportManagedidentitiesDomain
cloudasset.assets.exportMetastoreBackups
cloudasset.assets.exportMetastoreMetadataImports
cloudasset.assets.exportMetastoreServices
cloudasset.assets.exportMonitoringAlertPolicies
cloudasset.assets.exportNetworkConnectivityHubs
cloudasset.assets.exportNetworkConnectivitySpokes
cloudasset.assets.exportNetworkManagementConnectivityTests
cloudasset.assets.exportNetworkServicesEndpointPolicies
cloudasset.assets.exportNetworkServicesGateways
cloudasset.assets.exportNetworkServicesGrpcRoutes
cloudasset.assets.exportNetworkServicesHttpRoutes
cloudasset.assets.exportNetworkServicesMeshes
cloudasset.assets.exportNetworkServicesServiceBindings
cloudasset.assets.exportNetworkServicesTcpRoutes
cloudasset.assets.exportNetworkServicesTlsRoutes
cloudasset.assets.exportOSConfigOSPolicyAssignmentReports
cloudasset.assets.exportOSConfigOSPolicyAssignments
cloudasset.assets.exportOSConfigVulnerabilityReports
cloudasset.assets.exportOSInventories
cloudasset.assets.exportOrgPolicy
cloudasset.assets.exportPatchDeployments
cloudasset.assets.exportPubsubSnapshots
cloudasset.assets.exportPubsubSubscriptions
cloudasset.assets.exportPubsubTopics
cloudasset.assets.exportRedisInstances
cloudasset.assets.exportResource
cloudasset.assets.exportSecretManagerSecretVersions
cloudasset.assets.exportSecretManagerSecrets
cloudasset.assets.exportServiceDirectoryNamespaces
cloudasset.assets.exportServicePerimeter
cloudasset.assets.exportServiceconsumermanagementConsumerProperty
cloudasset.assets.exportServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.exportServiceconsumermanagementConsumers
cloudasset.assets.exportServiceconsumermanagementProducerOverrides
cloudasset.assets.exportServiceconsumermanagementTenancyUnits
cloudasset.assets.exportServiceconsumermanagementVisibility
cloudasset.assets.exportServicemanagementServices
cloudasset.assets.exportServiceusageAdminOverrides
cloudasset.assets.exportServiceusageConsumerOverrides
cloudasset.assets.exportServiceusageServices
cloudasset.assets.exportSpannerBackups
cloudasset.assets.exportSpannerDatabases
cloudasset.assets.exportSpannerInstances
cloudasset.assets.exportSpeakerIdPhrases
cloudasset.assets.exportSpeakerIdSettings
cloudasset.assets.exportSpeakerIdSpeakers
cloudasset.assets.exportSpeechCustomClasses
cloudasset.assets.exportSpeechPhraseSets
cloudasset.assets.exportSqladminBackupRuns
cloudasset.assets.exportSqladminInstances
cloudasset.assets.exportStorageBuckets
cloudasset.assets.exportTpuNodes
cloudasset.assets.exportVpcaccessConnector
cloudasset.assets.listAccessLevel
cloudasset.assets.listAccessPolicy
cloudasset.assets.listAiplatformBatchPredictionJobs
cloudasset.assets.listAiplatformCustomJobs
cloudasset.assets.listAiplatformDataLabelingJobs
cloudasset.assets.listAiplatformDatasets
cloudasset.assets.listAiplatformEndpoints
cloudasset.assets.listAiplatformHyperparameterTuningJobs
cloudasset.assets.listAiplatformMetadataStores
cloudasset.assets.listAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.listAiplatformModels
cloudasset.assets.listAiplatformPipelineJobs
cloudasset.assets.listAiplatformSpecialistPools
cloudasset.assets.listAiplatformTrainingPipelines
cloudasset.assets.listAllAccessPolicy
cloudasset.assets.listAnthosConnectedCluster
cloudasset.assets.listAnthosedgeCluster
cloudasset.assets.listApigatewayApi
cloudasset.assets.listApigatewayApiConfig
cloudasset.assets.listApigatewayGateway
cloudasset.assets.listApikeysKeys
cloudasset.assets.listAppengineApplications
cloudasset.assets.listAppengineServices
cloudasset.assets.listAppengineVersions
cloudasset.assets.listArtifactregistryDockerImages
cloudasset.assets.listArtifactregistryRepositories
cloudasset.assets.listAssuredWorkloadsWorkloads
cloudasset.assets.listBeyondCorpApiGateways
cloudasset.assets.listBeyondCorpAppConnections
cloudasset.assets.listBeyondCorpAppConnectors
cloudasset.assets.listBeyondCorpAppGateways
cloudasset.assets.listBeyondCorpClientConnectorServices
cloudasset.assets.listBeyondCorpClientGateways
cloudasset.assets.listBigqueryDatasets
cloudasset.assets.listBigqueryModels
cloudasset.assets.listBigqueryTables
cloudasset.assets.listBigtableAppProfile
cloudasset.assets.listBigtableBackup
cloudasset.assets.listBigtableCluster
cloudasset.assets.listBigtableInstance
cloudasset.assets.listBigtableTable
cloudasset.assets.listCloudAssetFeeds
cloudasset.assets.listCloudDeployDeliveryPipelines
cloudasset.assets.listCloudDeployReleases
cloudasset.assets.listCloudDeployRollouts
cloudasset.assets.listCloudDeployTargets
cloudasset.assets.listCloudDocumentAIEvaluation
cloudasset.assets.listCloudDocumentAIHumanReviewConfig
cloudasset.assets.listCloudDocumentAILabelerPool
cloudasset.assets.listCloudDocumentAIProcessor
cloudasset.assets.listCloudDocumentAIProcessorVersion
cloudasset.assets.listCloudbillingBillingAccounts
cloudasset.assets.listCloudbillingProjectBillingInfos
cloudasset.assets.listCloudfunctionsFunctions
cloudasset.assets.listCloudfunctionsGen2Functions
cloudasset.assets.listCloudkmsCryptoKeyVersions
cloudasset.assets.listCloudkmsCryptoKeys
cloudasset.assets.listCloudkmsEkmConnections
cloudasset.assets.listCloudkmsImportJobs
cloudasset.assets.listCloudkmsKeyRings
cloudasset.assets.listCloudmemcacheInstances
cloudasset.assets.listCloudresourcemanagerFolders
cloudasset.assets.listCloudresourcemanagerOrganizations
cloudasset.assets.listCloudresourcemanagerProjects
cloudasset.assets.listCloudresourcemanagerTagBindings
cloudasset.assets.listCloudresourcemanagerTagKeys
cloudasset.assets.listCloudresourcemanagerTagValues
cloudasset.assets.listComposerEnvironments
cloudasset.assets.listComputeAddress
cloudasset.assets.listComputeAutoscalers
cloudasset.assets.listComputeBackendBuckets
cloudasset.assets.listComputeBackendServices
cloudasset.assets.listComputeCommitments
cloudasset.assets.listComputeDisks
cloudasset.assets.listComputeExternalVpnGateways
cloudasset.assets.listComputeFirewallPolicies
cloudasset.assets.listComputeFirewalls
cloudasset.assets.listComputeForwardingRules
cloudasset.assets.listComputeGlobalAddress
cloudasset.assets.listComputeGlobalForwardingRules
cloudasset.assets.listComputeHealthChecks
cloudasset.assets.listComputeHttpHealthChecks
cloudasset.assets.listComputeHttpsHealthChecks
cloudasset.assets.listComputeImages
cloudasset.assets.listComputeInstanceGroupManagers
cloudasset.assets.listComputeInstanceGroups
cloudasset.assets.listComputeInstanceTemplates
cloudasset.assets.listComputeInstances
cloudasset.assets.listComputeInterconnect
cloudasset.assets.listComputeInterconnectAttachment
cloudasset.assets.listComputeLicenses
cloudasset.assets.listComputeNetworkEndpointGroups
cloudasset.assets.listComputeNetworks
cloudasset.assets.listComputeNodeGroups
cloudasset.assets.listComputeNodeTemplates
cloudasset.assets.listComputePacketMirrorings
cloudasset.assets.listComputeProjects
cloudasset.assets.listComputeRegionAutoscaler
cloudasset.assets.listComputeRegionBackendServices
cloudasset.assets.listComputeRegionDisk
cloudasset.assets.listComputeRegionInstanceGroup
cloudasset.assets.listComputeRegionInstanceGroupManager
cloudasset.assets.listComputeReservations
cloudasset.assets.listComputeResourcePolicies
cloudasset.assets.listComputeRouters
cloudasset.assets.listComputeRoutes
cloudasset.assets.listComputeSecurityPolicy
cloudasset.assets.listComputeServiceAttachments
cloudasset.assets.listComputeSnapshots
cloudasset.assets.listComputeSslCertificates
cloudasset.assets.listComputeSslPolicies
cloudasset.assets.listComputeSubnetworks
cloudasset.assets.listComputeTargetHttpProxies
cloudasset.assets.listComputeTargetHttpsProxies
cloudasset.assets.listComputeTargetInstances
cloudasset.assets.listComputeTargetPools
cloudasset.assets.listComputeTargetSslProxies
cloudasset.assets.listComputeTargetTcpProxies
cloudasset.assets.listComputeTargetVpnGateways
cloudasset.assets.listComputeUrlMaps
cloudasset.assets.listComputeVpnGateways
cloudasset.assets.listComputeVpnTunnels
cloudasset.assets.listConnectorsConnections
cloudasset.assets.listConnectorsConnectorVersions
cloudasset.assets.listConnectorsConnectors
cloudasset.assets.listConnectorsProviders
cloudasset.assets.listConnectorsRuntimeConfigs
cloudasset.assets.listContainerAppsDeployment
cloudasset.assets.listContainerAppsReplicaSets
cloudasset.assets.listContainerBatchJobs
cloudasset.assets.listContainerClusterrole
cloudasset.assets.listContainerClusterrolebinding
cloudasset.assets.listContainerClusters
cloudasset.assets.listContainerExtensionsIngresses
cloudasset.assets.listContainerJobs
cloudasset.assets.listContainerNamespace
cloudasset.assets.listContainerNetworkingIngresses
cloudasset.assets.listContainerNetworkingNetworkPolicies
cloudasset.assets.listContainerNode
cloudasset.assets.listContainerNodepool
cloudasset.assets.listContainerPod
cloudasset.assets.listContainerReplicaSets
cloudasset.assets.listContainerRole
cloudasset.assets.listContainerRolebinding
cloudasset.assets.listContainerServices
cloudasset.assets.listContainerregistryImage
cloudasset.assets.listDataMigrationConnectionProfiles
cloudasset.assets.listDataMigrationMigrationJobs
cloudasset.assets.listDataflowJobs
cloudasset.assets.listDatafusionInstance
cloudasset.assets.listDataplexAssets
cloudasset.assets.listDataplexLakes
cloudasset.assets.listDataplexTasks
cloudasset.assets.listDataplexZones
cloudasset.assets.listDataprocAutoscalingPolicies
cloudasset.assets.listDataprocBatches
cloudasset.assets.listDataprocClusters
cloudasset.assets.listDataprocJobs
cloudasset.assets.listDataprocSessions
cloudasset.assets.listDataprocWorkflowTemplates
cloudasset.assets.listDatastreamConnectionProfile
cloudasset.assets.listDatastreamPrivateConnection
cloudasset.assets.listDatastreamStream
cloudasset.assets.listDialogflowAgents
cloudasset.assets.listDialogflowConversationProfiles
cloudasset.assets.listDialogflowKnowledgeBases
cloudasset.assets.listDialogflowLocationSettings
cloudasset.assets.listDlpDeidentifyTemplates
cloudasset.assets.listDlpDlpJobs
cloudasset.assets.listDlpInspectTemplates
cloudasset.assets.listDlpJobTriggers
cloudasset.assets.listDlpStoredInfoTypes
cloudasset.assets.listDnsManagedZones
cloudasset.assets.listDnsPolicies
cloudasset.assets.listDomainsRegistrations
cloudasset.assets.listEventarcTriggers
cloudasset.assets.listFileBackups
cloudasset.assets.listFileInstances
cloudasset.assets.listFirebaseAppInfos
cloudasset.assets.listFirebaseProjects
cloudasset.assets.listFirestoreDatabases
cloudasset.assets.listGKEHubFeatures
cloudasset.assets.listGKEHubMemberships
cloudasset.assets.listGameservicesGameServerClusters
cloudasset.assets.listGameservicesGameServerConfigs
cloudasset.assets.listGameservicesGameServerDeployments
cloudasset.assets.listGameservicesRealms
cloudasset.assets.listGkeBackupBackupPlans
cloudasset.assets.listGkeBackupBackups
cloudasset.assets.listGkeBackupRestorePlans
cloudasset.assets.listGkeBackupRestores
cloudasset.assets.listGkeBackupVolumeBackups
cloudasset.assets.listGkeBackupVolumeRestores
cloudasset.assets.listHealthcareConsentStores
cloudasset.assets.listHealthcareDatasets
cloudasset.assets.listHealthcareDicomStores
cloudasset.assets.listHealthcareFhirStores
cloudasset.assets.listHealthcareHl7V2Stores
cloudasset.assets.listIamPolicy
cloudasset.assets.listIamRoles
cloudasset.assets.listIamServiceAccountKeys
cloudasset.assets.listIamServiceAccounts
cloudasset.assets.listIapTunnel
cloudasset.assets.listIapTunnelInstances
cloudasset.assets.listIapTunnelZones
cloudasset.assets.listIapWeb
cloudasset.assets.listIapWebServiceVersion
cloudasset.assets.listIapWebServices
cloudasset.assets.listIapWebType
cloudasset.assets.listIdsEndpoints
cloudasset.assets.listIntegrationsAuthConfigs
cloudasset.assets.listIntegrationsCertificates
cloudasset.assets.listIntegrationsExecutions
cloudasset.assets.listIntegrationsIntegrationVersions
cloudasset.assets.listIntegrationsIntegrations
cloudasset.assets.listIntegrationsSfdcChannels
cloudasset.assets.listIntegrationsSfdcInstances
cloudasset.assets.listIntegrationsSuspensions
cloudasset.assets.listLoggingLogMetrics
cloudasset.assets.listLoggingLogSinks
cloudasset.assets.listManagedidentitiesDomain
cloudasset.assets.listMetastoreBackups
cloudasset.assets.listMetastoreMetadataImports
cloudasset.assets.listMetastoreServices
cloudasset.assets.listMonitoringAlertPolicies
cloudasset.assets.listNetworkConnectivityHubs
cloudasset.assets.listNetworkConnectivitySpokes
cloudasset.assets.listNetworkManagementConnectivityTests
cloudasset.assets.listNetworkServicesEndpointPolicies
cloudasset.assets.listNetworkServicesGateways
cloudasset.assets.listNetworkServicesGrpcRoutes
cloudasset.assets.listNetworkServicesHttpRoutes
cloudasset.assets.listNetworkServicesMeshes
cloudasset.assets.listNetworkServicesServiceBindings
cloudasset.assets.listNetworkServicesTcpRoutes
cloudasset.assets.listNetworkServicesTlsRoutes
cloudasset.assets.listOSConfigOSPolicyAssignmentReports
cloudasset.assets.listOSConfigOSPolicyAssignments
cloudasset.assets.listOSConfigVulnerabilityReports
cloudasset.assets.listOSInventories
cloudasset.assets.listOrgPolicy
cloudasset.assets.listPatchDeployments
cloudasset.assets.listPubsubSnapshots
cloudasset.assets.listPubsubSubscriptions
cloudasset.assets.listPubsubTopics
cloudasset.assets.listRedisInstances
cloudasset.assets.listResource
cloudasset.assets.listRunDomainMapping
cloudasset.assets.listRunRevision
cloudasset.assets.listRunService
cloudasset.assets.listSecretManagerSecretVersions
cloudasset.assets.listSecretManagerSecrets
cloudasset.assets.listServiceDirectoryNamespaces
cloudasset.assets.listServicePerimeter
cloudasset.assets.listServiceconsumermanagementConsumerProperty
cloudasset.assets.listServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.listServiceconsumermanagementConsumers
cloudasset.assets.listServiceconsumermanagementProducerOverrides
cloudasset.assets.listServiceconsumermanagementTenancyUnits
cloudasset.assets.listServiceconsumermanagementVisibility
cloudasset.assets.listServicemanagementServices
cloudasset.assets.listServiceusageAdminOverrides
cloudasset.assets.listServiceusageConsumerOverrides
cloudasset.assets.listServiceusageServices
cloudasset.assets.listSpannerBackups
cloudasset.assets.listSpannerDatabases
cloudasset.assets.listSpannerInstances
cloudasset.assets.listSpeakerIdPhrases
cloudasset.assets.listSpeakerIdSettings
cloudasset.assets.listSpeakerIdSpeakers
cloudasset.assets.listSpeechCustomClasses
cloudasset.assets.listSpeechPhraseSets
cloudasset.assets.listSqladminBackupRuns
cloudasset.assets.listSqladminInstances
cloudasset.assets.listStorageBuckets
cloudasset.assets.listTpuNodes
cloudasset.assets.listVpcaccessConnector
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudkms.cryptoKeys.list
cloudsql.instances.get
cloudsql.instances.list
compute.autoscalers.list
compute.backendServices.list
compute.disks.list
compute.firewallPolicies.list
compute.firewalls.list
compute.forwardingRules.list
compute.globalForwardingRules.list
compute.instanceGroupManagers.list
compute.instanceGroups.list
compute.instances.get
compute.instances.list
compute.regionSslPolicies.list
compute.regionTargetHttpProxies.list
compute.regionUrlMaps.list
compute.routers.list
compute.securityPolicies.list
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.list
compute.targetHttpProxies.list
compute.targetSslProxies.list
compute.urlMaps.list
compute.vpnGateways.list
compute.zones.list
container.clusters.get
container.clusters.list
dns.managedZones.list
iam.serviceAccounts.getIamPolicy
logging.buckets.list
monitoring.timeSeries.list
orgpolicy.policy.get
privateca.certificates.list
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.hierarchyNodes.listTagBindings
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.tagHolds.list
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.tagValues.get
resourcemanager.tagValues.list
secretmanager.secrets.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
AutoML Service Agent
(roles/automl.serviceAgent)
AutoML service agent can act as Cloud Storage admin and export BigQuery tables, which can be backed by Cloud Storage and Cloud Bigtable.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
serviceusage.services.use
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Recommendations AI Service Agent
(roles/automlrecommendations.serviceAgent)
Recommendations AI service uploads catalog feeds from Cloud Storage, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Stackdriver metrics for customer projects.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
cloudnotifications.activities.list
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
logging.logEntries.create
logging.logEntries.route
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
opsconfigmonitoring.resourceMetadata.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
stackdriver.resourceMetadata.list
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Backup and DR Service Agent
(roles/backupdr.serviceAgent)
Grants the Backup and DR Service access to protect Compute Engine instances.
Warning: Do not grant service agent roles to any principals except service agents.
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.firewalls.list
compute.globalOperations.get
compute.images.create
compute.images.delete
compute.images.get
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.list
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.useReadOnly
compute.machineTypes.*
compute.networks.list
compute.nodeGroups.get
compute.nodeGroups.list
compute.nodeTemplates.get
compute.projects.get
compute.regionOperations.get
compute.regions.*
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zones.list
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/baremetalsolution.serviceAgent)
Gives permission to manage network resources such as interconnect pairing keys, required for Bare Metal Solution.
Warning: Do not grant service agent roles to any principals except service agents.
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnects.get
compute.interconnects.list
compute.networks.get
compute.networks.list
compute.projects.get
resourcemanager.projects.get
Google Batch Service Agent
(roles/batch.serviceAgent)
Gives Google Batch account access to manage customer resources.
Warning: Do not grant service agent roles to any principals except service agents.
backupdr. backupPlanAssociations. createForComputeInstance
backupdr. backupPlanAssociations. deleteForComputeInstance
backupdr. backupPlanAssociations. list
backupdr. backupPlanAssociations. triggerBackupForComputeInstance
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr. backupPlans. useForComputeInstance
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr. serviceConfig. initialize
compute.acceleratorTypes.*
compute. addresses. createInternal
compute. addresses. deleteInternal
compute.addresses.get
compute.addresses.list
compute. addresses. listEffectiveTags
compute. addresses. listTagBindings
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute. backendBuckets. listEffectiveTags
compute. backendBuckets. listTagBindings
compute.backendServices.get
compute.backendServices.list
compute. backendServices. listEffectiveTags
compute. backendServices. listTagBindings
compute.diskTypes.*
compute. disks. addResourcePolicies
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.deleteTagBinding
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute. disks. listEffectiveTags
compute.disks.listTagBindings
compute. disks. removeResourcePolicies
compute.disks.resize
compute.disks.setLabels
compute. disks. startAsyncReplication
compute. disks. stopAsyncReplication
compute. disks. stopGroupAsyncReplication
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute. externalVpnGateways. get
compute. externalVpnGateways. list
compute. externalVpnGateways. listEffectiveTags
compute. externalVpnGateways. listTagBindings
compute.firewalls.get
compute.firewalls.list
compute. firewalls. listEffectiveTags
compute. firewalls. listTagBindings
compute.forwardingRules.get
compute.forwardingRules.list
compute. forwardingRules. listEffectiveTags
compute. forwardingRules. listTagBindings
compute.globalAddresses.get
compute.globalAddresses.list
compute. globalAddresses. listEffectiveTags
compute. globalAddresses. listTagBindings
compute.globalAddresses.use
compute. globalForwardingRules. get
compute. globalForwardingRules. list
compute. globalForwardingRules. listEffectiveTags
compute. globalForwardingRules. listTagBindings
compute. globalForwardingRules. pscGet
compute. globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute. healthChecks. listEffectiveTags
compute. healthChecks. listTagBindings
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute. httpHealthChecks. listEffectiveTags
compute. httpHealthChecks. listTagBindings
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute. httpsHealthChecks. listEffectiveTags
compute. httpsHealthChecks. listTagBindings
compute.images.create
compute.images.createTagBinding
compute.images.delete
compute.images.deleteTagBinding
compute.images.deprecate
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.images.setLabels
compute.images.update
compute.images.useReadOnly
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceSettings.*
compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.useReadOnly
compute.instances.addAccessConfig
compute.instances.addResourcePolicies
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.instances.pscInterfaceCreate
compute.instances.removeResourcePolicies
compute.instances.reset
compute.instances.resume
compute.instances.sendDiagnosticInterrupt
compute.instances.setDeletionProtection
compute.instances.setDiskAutoDelete
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setName
compute.instances.setScheduling
compute.instances.setSecurityPolicy
compute.instances.setServiceAccount
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.setTags
compute.instances.simulateMaintenanceEvent
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateDisplayDevice
compute.instances.updateNetworkInterface
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.instances.use
compute.instances.useReadOnly
compute.instantSnapshots.create
compute.instantSnapshots.delete
compute.instantSnapshots.export
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.instantSnapshots.setLabels
compute.instantSnapshots.useReadOnly
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenseCodes.update
compute.licenses.create
compute.licenses.delete
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.create
compute.machineImages.delete
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.useReadOnly
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.get
compute.networkAttachments.list
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkEndpointGroups.*
compute.networkProfiles.*
compute.networks.get
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.create
compute.resourcePolicies.delete
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.resourcePolicies.update
compute.resourcePolicies.use
compute.resourcePolicies.useReadOnly
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.routers.listEffectiveTags
compute.routers.listRoutePolicies
compute.routers.listTagBindings
compute.routes.get
compute.routes.list
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings
compute.snapshots.create
compute.snapshots.createTagBinding
compute.snapshots.delete
compute.snapshots.deleteTagBinding
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
iam.serviceAccounts.actAs
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
BigQuery Connection Service Agent
(roles/bigqueryconnection.serviceAgent)
Gives BigQuery Connection Service access to Cloud SQL instances in user projects.
Warning: Do not grant service agent roles to any principals except service agents.
cloudsql.instances.connect
cloudsql.instances.get
logging.logEntries.create
logging.logEntries.route
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
BigQuery Continuous Query Service Agent
(roles/bigquerycontinuousquery.serviceAgent)
Gives BigQuery Continuous Query access to the service accounts in the user project.
Warning: Do not grant service agent roles to any principals except service agents.
iam.serviceAccounts.getAccessToken
BigQuery Data Transfer Service Agent
(roles/bigquerydatatransfer.serviceAgent)
Gives BigQuery Data Transfer Service access to start BigQuery jobs in consumer project.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.config.get
bigquery.jobs.create
compute.networkAttachments.get
compute.networkAttachments.update
compute.regionOperations.get
compute.subnetworks.use
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
iam.serviceAccounts.getAccessToken
logging.logEntries.create
logging.logEntries.route
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Omni Service Agent
(roles/bigqueryomni.serviceAgent)
Gives BigQuery Omni access to tables in user projects.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.jobs.create
bigquery.tables.updateData
BigQuery Spark Service Agent
(roles/bigqueryspark.serviceAgent)
Gives BigQuery Spark access to the service accounts in the user project.
Warning: Do not grant service agent roles to any principals except service agents.
iam.serviceAccounts.getAccessToken
Binary Authorization Service Agent
(roles/binaryauthorization.serviceAgent)
Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures.
Warning: Do not grant service agent roles to any principals except service agents.
artifactregistry.dockerimages.get
artifactregistry.repositories.downloadArtifacts
binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.verifyImageAttested
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.policy.evaluatePolicy
cloudasset.assets.exportResource
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.get
cloudasset.feeds.update
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.notes.listOccurrences
containeranalysis.occurrences.get
containeranalysis.occurrences.list
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.list
Blockchain Node Engine Service Agent
(roles/blockchainnodeengine.serviceAgent)
Grants Blockchain Node Engine access to metrics in user project.
Warning: Do not grant service agent roles to any principals except service agents.
monitoring.timeSeries.list
Certificate Manager Service Agent
(roles/certificatemanager.serviceAgent)
Grants Certificate Manager access to services and APIs in the user project.
Warning: Do not grant service agent roles to any principals except service agents.
certificatemanager.locations.get
Chronicle Service Agent
(roles/chronicle.serviceAgent)
Grants Chronicle scoped access to customer project.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.connections.create
bigquery.connections.delegate
bigquery.connections.delete
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.update
bigquery.connections.updateTag
bigquery.connections.use
bigquery.datasets.create
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.delete
bigquery.tables.get
bigquery.tables.update
bigquery.tables.updateData
chronicle.instances.get
monitoring.alertPolicies.*
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.objects.create
storage.objects.delete
storage.objects.get
Chronicle SOAR Service Agent
(roles/chronicle.soarServiceAgent)
Gives Chronicle SOAR the ability to perform remediation on Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except service agents.
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
compute.firewalls.get
compute.firewalls.update
compute.instances.deleteAccessConfig
compute.instances.get
compute.instances.list
compute.instances.stop
compute.instances.updateNetworkInterface
compute.networks.updatePolicy
compute.zones.list
iam.serviceAccounts.disable
iam.serviceAccounts.list
recommender.iamPolicyRecommendations.*
resourcemanager.organizations.getIamPolicy
securitycenter.findingexternalsystems.update
securitycenter.findings.list
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.update
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.update
securitycenter.sources.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.update
CIEM Service Agent
(roles/ciem.serviceAgent)
Gives CIEM Service Account permission to access GCP resources.
Warning: Do not grant service agent roles to any principals except service agents.
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportResource
resourcemanager.organizations.get
Gemini for Google Cloud Service Agent
(roles/cloudaicompanion.serviceAgent)
Gives Gemini for Google Cloud components the proper permissions to function.
Warning: Do not grant service agent roles to any principals except service agents.
cloudaicompanion.codeRepositoryIndexes.get
cloudaicompanion.codeRepositoryIndexes.list
cloudaicompanion.repositoryGroups.get
cloudaicompanion.repositoryGroups.getIamPolicy
cloudaicompanion.repositoryGroups.list
cloudbuild.connections.get
cloudbuild.repositories.accessReadToken
cloudbuild.repositories.fetchGitRefs
cloudbuild.repositories.get
cloudbuild.repositories.list
developerconnect.connections.get
developerconnect.gitRepositoryLinks.fetchGitRefs
developerconnect.gitRepositoryLinks.fetchReadToken
developerconnect.gitRepositoryLinks.get
developerconnect.gitRepositoryLinks.list
logging.logEntries.create
logging.logEntries.route
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
serviceusage.services.use
Effective Policies Service Agent
(roles/cloudasset.effectivePolicyServiceAgent)
Gives the effective policy service account access to search all resources and IAM policies.
Warning: Do not grant service agent roles to any principals except service agents.
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
Cloud Asset Service Agent
(roles/cloudasset.serviceAgent)
Gives Cloud Asset service agent permissions to Cloud Storage and BigQuery for exporting Assets, and permission to publish to Cloud Pub/Sub topics for Asset Real Time Feed.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.delete
bigquery.tables.get
bigquery.tables.update
bigquery.tables.updateData
pubsub.topics.publish
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.objects.create
storage.objects.delete
storage.objects.get
Cloud Build Logging Service Agent
(roles/cloudbuild.loggingServiceAgent)
Gives the Cloud Build logging-specific service account access to write logs.
Warning: Do not grant service agent roles to any principals except service agents.
logging.buckets.write
Cloud Build Service Agent
(roles/cloudbuild.serviceAgent)
Gives Cloud Build service account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
artifactregistry.aptartifacts.create
artifactregistry.attachments.create
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.files.update
artifactregistry.files.upload
artifactregistry.kfpartifacts.create
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.packages.update
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.createOnPush
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.repositories.uploadArtifacts
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.yumartifacts.create
binaryauthorization.attestors.create
binaryauthorization.attestors.delete
binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.update
binaryauthorization.attestors.verifyImageAttested
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.connections.get
cloudbuild.operations.*
cloudbuild.repositories.accessReadToken
cloudbuild.repositories.accessReadWriteToken
cloudbuild.repositories.get
cloudbuild.repositories.list
cloudbuild.workerpools.use
compute.firewalls.get
compute.firewalls.list
compute.networkAttachments.get
compute.networkAttachments.update
compute.networks.get
compute.regionOperations.get
compute.subnetworks.get
containeranalysis.notes.attachOccurrence
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.notes.update
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
developerconnect.connections.get
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
logging.buckets.create
logging.buckets.get
logging.buckets.list
logging.logEntries.create
logging.logEntries.list
logging.views.access
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.get
pubsub.topics.publish
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.endpoints.get
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.locations.*
servicedirectory.namespaces.get
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.networks.access
servicedirectory.services.get
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicedirectory.services.resolve
serviceusage.services.use
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Infrastructure Manager Service Agent
(roles/cloudconfig.serviceAgent)
Gives Infrastructure Manager service agent access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.workerpools.use
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
logging.logEntries.create
logging.logEntries.route
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Controls Partner Access Approval Service Agent
(roles/cloudcontrolspartner.accessApprovalServiceAgent)
Gives the Partner Console service account access to read Access Approval Requests for workloads associated with a partner.
Warning: Do not grant service agent roles to any principals except service agents.
accessapproval.requests.get
accessapproval.requests.list
Cloud Controls Partner EKM Service Agent
(roles/cloudcontrolspartner.ekmServiceAgent)
Gives Cloud Controls Partner service agent permission to list EKM connections, get EKM connection status, and provide EKM diagnostic information.
Warning: Do not grant service agent roles to any principals except service agents.
cloudkms.ekmConnections.get
cloudkms.ekmConnections.getIamPolicy
cloudkms.ekmConnections.list
cloudkms.ekmConnections.verifyConnectivity
Cloud Controls Partner Monitoring Service Agent
(roles/cloudcontrolspartner.monitoringServiceAgent)
Gives Cloud Controls Partner monitoring service agent permission to view and list Assured Workload violations. The role is assigned to enable partner monitoring capability.
Warning: Do not grant service agent roles to any principals except service agents.
assuredworkloads.violations.get
assuredworkloads.violations.list
Cloud Controls Partner Support Case Service Agent
(roles/cloudcontrolspartner.supportCaseServiceAgent)
Gives the Partner Console service account access to support cases for workloads associated with a partner.
Warning: Do not grant service agent roles to any principals except service agents.
cloudsupport.techCases.get
Cloud Deploy Service Agent
(roles/clouddeploy.serviceAgent)
Gives Cloud Deploy Service Account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.workerpools.use
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
logging.logEntries.create
pubsub.topics.get
pubsub.topics.publish
servicemanagement.services.report
serviceusage.services.use
storage.buckets.create
storage.buckets.get
storage.objects.get
Cloud Deployment Manager Service Agent
(roles/clouddeploymentmanager.serviceAgent)
Allows Deployment Manager service to actuate resources across DM projects and folders.
Warning: Do not grant service agent roles to any principals except service agents.
accesscontextmanager.accessLevels.create
accesscontextmanager.accessLevels.delete
accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.update
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.create
accesscontextmanager.servicePerimeters.delete
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.update
appengine.applications.get
appengine.operations.get
appengine.services.update
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
artifactregistry.repositories.create
artifactregistry.repositories.delete
artifactregistry.repositories.get
artifactregistry.repositories.update
bigquery.connections.get
bigquery.datasets.create
bigquery.datasets.delete
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.update
bigquery.jobs.create
bigquery.routines.create
bigquery.routines.get
bigquery.routines.update
bigquery.tables.create
bigquery.tables.delete
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.setCategory
bigquery.tables.update
bigquery.tables.updateData
bigtable.instances.create
bigtable.instances.delete
bigtable.instances.get
bigtable.instances.update
bigtable.tables.create
bigtable.tables.delete
bigtable.tables.get
bigtable.tables.update
billing.resourceAssociations.create
billing.resourcebudgets.write
cloudbuild.builds.create
cloudbuild.builds.get
cloudfunctions.functions.call
cloudfunctions.functions.create
cloudfunctions.functions.delete
cloudfunctions.functions.get
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.functions.update
cloudfunctions.operations.get
cloudprivatecatalog.targets.get
cloudscheduler.jobs.create
cloudscheduler.jobs.delete
cloudscheduler.jobs.get
cloudscheduler.jobs.update
cloudsql.backupRuns.create
cloudsql.databases.*
cloudsql.instances.create
cloudsql.instances.delete
cloudsql.instances.get
cloudsql.instances.import
cloudsql.instances.restart
cloudsql.instances.update
cloudsql.sslCerts.create
cloudsql.sslCerts.delete
cloudsql.sslCerts.get
cloudsql.users.create
cloudsql.users.delete
cloudtasks.queues.create
cloudtasks.queues.delete
cloudtasks.queues.get
compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.setLabels
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.update
compute.backendBuckets.create
compute.backendBuckets.delete
compute.backendBuckets.get
compute.backendBuckets.update
compute.backendBuckets.use
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.setSecurityPolicy
compute.backendServices.update
compute.backendServices.use
compute.disks.addResourcePolicies
compute.disks.create
compute.disks.delete
compute.disks.get
compute.disks.removeResourcePolicies
compute.disks.resize
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.externalVpnGateways.create
compute.externalVpnGateways.delete
compute.externalVpnGateways.get
compute.externalVpnGateways.setLabels
compute.externalVpnGateways.use
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.forwardingRules.pscCreate
compute.forwardingRules.pscSetLabels
compute.forwardingRules.setLabels
compute.forwardingRules.setTarget
compute.forwardingRules.update
compute.forwardingRules.use
compute.globalAddresses.create
compute.globalAddresses.createInternal
compute.globalAddresses.delete
compute.globalAddresses.deleteInternal
compute.globalAddresses.get
compute.globalAddresses.setLabels
compute.globalAddresses.use
compute.globalForwardingRules.create
compute.globalForwardingRules.delete
compute.globalForwardingRules.get
compute.globalForwardingRules.pscCreate
compute.globalForwardingRules.pscDelete
compute.globalForwardingRules.pscSetLabels
compute.globalForwardingRules.setLabels
compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.use
compute.globalOperations.get
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.update
compute.healthChecks.use
compute.healthChecks.useReadOnly
compute.httpHealthChecks.create
compute.httpHealthChecks.delete
compute.httpHealthChecks.get
compute.httpHealthChecks.update
compute.httpHealthChecks.use
compute.httpHealthChecks.useReadOnly
compute.httpsHealthChecks.create
compute.httpsHealthChecks.delete
compute.httpsHealthChecks.get
compute.httpsHealthChecks.update
compute.httpsHealthChecks.use
compute.httpsHealthChecks.useReadOnly
compute.images.create
compute.images.delete
compute.images.deprecate
compute.images.get
compute.images.setLabels
compute.images.useReadOnly
compute.instanceGroupManagers.create
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.get
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.update
compute.instanceGroups.use
compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.useReadOnly
compute.instances.addAccessConfig
compute.instances.create
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.get
compute.instances.listTagBindings
compute.instances.resume
compute.instances.setDeletionProtection
compute.instances.setDiskAutoDelete
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateDisplayDevice
compute.instances.use
compute.interconnectAttachments.create
compute.interconnectAttachments.delete
compute.interconnectAttachments.get
compute.interconnectAttachments.setLabels
compute.interconnectAttachments.update
compute.interconnects.create
compute.interconnects.delete
compute.interconnects.get
compute.interconnects.setLabels
compute.interconnects.use
compute.machineImages.useReadOnly
compute.machineTypes.get
compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.get
compute.networkEndpointGroups.use
compute.networks.addPeering
compute.networks.create
compute.networks.delete
compute.networks.get
compute. networks. listPeeringRoutes
compute.networks.removePeering
compute. networks. switchToCustomMode
compute.networks.update
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.organizations.disableXpnResource
compute.organizations.enableXpnHost
compute.organizations.enableXpnResource
compute.packetMirrorings.create
compute.packetMirrorings.delete
compute.packetMirrorings.get
compute.projects.get
compute.projects.setUsageExportBucket
compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.get
compute.regionBackendServices.update
compute.regionBackendServices.use
compute.regionHealthChecks.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.get
compute.regionHealthChecks.update
compute.regionHealthChecks.use
compute.regionHealthChecks.useReadOnly
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.use
compute.regionOperations.get
compute.regionSslCertificates.create
compute.regionSslCertificates.delete
compute.regionSslCertificates.get
compute.regionTargetHttpProxies.create
compute.regionTargetHttpProxies.delete
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.use
compute.regionTargetHttpsProxies.create
compute.regionTargetHttpsProxies.delete
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.use
compute.regionUrlMaps.create
compute.regionUrlMaps.delete
compute.regionUrlMaps.get
compute.regionUrlMaps.use
compute.regions.get
compute.reservations.list
compute.resourcePolicies.create
compute.resourcePolicies.delete
compute.resourcePolicies.get
compute.resourcePolicies.use
compute.routers.create
compute.routers.delete
compute.routers.get
compute.routers.update
compute.routers.use
compute.routes.create
compute.routes.delete
compute.routes.get
compute.securityPolicies.create
compute.securityPolicies.delete
compute.securityPolicies.get
compute.securityPolicies.setLabels
compute.securityPolicies.update
compute.securityPolicies.use
compute.serviceAttachments.create
compute.serviceAttachments.get
compute.snapshots.useReadOnly
compute.sslCertificates.create
compute.sslCertificates.delete
compute.sslCertificates.get
compute.sslPolicies.create
compute.sslPolicies.delete
compute.sslPolicies.get
compute.sslPolicies.use
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.expandIpCidrRange
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.mirror
compute.subnetworks.update
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetHttpProxies.create
compute.targetHttpProxies.delete
compute.targetHttpProxies.get
compute.targetHttpProxies.use
compute.targetHttpsProxies.create
compute.targetHttpsProxies.delete
compute.targetHttpsProxies.get
compute.targetHttpsProxies.setSslCertificates
compute.targetHttpsProxies.setSslPolicy
compute.targetHttpsProxies.use
compute.targetInstances.create
compute.targetInstances.delete
compute.targetInstances.get
compute.targetInstances.use
compute.targetPools.addHealthCheck
compute.targetPools.addInstance
compute.targetPools.create
compute.targetPools.delete
compute.targetPools.get
compute.targetPools.removeHealthCheck
compute.targetPools.removeInstance
compute.targetPools.use
compute.targetSslProxies.create
compute.targetSslProxies.delete
compute.targetSslProxies.get
compute.targetSslProxies.setSslCertificates
compute.targetSslProxies.use
compute.targetTcpProxies.create
compute.targetTcpProxies.delete
compute.targetTcpProxies.get
compute.targetTcpProxies.use
compute.targetVpnGateways.create
compute.targetVpnGateways.delete
compute.targetVpnGateways.get
compute.targetVpnGateways.setLabels
compute.targetVpnGateways.use
compute.urlMaps.create
compute.urlMaps.delete
compute.urlMaps.get
compute.urlMaps.update
compute.urlMaps.use
compute.vpnGateways.create
compute.vpnGateways.delete
compute.vpnGateways.get
compute.vpnGateways.setLabels
compute.vpnGateways.use
compute.vpnTunnels.create
compute.vpnTunnels.delete
compute.vpnTunnels.get
compute.vpnTunnels.setLabels
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.get
container.backendConfigs.create
container.backendConfigs.delete
container.backendConfigs.get
container.clusterRoleBindings.create
container.clusterRoleBindings.delete
container.clusterRoleBindings.get
container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.delete
container.clusterRoles.escalate
container.clusterRoles.get
container.clusters.create
container.clusters.delete
container.clusters.get
container.clusters.getCredentials
container.clusters.update
container.configMaps.create
container.configMaps.delete
container.configMaps.get
container.configMaps.update
container.cronJobs.create
container.cronJobs.delete
container.cronJobs.get
container.cronJobs.update
container.daemonSets.create
container.daemonSets.delete
container.daemonSets.get
container.daemonSets.update
container.deployments.create
container.deployments.delete
container.deployments.get
container.deployments.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.horizontalPodAutoscalers.create
container.horizontalPodAutoscalers.delete
container.horizontalPodAutoscalers.get
container.ingresses.create
container.ingresses.delete
container.ingresses.get
container.jobs.create
container.jobs.delete
container.jobs.get
container.managedCertificates.create
container.managedCertificates.delete
container.managedCertificates.get
container.mutatingWebhookConfigurations.delete
container.mutatingWebhookConfigurations.get
container.namespaces.create
container.namespaces.delete
container.namespaces.get
container.networkPolicies.create
container.networkPolicies.delete
container.networkPolicies.get
container.operations.get
container.podDisruptionBudgets.create
container.podDisruptionBudgets.delete
container.podDisruptionBudgets.get
container.podSecurityPolicies.delete
container.podSecurityPolicies.get
container.priorityClasses.create
container.priorityClasses.delete
container.priorityClasses.get
container.replicationControllers.create
container.replicationControllers.delete
container.replicationControllers.get
container.roleBindings.create
container.roleBindings.delete
container.roleBindings.get
container.roles.bind
container.roles.create
container.roles.delete
container.roles.escalate
container.roles.get
container.roles.update
container.secrets.create
container.secrets.delete
container.secrets.get
container.secrets.update
container.serviceAccounts.create
container.serviceAccounts.delete
container.serviceAccounts.get
container.serviceAccounts.update
container.services.create
container.services.delete
container.services.get
container.statefulSets.create
container.statefulSets.delete
container.statefulSets.get
container.statefulSets.update
container.storageClasses.create
container.storageClasses.delete
container.storageClasses.get
container.thirdPartyObjects.create
container.thirdPartyObjects.delete
container.thirdPartyObjects.get
container.thirdPartyObjects.update
container.validatingWebhookConfigurations.delete
container.validatingWebhookConfigurations.get
datacatalog.taxonomies.get
dataproc.autoscalingPolicies.create
dataproc.autoscalingPolicies.delete
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.use
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.nodeGroups.create
dataproc.operations.get
dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
deploymentmanager.compositeTypes.get
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.update
deploymentmanager.operations.get
deploymentmanager.typeProviders.create
deploymentmanager.typeProviders.delete
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.update
dns.changes.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.list
dns.managedZones.update
dns.networks.bindPrivateDNSZone
dns.networks.targetWithPeeringZone
dns.policies.delete
dns.policies.get
dns.resourceRecordSets.create
dns.resourceRecordSets.delete
dns.resourceRecordSets.list
dns.resourceRecordSets.update
file.instances.create
file.instances.delete
file.instances.get
file.instances.update
file.operations.get
firebase.projects.get
firebase.projects.update
firebaseanalytics.resources.googleAnalyticsEdit
iam.roles.create
iam.roles.delete
iam.roles.get
iam.roles.list
iam.roles.update
iam.serviceAccountKeys.delete
iam.serviceAccountKeys.get
iam.serviceAccounts.actAs
iam.serviceAccounts.create
iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.list
iam.serviceAccounts.update
logging.buckets.update
logging.exclusions.create
logging.exclusions.delete
logging.exclusions.get
logging.exclusions.update
logging.logEntries.create
logging.logMetrics.create
logging.logMetrics.delete
logging.logMetrics.get
logging.logMetrics.update
logging.notificationRules.create
logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.update
monitoring.alertPolicies.*
monitoring.dashboards.create
monitoring.dashboards.delete
monitoring.dashboards.get
monitoring.dashboards.update
monitoring.groups.create
monitoring.groups.delete
monitoring.groups.get
monitoring.groups.update
monitoring.metricDescriptors.create
monitoring.metricDescriptors.delete
monitoring.metricDescriptors.get
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.update
monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.update
networksecurity.serverTlsPolicies.use
pubsub.schemas.attach
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.publish
pubsub.topics.update
redis.instances.create
redis.instances.delete
redis.instances.get
redis.instances.update
redis.instances.updateAuth
redis.operations.get
resourcemanager.folders.create
resourcemanager.folders.delete
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.update
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.create
resourcemanager.projects.createBillingAssignment
resourcemanager.projects.delete
resourcemanager.projects.deleteBillingAssignment
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.move
resourcemanager.projects.update
resourcemanager.projects.updateLiens
resourcemanager.tagHolds.create
resourcemanager.tagHolds.delete
resourcemanager.tagValueBindings.*
resourcemanager.tagValues.get
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
servicedirectory.namespaces.associatePrivateZone
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicemanagement.services.bind
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.get
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.use
source.repos.create
spanner.databaseOperations.get
spanner.databases.create
spanner.databases.drop
spanner.databases.get
spanner.databases.updateDdl
spanner.instanceOperations.get
spanner.instances.create
spanner.instances.delete
spanner.instances.get
spanner.instances.update
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.update
storage.hmacKeys.create
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
vpcaccess.connectors.create
vpcaccess.connectors.delete
vpcaccess.operations.get
workflows.operations.get
workflows.workflows.create
workflows.workflows.delete
workflows.workflows.get
Cloud Functions Service Agent
(roles/cloudfunctions.serviceAgent)
Gives Cloud Functions service account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
artifactregistry.aptartifacts.create
artifactregistry.attachments.*
artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.kfpartifacts.create
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.*
artifactregistry.projectsettings.*
artifactregistry.pythonpackages.*
artifactregistry.repositories.create
artifactregistry.repositories.createTagBinding
artifactregistry.repositories.delete
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.repositories.setIamPolicy
artifactregistry.repositories.update
artifactregistry.repositories.uploadArtifacts
artifactregistry.rules.*
artifactregistry.tags.*
artifactregistry.versions.*
artifactregistry.yumartifacts.create
clientauthconfig.clients.list
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
cloudbuild.workerpools.use
cloudfunctions.functions.get
cloudfunctions.functions.invoke
cloudfunctions.functions.list
cloudfunctions.operations.*
compute.globalOperations.get
compute.networks.access
eventarc.channelConnections.create
eventarc.channelConnections.delete
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.publish
eventarc.channels.attach
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.undelete
eventarc.channels.update
eventarc.enrollments.create
eventarc.enrollments.delete
eventarc.enrollments.get
eventarc.enrollments.getIamPolicy
eventarc.enrollments.list
eventarc.enrollments.update
eventarc.googleApiSources.create
eventarc.googleApiSources.delete
eventarc.googleApiSources.get
eventarc.googleApiSources.getIamPolicy
eventarc.googleApiSources.list
eventarc.googleApiSources.update
eventarc.googleChannelConfigs.*
eventarc.locations.*
eventarc.operations.*
eventarc.pipelines.create
eventarc.pipelines.delete
eventarc.pipelines.get
eventarc.pipelines.getIamPolicy
eventarc.pipelines.list
eventarc.pipelines.update
eventarc.providers.*
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.undelete
eventarc.triggers.update
firebasedatabase.instances.get
firebasedatabase.instances.update
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.signBlob
pubsub.subscriptions.*
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.get
pubsub.topics.list
recommender.locations.*
recommender.runServiceCostInsights.*
recommender.runServiceCostRecommendations.*
recommender.runServiceIdentityInsights.*
recommender.runServiceIdentityRecommendations.*
recommender.runServicePerformanceInsights.*
recommender.runServicePerformanceRecommendations.*
recommender.runServiceSecurityInsights.*
recommender.runServiceSecurityRecommendations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.configurations.*
run.executions.*
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.jobs.run
run.jobs.runWithOverrides
run.jobs.update
run.locations.list
run.operations.*
run.revisions.*
run.routes.*
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.update
run.tasks.*
serviceusage.quotas.get
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.use
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
vpcaccess.connectors.get
vpcaccess.connectors.use
Cloud IoT Core Service Agent
(roles/cloudiot.serviceAgent)
Grants the ability to manage Cloud IoT Core resources, including publishing data to Cloud Pub/Sub and writing device activity logs to Stackdriver. Warning: If this role is removed from the Cloud IoT service account, Cloud IoT Core will be unable to publish data or write device activity logs.
Warning: Do not grant service agent roles to any principals except service agents.
logging.logEntries.create
logging.logEntries.route
pubsub.topics.publish
Cloud KMS Organization Service Agent
(roles/cloudkms.orgServiceAgent)
Gives Cloud KMS organization-level service account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
cloudasset.assets.searchAllResources
Cloud KMS Service Agent
(roles/cloudkms.serviceAgent)
Gives Cloud KMS service account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
cloudasset.assets.listCloudkmsCryptoKeys
Cloud KMS KACLS Service Agent
(roles/cloudkmskacls.serviceAgent)
Grants Cloud KMS KACLS Service Agent access to KMS resource permissions to perform DEK encryption/decryption.
Warning: Do not grant service agent roles to any principals except service agents.
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.cryptoKeys.get
Cloud Optimization Service Agent
(roles/cloudoptimization.serviceAgent)
Grants Cloud Optimization Service Account access to read and write data in the user project.
Warning: Do not grant service agent roles to any principals except service agents.
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Scheduler Service Agent
(roles/cloudscheduler.serviceAgent)
Grants Cloud Scheduler Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except service agents.
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
logging.logEntries.create
logging.logEntries.route
pubsub.topics.publish
Cloud SQL Service Agent
(roles/cloudsql.serviceAgent)
Grants Cloud SQL access to services and APIs in the user project.
Warning: Do not grant service agent roles to any principals except service agents.
cloudsql.instances.get
Cloud Tasks Service Agent
(roles/cloudtasks.serviceAgent)
Grants Cloud Tasks Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except service agents.
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
logging.logEntries.create
Cloud TPU V2 API Service Agent
(roles/cloudtpu.serviceAgent)
Give Cloud TPUs service account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.useForComputeInstance
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.serviceConfig.initialize
compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.*
compute.backendBuckets.*
compute.backendServices.*
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.*
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewallPolicies.use
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.firewalls.update
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceSettings.*
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.*
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.*
compute.networkEndpointGroups.*
compute.networkProfiles.*
compute.networks.*
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.regionBackendServices.*
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionFirewallPolicies.use
compute.regionHealthCheckServices.*
compute.regionHealthChecks.*
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.*
compute.regionOperations.get
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSecurityPolicies.use
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.*
compute.regionTargetHttpProxies.*
compute.regionTargetHttpsProxies.*
compute.regionTargetTcpProxies.*
compute.regionUrlMaps.*
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.securityPolicies.use
compute.serviceAttachments.*
compute.snapshots.*
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.*
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
logging.logEntries.create
logging.logEntries.route
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
networkconnectivity.internalRanges.*
networkconnectivity.locations.*
networkconnectivity.operations.*
networkconnectivity.policyBasedRoutes.*
networkconnectivity.regionalEndpoints.*
networkconnectivity.serviceClasses.*
networkconnectivity.serviceConnectionMaps.*
networkconnectivity.serviceConnectionPolicies.*
networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.list
networksecurity.addressGroups.*
networksecurity.authorizationPolicies.*
networksecurity.authzPolicies.*
networksecurity.clientTlsPolicies.*
networksecurity.firewallEndpointAssociations.*
networksecurity.firewallEndpoints.*
networksecurity.gatewaySecurityPolicies.*
networksecurity.gatewaySecurityPolicyRules.*
networksecurity.locations.*
networksecurity.operations.*
networksecurity.securityProfileGroups.*
networksecurity.securityProfiles.*
networksecurity.serverTlsPolicies.*
networksecurity.tlsInspectionPolicies.*
networksecurity.urlLists.*
networkservices.*
pubsub.*
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.createPeeredDnsDomain
servicenetworking.services.deleteConnection
servicenetworking.services.deletePeeredDnsDomain
servicenetworking.services.disableVpcServiceControls
servicenetworking.services.enableVpcServiceControls
servicenetworking.services.get
servicenetworking.services.listPeeredDnsDomains
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
trafficdirector.*
Cloud Translation API Service Agent
(roles/cloudtranslate.serviceAgent)
Gives Cloud Translation Service Account access to consumer resources.
Warning: Do not grant service agent roles to any principals except service agents.
automl.datasets.export
automl.datasets.get
automl.datasets.list
automl.models.get
automl.models.list
automl.operations.get
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list
Compliance Scanning Service Agent
(roles/compliancescanning.serviceAgent)
Gives Compliance Scanning the access it needs to analyze containers and VMs for compliance and create occurrences using the Container Analysis API.
Warning: Do not grant service agent roles to any principals except service agents.
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
compute.images.get
compute.images.list
compute.images.useReadOnly
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.list
compute.zones.*
containeranalysis.notes.attachOccurrence
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.notes.update
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
Cloud Composer API Service Agent
(roles/composer.serviceAgent)
Cloud Composer API service agent can manage environments.
Warning: Do not grant service agent roles to any principals except service agents.
appengine.applications.get
appengine.applications.listRuntimes
appengine.applications.update
appengine.instances.*
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
appengine.operations.*
appengine.runtimes.actAsAdmin
appengine.services.*
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.projectsettings.get
artifactregistry.repositories.create
artifactregistry.repositories.delete
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.update
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.useForComputeInstance
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.serviceConfig.initialize
cloudaicompanion.companions.*
cloudaicompanion.entitlements.get
cloudaicompanion.instances.completeCode
cloudaicompanion.instances.generateCode
cloudnotifications.activities.list
cloudsql.*
composer.dags.get
composer.environments.get
compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.*
compute.backendBuckets.*
compute.backendServices.*
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.*
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewallPolicies.use
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceSettings.*
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.*
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.*
compute.networkEndpointGroups.*
compute.networkProfiles.*
compute.networks.*
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.regionBackendServices.*
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionFirewallPolicies.use
compute.regionHealthCheckServices.*
compute.regionHealthChecks.*
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.*
compute.regionOperations.get
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSecurityPolicies.use
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.*
compute.regionTargetHttpProxies.*
compute.regionTargetHttpsProxies.*
compute.regionTargetTcpProxies.*
compute.regionUrlMaps.*
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.securityPolicies.use
compute.serviceAttachments.*
compute.snapshots.*
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.*
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
container.*
deploymentmanager.compositeTypes.*
deploymentmanager.deployments.cancelPreview
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.stop
deploymentmanager.deployments.update
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.*
deploymentmanager.types.*
dns.managedZones.get
dns.managedZones.list
dns.networks.targetWithPeeringZone
firebase.projects.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.list
logging.buckets.create
logging.buckets.createTagBinding
logging.buckets.delete
logging.buckets.deleteTagBinding
logging.buckets.get
logging.buckets.list
logging.buckets.listEffectiveTags
logging.buckets.listTagBindings
logging.buckets.undelete
logging.buckets.update
logging.exclusions.*
logging.links.*
logging.locations.*
logging.logEntries.create
logging.logEntries.route
logging.logMetrics.*
logging.logScopes.*
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.notificationRules.*
logging.operations.*
logging.settings.*
logging.sinks.*
logging.sqlAlerts.*
logging.views.create
logging.views.delete
logging.views.get
logging.views.getIamPolicy
logging.views.list
logging.views.update
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
networkconnectivity.internalRanges.*
networkconnectivity.locations.*
networkconnectivity.operations.*
networkconnectivity.policyBasedRoutes.*
networkconnectivity.regionalEndpoints.*
networkconnectivity.serviceClasses.*
networkconnectivity.serviceConnectionMaps.*
networkconnectivity.serviceConnectionPolicies.*
networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.list
networksecurity.addressGroups.*
networksecurity.authorizationPolicies.*
networksecurity.authzPolicies.*
networksecurity.clientTlsPolicies.*
networksecurity.firewallEndpointAssociations.*
networksecurity.firewallEndpoints.*
networksecurity.gatewaySecurityPolicies.*
networksecurity.gatewaySecurityPolicyRules.*
networksecurity.locations.*
networksecurity.operations.*
networksecurity.securityProfileGroups.*
networksecurity.securityProfiles.*
networksecurity.serverTlsPolicies.*
networksecurity.tlsInspectionPolicies.*
networksecurity.urlLists.*
networkservices.*
observability.scopes.get
opsconfigmonitoring.resourceMetadata.list
orgpolicy.policy.get
pubsub.*
recommender.cloudsqlIdleInstanceRecommendations.*
recommender.cloudsqlInstanceActivityInsights.*
recommender.cloudsqlInstanceCpuUsageInsights.*
recommender.cloudsqlInstanceDiskUsageTrendInsights.*
recommender.cloudsqlInstanceMemoryUsageInsights.*
recommender.cloudsqlInstanceOomProbabilityInsights.*
recommender.cloudsqlInstanceOutOfDiskRecommendations.*
recommender.cloudsqlInstancePerformanceInsights.*
recommender.cloudsqlInstancePerformanceRecommendations.*
recommender.cloudsqlInstanceReliabilityInsights.*
recommender.cloudsqlInstanceReliabilityRecommendations.*
recommender.cloudsqlInstanceSecurityInsights.*
recommender.cloudsqlInstanceSecurityRecommendations.*
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.*
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.*
recommender.cloudsqlOverprovisionedInstanceRecommendations.*
recommender.cloudsqlUnderProvisionedInstanceRecommendations.*
recommender.containerDiagnosisInsights.*
recommender.containerDiagnosisRecommendations.*
recommender.iamPolicyInsights.*
recommender.iamPolicyRecommendations.*
recommender.locations.*
recommender.networkAnalyzerGkeConnectivityInsights.*
recommender.networkAnalyzerGkeIpAddressInsights.*
recommender.storageBucketSoftDeleteInsights.*
recommender.storageBucketSoftDeleteRecommendations.*
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.createPeeredDnsDomain
servicenetworking.services.deleteConnection
servicenetworking.services.deletePeeredDnsDomain
servicenetworking.services.disableVpcServiceControls
servicenetworking.services.enableVpcServiceControls
servicenetworking.services.get
servicenetworking.services.listPeeredDnsDomains
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
stackdriver.projects.get
stackdriver.resourceMetadata.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
trafficdirector.*
Instance Group Manager Service Agent
(roles/compute.instanceGroupManagerServiceAgent)
Role containing all permissions required by Managed Instance Groups to create and manage instances.
Warning: Do not grant service agent roles to any principals except service agents.
compute.addresses.*
compute.disks.addResourcePolicies
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.deleteTagBinding
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.disks.removeResourcePolicies
compute.disks.resize
compute.disks.setLabels
compute.disks.startAsyncReplication
compute.disks.stopAsyncReplication
compute.disks.stopGroupAsyncReplication
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.globalAddresses.get
compute.globalOperations.get
compute.healthChecks.get
compute.httpHealthChecks.get
compute.httpsHealthChecks.get
compute.images.useReadOnly
compute.instanceGroups.update
compute.instanceTemplates.useReadOnly
compute.instances.addAccessConfig
compute.instances.addResourcePolicies
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.instances.pscInterfaceCreate
compute.instances.removeResourcePolicies
compute.instances.reset
compute.instances.resume
compute.instances.sendDiagnosticInterrupt
compute.instances.setDeletionProtection
compute.instances.setDiskAutoDelete
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setName
compute.instances.setScheduling
compute.instances.setSecurityPolicy
compute.instances.setServiceAccount
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.setTags
compute.instances.simulateMaintenanceEvent
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateDisplayDevice
compute.instances.updateNetworkInterface
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.instances.use
compute.instances.useReadOnly
compute.networks.use
compute.networks.useExternalIp
compute.regionOperations.get
compute.resourcePolicies.use
compute.snapshots.useReadOnly
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetPools.addInstance
compute.targetPools.removeInstance
compute.zoneOperations.get
iam.serviceAccounts.actAs
Compute Engine Service Agent
(roles/compute.serviceAgent)
Gives Compute Engine Service Account access to assert service account authority. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except service agents.
cloudnotifications.activities.list
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.createTagBinding
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.images.useReadOnly
compute.instanceGroupManagers.get
compute.instanceTemplates.useReadOnly
compute.instances.create
compute.instances.createTagBinding
compute.instances.setDeletionProtection
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.updateDisplayDevice
compute.machineImages.useReadOnly
compute.networks.use
compute.networks.useExternalIp
compute.resourcePolicies.use
compute.snapshots.useReadOnly
compute.subnetworks.use
compute.subnetworks.useExternalIp
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.signJwt
logging.logEntries.create
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
opsconfigmonitoring.resourceMetadata.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
stackdriver.resourceMetadata.list
storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update
Config Delivery Service Agent
(roles/configdelivery.serviceAgent)
Gives the Config Delivery service account permission to manage resources
Warning: Do not grant service agent roles to any principals except service agents.
artifactregistry.dockerimages.*
artifactregistry.projectsettings.get
artifactregistry.repositories.create
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.setIamPolicy
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.*
artifactregistry.versions.delete
artifactregistry.versions.get
artifactregistry.versions.list
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.repositories.get
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.serviceAccounts.get
container.serviceAccounts.list
container.thirdPartyObjects.*
gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.memberships.get
iam.serviceAccounts.actAs
Connectors Platform Service Agent
(roles/connectors.serviceAgent)
Grants the Connectors Platform service account permission to manage customer resources
Warning: Do not grant service agent roles to any principals except service agents.
connectors.actions.list
connectors.connections.get
connectors.connections.getConnectionSchemaMetadata
connectors.connections.list
connectors.connectors.*
connectors.customConnectorVersions.get
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.list
connectors.endpointAttachments.get
connectors.endpointAttachments.list
connectors.entities.get
connectors.entityTypes.list
connectors.eventSubscriptions.get
connectors.eventSubscriptions.list
connectors.eventtypes.*
connectors.locations.*
connectors.managedZones.get
connectors.managedZones.list
connectors.providers.*
connectors.runtimeconfig.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.implicitDelegation
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
(roles/contactcenterinsights.serviceAgent)
Allows Contact Center AI to read and write APIs including BigQuery, Dialogflow, and Storage.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.get
bigquery.tables.update
bigquery.tables.updateData
datalabeling.dataitems.*
datalabeling.datasets.create
datalabeling.datasets.delete
datalabeling.datasets.export
datalabeling.datasets.get
datalabeling.datasets.import
datalabeling.operations.get
datalabeling.operations.list
dialogflow.conversationDatasets.*
dialogflow.conversationModels.*
dialogflow.conversationProfiles.get
dialogflow.documents.*
dialogflow.operations.get
dialogflow.participants.suggest
dialogflow.sessions.detectIntent
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.kms.encrypt
dlp.locations.*
pubsub.topics.get
pubsub.topics.publish
serviceusage.services.use
speech.customClasses.get
speech.operations.get
speech.phraseSets.get
speech.recognizers.create
speech.recognizers.get
speech.recognizers.recognize
speech.recognizers.update
storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update
Kubernetes Engine Node Service Agent
(roles/container.nodeServiceAgent)
Minimal set of permissions required by a GKE node to support standard capabilities such as logging and monitoring export, and image pulls.
Warning: Do not grant service agent roles to any principals except service agents.
autoscaling.sites.writeMetrics
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.list
monitoring.timeSeries.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
storage.objects.get
storage.objects.list
Kubernetes Engine Service Agent
(roles/container.serviceAgent)
Gives Kubernetes Engine account access to manage cluster resources. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except service agents.
autoscaling.sites.readRecommendations
autoscaling.sites.writeMetrics
autoscaling.sites.writeState
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.useForComputeInstance
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.serviceConfig.initialize
bigquery.datasets.create
bigquery.datasets.get
bigquery.tables.create
bigquery.tables.get
bigquery.tables.update
bigquery.tables.updateData
binaryauthorization.policy.evaluatePolicy
certificatemanager.certmapentries.*
certificatemanager.certmaps.*
certificatemanager.certs.*
certificatemanager.dnsauthorizations.*
compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.*
compute.backendBuckets.*
compute.backendServices.*
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.*
compute.firewallPolicies.*
compute.firewalls.*
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceSettings.*
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.*
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.*
compute.networkEndpointGroups.*
compute.networkProfiles.*
compute.networks.*
compute.nodeGroups.get
compute.packetMirrorings.*
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.regionBackendServices.*
compute.regionFirewallPolicies.*
compute.regionHealthCheckServices.*
compute.regionHealthChecks.*
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.*
compute.regionOperations.get
compute.regionOperations.list
compute.regionSecurityPolicies.*
compute.regionSslCertificates.*
compute.regionSslPolicies.*
compute.regionTargetHttpProxies.*
compute.regionTargetHttpsProxies.*
compute.regionTargetTcpProxies.*
compute.regionUrlMaps.*
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.*
compute.routes.*
compute.securityPolicies.*
compute.serviceAttachments.*
compute.snapshots.*
compute.spotAssistants.get
compute.sslCertificates.*
compute.sslPolicies.*
compute.storagePools.*
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
container.*
dns.changes.*
dns.dnsKeys.*
dns.gkeClusters.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.update
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.getIamPolicy
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
file.*
iam.serviceAccounts.actAs
iam.serviceAccounts.get
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.*
networkconnectivity.internalRanges.*
networkconnectivity.locations.*
networkconnectivity.operations.*
networkconnectivity.policyBasedRoutes.*
networkconnectivity.regionalEndpoints.*
networkconnectivity.serviceClasses.*
networkconnectivity.serviceConnectionMaps.*
networkconnectivity.serviceConnectionPolicies.*
networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.list
networksecurity.addressGroups.*
networksecurity.authorizationPolicies.*
networksecurity.authzPolicies.*
networksecurity.clientTlsPolicies.*
networksecurity.firewallEndpointAssociations.*
networksecurity.firewallEndpoints.*
networksecurity.gatewaySecurityPolicies.*
networksecurity.gatewaySecurityPolicyRules.*
networksecurity.locations.*
networksecurity.operations.*
networksecurity.securityProfileGroups.*
networksecurity.securityProfiles.*
networksecurity.serverTlsPolicies.*
networksecurity.tlsInspectionPolicies.*
networksecurity.urlLists.*
networkservices.*
parallelstore.instances.create
parallelstore.instances.delete
parallelstore.instances.get
parallelstore.instances.importData
parallelstore.instances.list
parallelstore.instances.update
parallelstore.locations.*
parallelstore.operations.*
pubsub.topics.create
pubsub.topics.get
pubsub.topics.publish
recommender.containerDiagnosisInsights.*
recommender.containerDiagnosisRecommendations.*
recommender.locations.*
recommender.networkAnalyzerGkeConnectivityInsights.*
recommender.networkAnalyzerGkeIpAddressInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.createPeeredDnsDomain
servicenetworking.services.deleteConnection
servicenetworking.services.deletePeeredDnsDomain
servicenetworking.services.disableVpcServiceControls
servicenetworking.services.enableVpcServiceControls
servicenetworking.services.get
servicenetworking.services.listPeeredDnsDomains
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
tpu.locations.*
tpu.nodes.create
tpu.nodes.delete
tpu.nodes.get
tpu.nodes.list
tpu.operations.*
trafficdirector.*
Container Analysis Service Agent
(roles/containeranalysis.ServiceAgent)
Gives Container Analysis API the access it needs to function
Warning: Do not grant service agent roles to any principals except service agents.
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
containeranalysis.notes.list
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.objects.get
storage.objects.list
Container Registry Service Agent
(roles/containerregistry.ServiceAgent)
Access for Container Registry
Warning: Do not grant service agent roles to any principals except service agents.
pubsub.topics.publish
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
Container Scanner Service Agent
(roles/containerscanning.ServiceAgent)
Gives Container Scanner the access it needs to analyze containers for vulnerabilities and create occurrences using the Container Analysis API
Warning: Do not grant service agent roles to any principals except service agents.
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
containeranalysis.notes.list
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
Container Threat Detection Service Agent
(roles/containerthreatdetection.serviceAgent)
Gives Container Threat Detection service account access to enable/disable Container Threat Detection and manage the Container Threat Detection Agent on Google Kubernetes Engine clusters.
Warning: Do not grant service agent roles to any principals except service agents.
container.apiServices.get
container.apiServices.getStatus
container.apiServices.list
container.auditSinks.get
container.auditSinks.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.certificateSigningRequests.get
container.certificateSigningRequests.getStatus
container.certificateSigningRequests.list
container.clusterRoleBindings.*
container.clusterRoles.*
container.clusters.connect
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.get
container.configMaps.list
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.csiDrivers.get
container.csiDrivers.list
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodes.get
container.csiNodes.list
container.customResourceDefinitions.create
container.customResourceDefinitions.delete
container.customResourceDefinitions.get
container.customResourceDefinitions.getStatus
container.customResourceDefinitions.list
container.customResourceDefinitions.update
container.daemonSets.*
container.deployments.get
container.deployments.getScale
container.deployments.getStatus
container.deployments.list
container.endpointSlices.get
container.endpointSlices.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.frontendConfigs.get
container.frontendConfigs.list
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.initializerConfigurations.get
container.initializerConfigurations.list
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.leases.get
container.leases.list
container.limitRanges.get
container.limitRanges.list
container.managedCertificates.get
container.managedCertificates.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.networkPolicies.update
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.*
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.petSets.get
container.petSets.list
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podPresets.get
container.podPresets.list
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.get
container.podTemplates.list
container.pods.attach
container.pods.create
container.pods.delete
container.pods.exec
container.pods.get
container.pods.getLogs
container.pods.getStatus
container.pods.list
container.pods.portForward
container.pods.update
container.priorityClasses.get
container.priorityClasses.list
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.roleBindings.*
container.roles.*
container.runtimeClasses.get
container.runtimeClasses.list
container.scheduledJobs.get
container.scheduledJobs.list
container.secrets.create
container.secrets.delete
container.secrets.list
container.secrets.update
container.serviceAccounts.create
container.serviceAccounts.delete
container.serviceAccounts.get
container.serviceAccounts.list
container.serviceAccounts.update
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.statefulSets.getScale
container.statefulSets.getStatus
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyResources.get
container.thirdPartyResources.list
container.tokenReviews.create
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeAttachments.get
container.volumeAttachments.getStatus
container.volumeAttachments.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.locations.*
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Service Agent
(roles/contentwarehouse.serviceAgent)
Allows the Content Warehouse service account to manage customer resources.
Warning: Do not grant service agent roles to any principals except service agents.
cloudfunctions.functions.invoke
documentai.datasets.createDocuments
documentai.processors.get
documentai.processors.processBatch
pubsub.topics.publish
pubsublite.topics.publish
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Data Connectors Service Agent
(roles/dataconnectors.serviceAgent)
Gives Data Connectors service agent permission to access the virtual private cloud
Warning: Do not grant service agent roles to any principals except service agents.
compute.globalOperations.get
compute.networks.access
vpcaccess.connectors.get
vpcaccess.connectors.use
Cloud Dataflow Service Agent
(roles/dataflow.serviceAgent)
Gives Cloud Dataflow service account access to managed resources. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except service agents.
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.useForComputeInstance
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.serviceConfig.initialize
bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.config.*
bigquery.connections.*
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.jobs.*
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.*
bigquery.reservations.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.overrideTimeTravelRestrictions
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.savedqueries.*
bigquery.tables.*
bigquery.transfers.*
bigquerymigration.translation.translate
clouddebugger.breakpoints.list
clouddebugger.breakpoints.listActive
clouddebugger.breakpoints.update
clouddebugger.debuggees.create
cloudnotifications.activities.list
compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.*
compute.backendBuckets.*
compute.backendServices.*
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.*
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewallPolicies.use
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceSettings.get
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.*
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.*
compute.networkEndpointGroups.*
compute.networkProfiles.*
compute.networks.*
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.projects.get
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.regionBackendServices.*
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionFirewallPolicies.use
compute.regionHealthCheckServices.*
compute.regionHealthChecks.*
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.*
compute.regionOperations.get
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSecurityPolicies.use
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.*
compute.regionTargetHttpProxies.*
compute.regionTargetHttpsProxies.*
compute.regionTargetTcpProxies.*
compute.regionUrlMaps.*
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.securityPolicies.use
compute.serviceAttachments.*
compute.snapshots.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.*
compute.storagePools.*
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
dataform.*
dataplex.projects.search
dns.networks.targetWithPeeringZone
firebase.projects.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
logging.buckets.create
logging.buckets.createTagBinding
logging.buckets.delete
logging.buckets.deleteTagBinding
logging.buckets.get
logging.buckets.list
logging.buckets.listEffectiveTags
logging.buckets.listTagBindings
logging.buckets.undelete
logging.buckets.update
logging.exclusions.*
logging.links.*
logging.locations.*
logging.logEntries.create
logging.logEntries.route
logging.logMetrics.*
logging.logScopes.*
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.notificationRules.*
logging.operations.*
logging.settings.*
logging.sinks.*
logging.sqlAlerts.*
logging.views.create
logging.views.delete
logging.views.get
logging.views.getIamPolicy
logging.views.list
logging.views.update
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
networkconnectivity.internalRanges.*
networkconnectivity.locations.*
networkconnectivity.operations.*
networkconnectivity.policyBasedRoutes.*
networkconnectivity.regionalEndpoints.*
networkconnectivity.serviceClasses.*
networkconnectivity.serviceConnectionMaps.*
networkconnectivity.serviceConnectionPolicies.*
networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.list
networksecurity.addressGroups.*
networksecurity.authorizationPolicies.*
networksecurity.authzPolicies.*
networksecurity.clientTlsPolicies.*
networksecurity.firewallEndpointAssociations.*
networksecurity.firewallEndpoints.*
networksecurity.gatewaySecurityPolicies.*
networksecurity.gatewaySecurityPolicyRules.*
networksecurity.locations.*
networksecurity.operations.*
networksecurity.securityProfileGroups.*
networksecurity.securityProfiles.*
networksecurity.serverTlsPolicies.*
networksecurity.tlsInspectionPolicies.*
networksecurity.urlLists.*
networkservices.*
observability.scopes.get
opsconfigmonitoring.resourceMetadata.list
orgpolicy.policy.get
pubsub.*
recommender.dataflowDiagnosticsInsights.*
recommender.iamPolicyInsights.*
recommender.iamPolicyRecommendations.*
recommender.storageBucketSoftDeleteInsights.*
recommender.storageBucketSoftDeleteRecommendations.*
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.createPeeredDnsDomain
servicenetworking.services.deleteConnection
servicenetworking.services.deletePeeredDnsDomain
servicenetworking.services.disableVpcServiceControls
servicenetworking.services.enableVpcServiceControls
servicenetworking.services.get
servicenetworking.services.listPeeredDnsDomains
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
stackdriver.projects.get
stackdriver.resourceMetadata.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
trafficdirector.*
(roles/dataform.serviceAgent)
Gives permission for the Dataform API to access a secret from Secret Manager
Warning: Do not grant service agent roles to any principals except service agents.
dataform.compilationResults.create
dataform.workflowInvocations.create
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion API Service Agent
(roles/datafusion.serviceAgent)
Gives Cloud Data Fusion service account access to Service Networking, Cloud Dataproc, Cloud Storage, BigQuery, Cloud Spanner, and Cloud Bigtable resources.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.config.get
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.jobs.create
bigquery.models.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.tables.*
bigtable.*
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.get
compute.backendServices.list
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalForwardingRules.pscGet
compute.globalOperations.get
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.instanceSettings.get
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.machineTypes.*
compute.networkAttachments.get
compute.networkAttachments.list
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkAttachments.update
compute.networkProfiles.*
compute.networks.addPeering
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listPeeringRoutes
compute.networks.listTagBindings
compute.networks.removePeering
compute.networks.update
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.regions.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.routers.listEffectiveTags
compute.routers.listRoutePolicies
compute.routers.listTagBindings
compute.routes.get
compute.routes.list
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings
compute.zones.*
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
dataproc.autoscalingPolicies.create
dataproc.autoscalingPolicies.delete
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.update
dataproc.autoscalingPolicies.use
dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.start
dataproc.clusters.stop
dataproc.clusters.update
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
dataproc.nodeGroups.*
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.*
dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.terminate
dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
dataproc.workflowTemplates.instantiate
dataproc.workflowTemplates.instantiateInline
dataproc.workflowTemplates.list
dataproc.workflowTemplates.update
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.update
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.list
dns.networks.bindPrivateDNSZone
dns.networks.targetWithPeeringZone
firebase.projects.get
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.*
networkconnectivity.internalRanges.get
networkconnectivity.internalRanges.list
networkconnectivity.locations.*
networkconnectivity.operations.get
networkconnectivity.operations.list
networkconnectivity.policyBasedRoutes.get
networkconnectivity.policyBasedRoutes.list
networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.list
networksecurity.addressGroups.get
networksecurity.addressGroups.list
networksecurity.authorizationPolicies.get
networksecurity.authorizationPolicies.list
networksecurity.authzPolicies.get
networksecurity.authzPolicies.list
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.firewallEndpointAssociations.get
networksecurity.firewallEndpointAssociations.list
networksecurity.firewallEndpoints.get
networksecurity.firewallEndpoints.list
networksecurity.gatewaySecurityPolicies.get
networksecurity.gatewaySecurityPolicies.list
networksecurity.gatewaySecurityPolicyRules.get
networksecurity.gatewaySecurityPolicyRules.list
networksecurity.locations.*
networksecurity.operations.get
networksecurity.operations.list
networksecurity.securityProfileGroups.get
networksecurity.securityProfileGroups.list
networksecurity.securityProfiles.get
networksecurity.securityProfiles.list
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.tlsInspectionPolicies.get
networksecurity.tlsInspectionPolicies.list
networksecurity.urlLists.get
networksecurity.urlLists.list
networkservices.authzExtensions.get
networkservices.authzExtensions.list
networkservices.endpointPolicies.get
networkservices.endpointPolicies.list
networkservices.gateways.get
networkservices.gateways.list
networkservices.grpcRoutes.get
networkservices.grpcRoutes.list
networkservices.httpFilters.get
networkservices.httpFilters.list
networkservices.httpRoutes.get
networkservices.httpRoutes.list
networkservices.httpfilters.get
networkservices.httpfilters.list
networkservices.lbRouteExtensions.get
networkservices.lbRouteExtensions.list
networkservices.lbTrafficExtensions.get
networkservices.lbTrafficExtensions.list
networkservices.locations.*
networkservices.meshes.get
networkservices.meshes.list
networkservices.operations.get
networkservices.operations.list
networkservices.route_views.*
networkservices.serviceBindings.get
networkservices.serviceBindings.list
networkservices.serviceLbPolicies.get
networkservices.serviceLbPolicies.list
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.wasmPlugins.get
networkservices.wasmPlugins.list
orgpolicy.policy.get
recommender.iamPolicyInsights.*
recommender.iamPolicyRecommendations.*
recommender.storageBucketSoftDeleteInsights.*
recommender.storageBucketSoftDeleteRecommendations.*
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
spanner.databaseOperations.*
spanner.databases.beginOrRollbackReadWriteTransaction
spanner.databases.beginPartitionedDmlTransaction
spanner.databases.beginReadOnlyTransaction
spanner.databases.changequorum
spanner.databases.getDdl
spanner.databases.list
spanner.databases.partitionQuery
spanner.databases.partitionRead
spanner.databases.read
spanner.databases.select
spanner.databases.updateDdl
spanner.databases.updateTag
spanner.databases.write
spanner.instanceConfigs.get
spanner.instanceConfigs.list
spanner.instancePartitions.get
spanner.instancePartitions.list
spanner.instances.get
spanner.instances.list
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
spanner.sessions.*
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
trafficdirector.*
Data Labeling Service Agent
(roles/datalabeling.serviceAgent)
Gives Data Labeling service account read/write access to Cloud Storage, read/write BigQuery, update CMLE model versions, editor access to Annotation service and AutoML service.
Warning: Do not grant service agent roles to any principals except service agents.
automl.annotationSpecs.*
automl.annotations.*
automl.columnSpecs.*
automl.datasets.create
automl.datasets.delete
automl.datasets.export
automl.datasets.get
automl.datasets.import
automl.datasets.list
automl.datasets.update
automl.examples.*
automl.files.*
automl.humanAnnotationTasks.*
automl.locations.get
automl.locations.list
automl.modelEvaluations.*
automl.models.create
automl.models.delete
automl.models.deploy
automl.models.export
automl.models.get
automl.models.list
automl.models.predict
automl.models.undeploy
automl.operations.*
automl.tableSpecs.*
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.get
bigquery.tables.getData
ml.jobs.create
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.*
ml.models.*
ml.operations.get
ml.operations.list
ml.projects.getConfig
ml.studies.*
ml.trials.*
ml.versions.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Database Migration Service Agent
(roles/datamigration.serviceAgent)
Gives Cloud Database Migration service account access to Cloud SQL resources.
Warning: Do not grant service agent roles to any principals except service agents.
alloydb.clusters.create
alloydb.clusters.delete
alloydb.clusters.generateClientCertificate
alloydb.clusters.get
alloydb.clusters.list
alloydb.clusters.update
alloydb.instances.connect
alloydb.instances.create
alloydb.instances.delete
alloydb.instances.get
alloydb.instances.list
alloydb.instances.update
alloydb.operations.get
alloydb.operations.list
cloudsql.databases.delete
cloudsql.databases.get
cloudsql.databases.list
cloudsql.instances.connect
cloudsql.instances.create
cloudsql.instances.delete
cloudsql.instances.demoteMaster
cloudsql.instances.executeSql
cloudsql.instances.export
cloudsql.instances.get
cloudsql.instances.import
cloudsql.instances.list
cloudsql.instances.migrate
cloudsql.instances.promoteReplica
cloudsql.instances.restart
cloudsql.instances.startReplica
cloudsql.instances.stopReplica
cloudsql.instances.update
compute.forwardingRules.use
compute.globalAddresses.create
compute.globalAddresses.createInternal
compute.globalAddresses.delete
compute.globalAddresses.deleteInternal
compute.globalAddresses.get
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.removePeering
compute.networks.use
compute.regionOperations.get
compute.regionOperations.list
compute.routers.list
compute.routes.get
compute.routes.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.serviceAttachments.update
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
networkmanagement.connectivitytests.list
serviceusage.services.use
storage.objects.get
storage.objects.list
Datapipelines Service Agent
(roles/datapipelines.serviceAgent)
Gives Datapipelines service permissions to create Dataflow & Cloud Scheduler jobs in the user project.
Warning: Do not grant service agent roles to any principals except service agents.
appengine.applications.get
bigquery.tables.get
bigtable.tables.get
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
cloudscheduler.*
compute.machineTypes.get
compute.projects.get
compute.regions.list
compute.zones.list
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
firebase.projects.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
orgpolicy.policy.get
pubsub.schemas.get
pubsub.topics.get
recommender.dataflowDiagnosticsInsights.*
recommender.iamPolicyInsights.*
recommender.iamPolicyRecommendations.*
recommender.storageBucketSoftDeleteInsights.*
recommender.storageBucketSoftDeleteRecommendations.*
remotebuildexecution.blobs.get
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
Dataplex Discovery BigLake Publishing Service Agent
(roles/dataplex.discoveryBigLakePublishingServiceAgent)
Gives the Dataplex Discovery Service Agent permissions to use a BigQuery connection.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.connections.delegate
bigquery.connections.use
Dataplex Discovery Publishing Service Agent
(roles/dataplex.discoveryPublishingServiceAgent)
Gives the Dataplex Discovery Service Agent dataset create and get permissions.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.datasets.create
bigquery.datasets.get
Dataplex Discovery Service Agent
(roles/dataplex.discoveryServiceAgent)
Gives the Dataplex Discovery Service Agent bucket read permissions.
Warning: Do not grant service agent roles to any principals except service agents.
storage.buckets.get
storage.objects.get
storage.objects.list
Cloud Dataplex Service Agent
(roles/dataplex.serviceAgent)
Gives the Dataplex service account access to project resources. This access will be used in data discovery, data management and data workload management.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.config.*
bigquery.connections.*
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.jobs.*
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.*
bigquery.reservations.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.overrideTimeTravelRestrictions
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.savedqueries.*
bigquery.tables.*
bigquery.transfers.*
bigquerymigration.translation.translate
datacatalog.catalogs.searchAll
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.entries.get
datacatalog.taxonomies.create
datacatalog.taxonomies.delete
datacatalog.taxonomies.get
datacatalog.taxonomies.list
datacatalog.taxonomies.update
dataform.*
dataplex.assets.getIamPolicy
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.list
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.projects.search
dataplex.zones.getIamPolicy
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.get
dataproc.operations.cancel
dataproc.operations.get
dataproc.operations.list
firebase.projects.get
iam.serviceAccounts.actAs
logging.logEntries.create
logging.logEntries.route
metastore.services.get
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
orgpolicy.policy.get
recommender.iamPolicyInsights.*
recommender.iamPolicyRecommendations.*
recommender.storageBucketSoftDeleteInsights.*
recommender.storageBucketSoftDeleteRecommendations.*
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.report
serviceusage.services.use
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
Dataprep Service Agent
(roles/dataprep.serviceAgent)
Dataprep service identity. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.jobs.create
bigquery.jobs.list
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.listFailoverDatasets
bigquery.routines.*
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.replicateData
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
bigquery.transfers.get
bigquerymigration.translation.translate
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.futureReservations.get
compute.futureReservations.getIamPolicy
compute.futureReservations.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.instanceSettings.get
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.multiMig.get
compute.multiMig.list
compute.networkAttachments.get
compute.networkAttachments.getIamPolicy
compute.networkAttachments.list
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkEdgeSecurityServices.get
compute.networkEdgeSecurityServices.list
compute.networkEdgeSecurityServices.listEffectiveTags
compute.networkEdgeSecurityServices.listTagBindings
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networkProfiles.*
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listPeeringRoutes
compute.networks.listTagBindings
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.routers.listEffectiveTags
compute.routers.listRoutePolicies
compute.routers.listTagBindings
compute.routes.get
compute.routes.list
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.storagePools.get
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
dataplex.projects.search
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
orgpolicy.policy.get
recommender.dataflowDiagnosticsInsights.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Dataproc Service Agent
(roles/dataproc.serviceAgent)
Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and Kubernetes resources. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except service agents.
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.useForComputeInstance
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.serviceConfig.initialize
compute.acceleratorTypes.*
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.disks.startAsyncReplication
compute.disks.stopAsyncReplication
compute.disks.stopGroupAsyncReplication
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.get
compute.firewalls.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.globalAddresses.use
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceSettings.get
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get
compute.licenses.list
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.networks.use
compute.networks.useExternalIp
compute.nodeGroups.get
compute.nodeTypes.get
compute.projects.get
compute.regionNetworkEndpointGroups.*
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.list
compute.resourcePolicies.useReadOnly
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
container.clusterRoleBindings.*
container.clusterRoles.*
container.clusters.get
container.clusters.update
container.customResourceDefinitions.create
container.customResourceDefinitions.delete
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.customResourceDefinitions.update
container.namespaces.create
container.namespaces.delete
container.namespaces.get
container.namespaces.list
container.namespaces.update
container.operations.get
container.roleBindings.*
container.roles.bind
container.roles.escalate
dataproc.autoscalingPolicies.create
dataproc.autoscalingPolicies.delete
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.getIamPolicy
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.update
dataproc.autoscalingPolicies.use
dataproc.clusters.*
dataproc.jobs.*
dataproc.nodeGroups.*
dataproc.operations.cancel
dataproc.sessionTemplates.get
dataproc.sessions.*
dataprocrm.nodePools.*
dataprocrm.nodes.*
dataprocrm.operations.cancel
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
firebase.projects.get
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
metastore.services.get
orgpolicy.policy.get
recommender.iamPolicyInsights.*
recommender.iamPolicyRecommendations.*
recommender.storageBucketSoftDeleteInsights.*
recommender.storageBucketSoftDeleteRecommendations.*
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.bind
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
Dataproc Resource Manager Node Service Agent
(roles/dataprocrm.nodeServiceAgent)
Dataproc Resource Manager Node Service Agent used to run managed resources in user project with restricted permissions.
Warning: Do not grant service agent roles to any principals except service agents.
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.mintOAuthToken
logging.logEntries.create
logging.logEntries.route
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
Datastream Service Agent
(roles/datastream.serviceAgent)
Grants Cloud Datastream permissions to write data in the user project.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.connections.delegate
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.delete
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
compute.globalAddresses.create
compute.globalAddresses.createInternal
compute.globalAddresses.delete
compute.globalAddresses.deleteInternal
compute.globalAddresses.get
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.listPeeringRoutes
compute.networks.removePeering
compute.networks.use
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
pubsub.topics.publish
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list
Data Studio Service Agent
(roles/datastudio.serviceAgent)
Grants Data Studio Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.jobs.create
DesignCenter Service Agent
(roles/designcenter.serviceAgent)
Gives the DesignCenter API Service Account access to necessary GCP resources.
Warning: Do not grant service agent roles to any principals except service agents.
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Dialogflow Service Agent
(roles/dialogflow.serviceAgent)
Gives Dialogflow Service Account access to resources on behalf of user project for Integrations (Facebook Messenger, Slack, Telephony, etc.), BigQuery, Discovery Engine, Integration Connectors, and Vertex.
Warning: Do not grant service agent roles to any principals except service agents.
aiplatform.endpoints.get
aiplatform.endpoints.predict
aiplatform.extensions.execute
aiplatform.extensions.get
aiplatform.models.get
bigquery.jobs.create
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.updateData
cloudfunctions.functions.invoke
connectors.actions.*
connectors.connections.executeSqlQuery
connectors.connections.generateOpenAPISpec
connectors.connections.get
connectors.entities.*
connectors.entityTypes.list
connectors.operations.get
connectors.versions.get
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.agents.searchResources
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.*
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.list
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.*
dialogflow.conversations.*
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.environments.runContinuousTest
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.*
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.*
dialogflow.sessions.*
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
discoveryengine.collections.list
discoveryengine.dataStores.create
discoveryengine.dataStores.list
discoveryengine.engines.create
discoveryengine.engines.delete
discoveryengine.engines.get
discoveryengine.engines.update
discoveryengine.servingConfigs.search
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
logging.logEntries.create
logging.logEntries.route
pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
run.jobs.run
run.routes.invoke
serviceusage.services.use
speakerid.phrases.*
speakerid.speakers.*
speech.adaptations.execute
speech.customClasses.get
speech.customClasses.list
speech.phraseSets.get
speech.phraseSets.list
speech.recognizers.get
speech.recognizers.list
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.create
storage.objects.get
storage.objects.list
Discovery Engine Service Agent
(roles/discoveryengine.serviceAgent)
Discovery Engine service uploads documents and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects using Cloud Logging, and writes and reads metrics for customer using Cloud Monitoring.
Warning: Do not grant service agent roles to any principals except service agents.
alloydb.clusters.export
alloydb.databases.list
alloydb.instances.get
alloydb.operations.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
cloudsql.databases.get
cloudsql.instances.export
cloudsql.instances.get
datastore.databases.export
datastore.databases.get
datastore.databases.getMetadata
datastore.operations.get
discoveryengine.completionConfigs.completeQuery
discoveryengine.conversations.converse
discoveryengine.conversations.create
discoveryengine.dataStores.completeQuery
discoveryengine.servingConfigs.answer
discoveryengine.servingConfigs.search
discoveryengine.userEvents.create
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.*
spanner.databases.beginReadOnlyTransaction
spanner.databases.partitionQuery
spanner.databases.select
spanner.databases.useDataBoost
spanner.sessions.create
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.managedFolders.*
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
DLP API Service Agent
(roles/dlp.serviceAgent)
Gives the Cloud DLP API service agent permissions for BigQuery, Cloud Storage, Datastore, Pub/Sub, and Cloud KMS.
Warning: Do not grant service agent roles to any principals except service agents.
appengine.applications.get
bigquery.config.get
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.update
bigquery.models.*
bigquery.readsessions.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.tables.*
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.exportResource
cloudasset.assets.searchAllIamPolicies
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.locations.get
cloudkms.locations.list
datacatalog.categories.fineGrainedGet
datacatalog.tagTemplates.*
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
dataplex.projects.search
datastore.databases.get
datastore.databases.getMetadata
datastore.databases.list
datastore.entities.*
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.jobs.*
dlp.kms.encrypt
firebase.projects.get
orgpolicy.policy.get
pubsub.*
recommender.iamPolicyInsights.*
recommender.iamPolicyRecommendations.*
recommender.storageBucketSoftDeleteInsights.*
recommender.storageBucketSoftDeleteRecommendations.*
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
Cloud DNS Service Agent
(roles/dns.serviceAgent)
Gives Cloud DNS Service Agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except service agents.
compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalOperations.get
compute.healthChecks.get
DocumentAI Core Service Agent
(roles/documentaicore.serviceAgent)
Gives DocumentAI Core Service Account access to consumer resources.
Warning: Do not grant service agent roles to any principals except service agents.
automl.models.predict
documentai.humanReviewConfigs.review
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
DSPM Service Agent
(roles/dspm.serviceAgent)
Gives DSPM Service Account access to consumer resources.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.datasets.createTagBinding
bigquery.datasets.deleteTagBinding
bigquery.datasets.listEffectiveTags
bigquery.datasets.listTagBindings
bigquery.tables.createTagBinding
bigquery.tables.deleteTagBinding
bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings
cloudasset.assets.exportResource
cloudasset.assets.listResource
cloudasset.assets.queryResource
cloudasset.assets.searchAllResources
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.update
resourcemanager.hierarchyNodes.*
resourcemanager.tagKeys.create
resourcemanager.tagKeys.delete
resourcemanager.tagKeys.get
resourcemanager.tagKeys.getIamPolicy
resourcemanager.tagKeys.list
resourcemanager.tagKeys.update
resourcemanager.tagValueBindings.*
resourcemanager.tagValues.create
resourcemanager.tagValues.delete
resourcemanager.tagValues.get
resourcemanager.tagValues.getIamPolicy
resourcemanager.tagValues.list
resourcemanager.tagValues.update
securitycenter.securityhealthanalyticssettings.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securityposture.operations.get
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postures.create
securityposture.postures.get
storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
Edge Container Cluster Service Agent
(roles/edgecontainer.clusterServiceAgent)
Grants the Edge Container Cluster Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except service agents.
cloudnotifications.activities.list
gkehub.endpoints.connect
gkehub.features.create
gkehub.features.get
gkehub.features.list
gkehub.features.update
gkehub.fleet.create
gkehub.fleet.delete
gkehub.fleet.get
gkehub.locations.*
gkehub.memberships.create
gkehub.memberships.delete
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.list
gkehub.memberships.update
gkehub.operations.*
kubernetesmetadata.*
logging.logEntries.create
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.*
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
opsconfigmonitoring.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
stackdriver.projects.get
stackdriver.resourceMetadata.*
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Edge Container Service Agent
(roles/edgecontainer.serviceAgent)
Grants the Edge Container Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except service agents.
compute.externalVpnGateways.create
compute.externalVpnGateways.delete
compute.externalVpnGateways.get
compute.externalVpnGateways.use
compute.globalOperations.get
compute.networks.get
compute.networks.updatePolicy
compute.regionOperations.get
compute.routers.create
compute.routers.delete
compute.routers.get
compute.routers.list
compute.routers.update
compute.routers.use
compute.vpnGateways.create
compute.vpnGateways.delete
compute.vpnGateways.get
compute.vpnGateways.use
compute.vpnTunnels.create
compute.vpnTunnels.delete
compute.vpnTunnels.get
gkehub.memberships.create
gkehub.memberships.delete
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.list
gkehub.memberships.update
gkehub.operations.cancel
gkehub.operations.get
serviceusage.services.list
Cloud Endpoints Service Agent
(roles/endpoints.serviceAgent)
Gives the Cloud Endpoints service account access to Endpoints services and the ability to act as a service controller.
Warning: Do not grant service agent roles to any principals except service agents.
servicemanagement.services.check
servicemanagement.services.get
servicemanagement.services.quota
servicemanagement.services.report
Endpoints Portal Service Agent
(roles/endpointsportal.serviceAgent)
Can access information about Endpoints services for consumer portal management, and can read Source Repositories for consumer portal custom content.
Warning: Do not grant service agent roles to any principals except service agents.
servicemanagement.services.get
servicemanagement.services.list
source.repos.get
Enterprise Knowledge Graph Service Agent
(roles/enterpriseknowledgegraph.serviceAgent)
Gives Enterprise Knowledge Graph Service Account access to consumer resources.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
Eventarc Service Agent
(roles/eventarc.serviceAgent)
Gives Eventarc service account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
cloudfunctions.functions.get
compute.instanceGroupManagers.get
compute.networkAttachments.get
compute.networkAttachments.update
compute.regionOperations.get
container.clusters.connect
container.clusters.get
container.deployments.create
container.deployments.delete
container.deployments.get
container.deployments.list
container.deployments.update
container.namespaces.create
container.namespaces.delete
container.namespaces.get
container.namespaces.list
container.serviceAccounts.create
container.serviceAccounts.delete
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.list
dns.networks.targetWithPeeringZone
eventarc.channels.publish
eventarc.messageBuses.publish
eventarc.operations.get
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
monitoring.timeSeries.create
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
run.jobs.get
run.services.get
serviceusage.services.use
storage.buckets.get
storage.buckets.update
workflows.workflows.get
Cloud Filestore Service Agent
(roles/file.serviceAgent)
Gives Cloud Filestore service account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.networks.updatePeering
compute.routes.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
Firebase App Distribution Admin SDK Service Agent
(roles/firebase.appDistributionSdkServiceAgent)
Read and write access to Firebase App Distribution with the Admin SDK
Warning: Do not grant service agent roles to any principals except service agents.
firebaseappdistro.*
Firebase Service Management Service Agent
(roles/firebase.managementServiceAgent)
Access to create new service agents for Firebase projects; assign roles to service agents; provision GCP resources as required by Firebase services.
Warning: Do not grant service agent roles to any principals except service agents.
apikeys.keys.create
apikeys.keys.get
apikeys.keys.list
apikeys.keys.update
appengine.applications.create
appengine.applications.get
appengine.applications.update
appengine.operations.get
appengine.services.list
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.update
bigquery.transfers.*
clientauthconfig.brands.create
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.update
firebase.clients.create
firebase.clients.delete
firebase.clients.get
firebase.clients.undelete
firebase.projects.*
firebaseabt.experiments.delete
firebaseauth.configs.create
firebaseauth.configs.get
firebaseauth.configs.update
firebaserules.releases.create
firebaserules.releases.delete
firebaserules.releases.get
firebaserules.rulesets.create
firebasestorage.defaultBucket.get
iam.roles.get
iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
resourcemanager.projects.update
servicemanagement.services.bind
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
Firebase App Hosting Service Agent
(roles/firebaseapphosting.serviceAgent)
Gives Firebase App Hosting access to resource for Building & Deploying Backends.
Warning: Do not grant service agent roles to any principals except service agents.
artifactregistry.dockerimages.*
artifactregistry.repositories.create
artifactregistry.repositories.delete
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.update
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.update
cloudbuild.connections.get
cloudbuild.operations.get
cloudbuild.repositories.accessReadToken
cloudbuild.repositories.accessReadWriteToken
cloudbuild.repositories.get
developerconnect.connections.get
developerconnect.gitRepositoryLinks.fetchReadToken
developerconnect.gitRepositoryLinks.fetchReadWriteToken
developerconnect.gitRepositoryLinks.get
iam.serviceAccounts.actAs
run.operations.delete
run.operations.get
run.revisions.delete
run.revisions.get
run.routes.get
run.routes.invoke
run.services.create
run.services.delete
run.services.get
run.services.update
serviceusage.services.use
Firebase Crashlytics Service Agent
(roles/firebasecrashlytics.serviceAgent)
Access to BigQuery export for Crashlytics
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.datasets.create
bigquery.datasets.get
bigquery.tables.create
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
serviceusage.services.use
Firebase Realtime Database Service Agent
(roles/firebasedatabase.serviceAgent)
Access to publish triggers
Warning: Do not grant service agent roles to any principals except service agents.
pubsub.topics.publish
serviceusage.services.use
Firebase Data Connect Service Agent
(roles/firebasedataconnect.serviceAgent)
Gives Firebase Data Connect access to administer Cloud SQL instances.
Warning: Do not grant service agent roles to any principals except service agents.
cloudsql.databases.create
cloudsql.databases.get
cloudsql.instances.connect
cloudsql.instances.get
cloudsql.instances.login
cloudsql.users.create
cloudsql.users.get
Firebase Machine Learning Service Agent
(roles/firebaseml.serviceAgent)
Access to Cloud ML and AI resources used by Firebase ML
Warning: Do not grant service agent roles to any principals except service agents.
aiplatform.endpoints.predict
Firebase Rules Firestore Service Agent
(roles/firebaserules.firestoreServiceAgent)
Grants Firebase Security Rules access to Firestore for providing cross-service Rules.
Warning: Do not grant service agent roles to any principals except service agents.
datastore.entities.get
Cloud Storage for Firebase Service Agent
(roles/firebasestorage.serviceAgent)
Access to Cloud Storage for Firebase through API and SDK.
Warning: Do not grant service agent roles to any principals except service agents.
storage.buckets.get
storage.buckets.getIamPolicy
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.update
Firestore Service Agent
(roles/firestore.serviceAgent)
Gives Firestore service account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
Cloud Firewall Insights Service Agent
(roles/firewallinsights.serviceAgent)
Gives Cloud Firewall Insights service agent permissions to retrieve Firewall, VM and route resources on user behalf.
Warning: Do not grant service agent roles to any principals except service agents.
compute.backendServices.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.list
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.instanceGroups.list
compute.instances.get
compute.instances.list
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.projects.get
compute.regionTargetTcpProxies.list
compute.routers.list
compute.routes.get
compute.routes.list
compute.subnetworks.list
compute.targetHttpProxies.list
compute.targetHttpsProxies.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
FleetEngine Service Agent
(roles/fleetengine.serviceAgent)
Grants the FleetEngine Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.tables.getData
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
Game Services Service Agent
(roles/gameservices.serviceAgent)
Gives Game Services Service Account access to GCP resources.
Warning: Do not grant service agent roles to any principals except service agents.
container.apiServices.*
container.auditSinks.*
container.backendConfigs.*
container.bindings.*
container.certificateSigningRequests.create
container.certificateSigningRequests.delete
container.certificateSigningRequests.get
container.certificateSigningRequests.list
container.certificateSigningRequests.update
container.certificateSigningRequests.updateStatus
container.clusterRoleBindings.create
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoleBindings.update
container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.escalate
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update
container.clusters.connect
container.clusters.create
container.clusters.delete
container.clusters.get
container.clusters.list
container.clusters.update
container.componentStatuses.*
container.configMaps.*
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.*
container.csiDrivers.*
container.csiNodeInfos.*
container.csiNodes.*
container.customResourceDefinitions.*
container.daemonSets.*
container.deployments.*
container.endpointSlices.*
container.endpoints.*
container.events.*
container.frontendConfigs.*
container.horizontalPodAutoscalers.*
container.ingresses.*
container.initializerConfigurations.*
container.jobs.*
container.leases.*
container.limitRanges.*
container.localSubjectAccessReviews.*
container.managedCertificates.*
container.mutatingWebhookConfigurations.*
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.operations.*
container.persistentVolumeClaims.*
container.persistentVolumes.*
container.petSets.*
container.podDisruptionBudgets.*
container.podPresets.*
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.*
container.pods.*
container.priorityClasses.*
container.replicaSets.*
container.replicationControllers.*
container.resourceQuotas.*
container.roleBindings.create
container.roleBindings.get
container.roleBindings.list
container.roles.bind
container.roles.create
container.roles.escalate
container.roles.get
container.roles.list
container.runtimeClasses.*
container.scheduledJobs.*
container.secrets.*
container.selfSubjectAccessReviews.*
container.selfSubjectRulesReviews.create
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.storageStates.*
container.storageVersionMigrations.*
container.subjectAccessReviews.*
container.thirdPartyObjects.*
container.thirdPartyResources.*
container.tokenReviews.create
container.updateInfos.*
container.validatingWebhookConfigurations.*
container.volumeAttachments.*
container.volumeSnapshotClasses.*
container.volumeSnapshotContents.*
container.volumeSnapshots.*
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.fleet.getFreeTrial
gkehub.locations.*
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipfeatures.get
gkehub.membershipfeatures.list
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.operations.get
gkehub.operations.list
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.scopes.get
gkehub.scopes.list
gkehub.scopes.listBoundMemberships
iam.serviceAccounts.actAs
recommender.containerDiagnosisInsights.*
recommender.containerDiagnosisRecommendations.*
recommender.locations.*
recommender.networkAnalyzerGkeConnectivityInsights.*
recommender.networkAnalyzerGkeIpAddressInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
Genomics Service Agent
(roles/genomics.serviceAgent)
Gives Genomics Service Account access to compute resources. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except service agents.
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.useForComputeInstance
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.serviceConfig.initialize
compute.acceleratorTypes.*
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.get
compute.backendServices.list
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.globalAddresses.use
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceSettings.*
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.get
compute.networkAttachments.list
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkEndpointGroups.*
compute.networkProfiles.*
compute.networks.get
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.routers.listEffectiveTags
compute.routers.listRoutePolicies
compute.routers.listTagBindings
compute.routes.get
compute.routes.list
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings
compute.snapshots.*
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
iam.serviceAccounts.actAs
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
Backup for GKE Service Agent
(roles/gkebackup.serviceAgent)
Grants the Backup for GKE Service Account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
compute.disks.create
compute.disks.createSnapshot
compute.disks.get
compute.disks.list
compute.disks.setLabels
compute.disks.useReadOnly
compute.globalOperations.get
compute.regionOperations.get
compute.snapshots.delete
compute.snapshots.get
compute.zoneOperations.get
container.apiServices.*
container.auditSinks.*
container.backendConfigs.*
container.bindings.*
container.certificateSigningRequests.create
container.certificateSigningRequests.delete
container.certificateSigningRequests.get
container.certificateSigningRequests.list
container.certificateSigningRequests.update
container.certificateSigningRequests.updateStatus
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.connect
container.clusters.get
container.clusters.list
container.clusters.update
container.componentStatuses.*
container.configMaps.*
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.*
container.csiDrivers.*
container.csiNodeInfos.*
container.csiNodes.*
container.customResourceDefinitions.*
container.daemonSets.*
container.deployments.*
container.endpointSlices.*
container.endpoints.*
container.events.*
container.frontendConfigs.*
container.horizontalPodAutoscalers.*
container.ingresses.*
container.initializerConfigurations.*
container.jobs.*
container.leases.*
container.limitRanges.*
container.localSubjectAccessReviews.*
container.managedCertificates.*
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.operations.*
container.persistentVolumeClaims.*
container.persistentVolumes.*
container.petSets.*
container.podDisruptionBudgets.*
container.podPresets.*
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.*
container.pods.*
container.priorityClasses.*
container.replicaSets.*
container.replicationControllers.*
container.resourceQuotas.*
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.*
container.scheduledJobs.*
container.secrets.*
container.selfSubjectAccessReviews.*
container.selfSubjectRulesReviews.create
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.storageStates.*
container.storageVersionMigrations.*
container.subjectAccessReviews.*
container.thirdPartyObjects.*
container.thirdPartyResources.*
container.tokenReviews.create
container.updateInfos.*
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeAttachments.*
container.volumeSnapshotClasses.*
container.volumeSnapshotContents.*
container.volumeSnapshots.*
gkebackup.operations.get
recommender.containerDiagnosisInsights.*
recommender.containerDiagnosisRecommendations.*
recommender.locations.*
recommender.networkAnalyzerGkeConnectivityInsights.*
recommender.networkAnalyzerGkeIpAddressInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.projects.updateLiens
Warp Run Service Agent
(roles/gkedataplanemanagement.warpRunServiceAgent)
Gives the Warp Run service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except service agents.
resourcemanager.projects.get
resourcemanager.projects.list
GKE Hub Cross Project Service Agent
(roles/gkehub.crossProjectServiceAgent)
Gives the GKE Hub service agent permission to manage the project for cross-project fleet registration.
Warning: Do not grant service agent roles to any principals except service agents.
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
GKE Hub Service Agent
(roles/gkehub.serviceAgent)
Gives the GKE Hub service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except service agents.
container.clusterRoleBindings.*
container.clusterRoles.*
container.clusters.connect
container.clusters.get
container.clusters.list
container.clusters.update
container.customResourceDefinitions.create
container.customResourceDefinitions.delete
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.customResourceDefinitions.update
container.namespaces.get
container.operations.get
container.thirdPartyObjects.*
gkehub.features.create
gkehub.features.get
gkehub.features.list
gkehub.fleet.create
gkehub.fleet.get
gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.create
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.list
gkehub.operations.get
gkemulticloud.awsClusters.get
gkemulticloud.azureClusters.get
gkeonprem.bareMetalClusters.get
gkeonprem.vmwareClusters.get
logging.buckets.create
logging.buckets.get
logging.buckets.list
logging.buckets.update
logging.exclusions.*
logging.sinks.*
logging.views.create
logging.views.get
logging.views.list
logging.views.update
monitoring.metricsScopes.link
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Anthos Multi-Cloud Container Service Agent
(roles/gkemulticloud.containerServiceAgent)
Grants the Anthos Multi-Cloud Container Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except service agents.
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.policy.evaluatePolicy
binaryauthorization.policy.get
cloudnotifications.activities.list
kubernetesmetadata.*
logging.logEntries.create
logging.logEntries.route
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
opsconfigmonitoring.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
stackdriver.projects.get
stackdriver.resourceMetadata.list
Anthos Multi-Cloud Control Plane Machine Service Agent
(roles/gkemulticloud.controlPlaneMachineServiceAgent)
Grants the Anthos Multi-Cloud Control Plane Machine Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except service agents.
artifactregistry.dockerimages.get
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
serviceusage.services.use
Anthos Multi-Cloud Node Pool Machine Service Agent
(roles/gkemulticloud.nodePoolMachineServiceAgent)
Grants the Anthos Multi-Cloud Node Pool Machine Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except service agents.
artifactregistry.dockerimages.get
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
serviceusage.services.use
Anthos Multi-Cloud Service Agent
(roles/gkemulticloud.serviceAgent)
Grants the Anthos Multi-Cloud Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except service agents.
gkehub.features.*
gkehub.fleet.*
gkehub.locations.*
gkehub.membershipbindings.*
gkehub.membershipfeatures.*
gkehub.memberships.*
gkehub.namespaces.*
gkehub.operations.*
gkehub.rbacrolebindings.*
gkehub.scopes.create
gkehub.scopes.delete
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.scopes.listBoundMemberships
gkehub.scopes.update
gkemulticloud.awsClusters.delete
gkemulticloud.awsNodePools.delete
gkemulticloud.azureClients.delete
gkemulticloud.azureClusters.delete
gkemulticloud.azureNodePools.delete
resourcemanager.projects.get
resourcemanager.projects.list
GKE On-Prem Service Agent
(roles/gkeonprem.serviceAgent)
Gives the GKE On-Prem service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except service agents.
gkehub.memberships.delete
gkehub.memberships.get
gkehub.memberships.update
gkeonprem.bareMetalAdminClusters.connect
gkeonprem.bareMetalAdminClusters.enroll
gkeonprem.bareMetalAdminClusters.get
gkeonprem.bareMetalAdminClusters.unenroll
gkeonprem.bareMetalClusters.enroll
gkeonprem.bareMetalClusters.get
gkeonprem.bareMetalClusters.unenroll
gkeonprem.bareMetalNodePools.enroll
gkeonprem.bareMetalNodePools.get
gkeonprem.bareMetalNodePools.unenroll
gkeonprem.operations.get
gkeonprem.operations.list
gkeonprem.vmwareAdminClusters.connect
gkeonprem.vmwareAdminClusters.enroll
gkeonprem.vmwareAdminClusters.get
gkeonprem.vmwareAdminClusters.unenroll
gkeonprem.vmwareClusters.enroll
gkeonprem.vmwareClusters.get
gkeonprem.vmwareClusters.unenroll
gkeonprem.vmwareNodePools.enroll
gkeonprem.vmwareNodePools.get
gkeonprem.vmwareNodePools.unenroll
Healthcare Service Agent
(roles/healthcare.serviceAgent)
Gives the Healthcare Service Account access to networks, Kubernetes engine, and Pub/Sub resources.
Warning: Do not grant service agent roles to any principals except service agents.
cloudnotifications.activities.list
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
opsconfigmonitoring.resourceMetadata.list
pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
stackdriver.resourceMetadata.list
(roles/identitytoolkit.serviceAgent)
Gives Identity Platform service account access to customer project resources.
Warning: Do not grant service agent roles to any principals except service agents.
recaptchaenterprise.assessments.create
recaptchaenterprise.keys.create
recaptchaenterprise.keys.delete
recaptchaenterprise.keys.get
Application Integration Service Agent
(roles/integrations.serviceAgent)
Service agent that grants access to execute an integration.
Warning: Do not grant service agent roles to any principals except service agents.
cloudfunctions.functions.invoke
cloudscheduler.jobs.create
cloudscheduler.jobs.delete
cloudscheduler.jobs.enable
cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.pause
cloudscheduler.jobs.run
cloudscheduler.jobs.update
cloudscheduler.locations.*
connectors.actions.*
connectors.connections.executeSqlQuery
connectors.connections.get
connectors.entities.*
connectors.entityTypes.list
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
integrations.apigeeAuthConfigs.*
integrations.apigeeCertificates.*
integrations.apigeeExecutions.list
integrations.apigeeIntegrationVers.*
integrations.apigeeIntegrations.*
integrations.apigeeSfdcChannels.*
integrations.apigeeSfdcInstances.*
integrations.apigeeSuspensions.*
integrations.authConfigs.*
integrations.certificates.*
integrations.executions.list
integrations.integrationVersions.create
integrations.integrationVersions.delete
integrations.integrationVersions.deploy
integrations.integrationVersions.get
integrations.integrationVersions.list
integrations.integrationVersions.update
integrations.integrations.create
integrations.integrations.delete
integrations.integrations.deploy
integrations.integrations.get
integrations.integrations.invoke
integrations.integrations.list
integrations.integrations.update
integrations.sfdcChannels.*
integrations.sfdcInstances.*
integrations.suspensions.*
pubsub.schemas.attach
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
run.jobs.run
run.routes.invoke
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update
KRM API Hosting AnthosApiEndpoint Service Agent
(roles/krmapihosting.anthosApiEndpointServiceAgent)
Grants permissions to resources managed by AnthosApiEndpoint.
Warning: Do not grant service agent roles to any principals except service agents.
compute.instanceGroupManagers.get
container.*
gkehub.features.*
gkehub.fleet.*
gkehub.gateway.*
gkehub.locations.*
gkehub.membershipbindings.*
gkehub.membershipfeatures.*
gkehub.memberships.*
gkehub.namespaces.*
gkehub.operations.*
gkehub.rbacrolebindings.*
gkehub.scopes.create
gkehub.scopes.delete
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.scopes.listBoundMemberships
gkehub.scopes.update
iam.serviceAccounts.actAs
meshconfig.projects.init
recommender.containerDiagnosisInsights.*
recommender.containerDiagnosisRecommendations.*
recommender.locations.*
recommender.networkAnalyzerGkeConnectivityInsights.*
recommender.networkAnalyzerGkeIpAddressInsights.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
KRM API Hosting Service Agent
(roles/krmapihosting.serviceAgent)
Gives KRM API Hosting service account access to managed resource.
Warning: Do not grant service agent roles to any principals except service agents.
compute.instanceGroupManagers.get
compute.regions.get
container.*
iam.serviceAccounts.actAs
recommender.containerDiagnosisInsights.*
recommender.containerDiagnosisRecommendations.*
recommender.locations.*
recommender.networkAnalyzerGkeConnectivityInsights.*
recommender.networkAnalyzerGkeIpAddressInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
KubeRun Events Control Plane Service Agent
(roles/kuberun.eventsControlPlaneServiceAgent)
Service account role used to set up authentication for the control plane used by KubeRun Events.
Warning: Do not grant service agent roles to any principals except service agents.
cloudscheduler.jobs.create
cloudscheduler.jobs.delete
cloudscheduler.jobs.get
logging.sinks.create
logging.sinks.delete
logging.sinks.get
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.setIamPolicy
resourcemanager.projects.get
storage.buckets.get
storage.buckets.update
KubeRun Events Data Plane Service Agent
(roles/kuberun.eventsDataPlaneServiceAgent)
Service account role used to set up authentication for the data plane used by KubeRun Events.
Warning: Do not grant service agent roles to any principals except service agents.
cloudtrace.traces.patch
monitoring.timeSeries.create
pubsub.subscriptions.consume
pubsub.subscriptions.get
pubsub.topics.get
pubsub.topics.publish
resourcemanager.projects.get
Cloud Life Sciences Service Agent
(roles/lifesciences.serviceAgent)
Gives Cloud Life Sciences Service Account access to compute resources. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except service agents.
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.useForComputeInstance
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.serviceConfig.initialize
compute.acceleratorTypes.*
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.get
compute.backendServices.list
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.globalAddresses.use
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceSettings.*
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.get
compute.networkAttachments.list
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkEndpointGroups.*
compute.networkProfiles.*
compute.networks.get
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.routers.listEffectiveTags
compute.routers.listRoutePolicies
compute.routers.listTagBindings
compute.routes.get
compute.routes.list
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings
compute.snapshots.*
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
iam.serviceAccounts.actAs
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
Live Stream Service Agent
(roles/livestream.serviceAgent)
Uploads media files to customer Cloud Storage buckets.
Warning: Do not grant service agent roles to any principals except service agents.
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Logging Service Agent
(roles/logging.serviceAgent)
Grants a Cloud Logging Service Account the ability to create and link datasets.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.link
Looker Service Agent
(roles/looker.serviceAgent)
Gives the Looker service account permission to manage customer resources
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.config.get
bigquery.datasets.get
bigquery.jobs.create
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
compute.globalAddresses.get
looker.backups.create
resourcemanager.projects.get
serviceusage.services.use
Managed Flink Service Agent
(roles/managedflink.serviceAgent)
Gives Managed Flink Service Agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except service agents.
compute.networkAttachments.create
compute.networkAttachments.delete
compute.networkAttachments.get
compute.networkAttachments.list
compute.networkAttachments.update
compute.networks.get
compute.networks.list
compute.regionOperations.get
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
dns.networks.targetWithPeeringZone
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.clusters.update
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
serviceusage.services.use
storage.objects.get
Cloud Managed Identities Service Agent
(roles/managedidentities.serviceAgent)
Gives Managed Identities service account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.routes.list
dns.changes.*
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.list
dns.managedZones.update
dns.networks.bindPrivateDNSPolicy
dns.networks.bindPrivateDNSZone
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
Managed Kafka Service Agent
(roles/managedkafka.serviceAgent)
Gives Managed Kafka Service Agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except service agents.
compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.list
compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.networks.get
compute.networks.use
compute.regionOperations.get
compute.subnetworks.get
compute.subnetworks.use
dns.changes.create
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.list
dns.networks.bindPrivateDNSZone
dns.networks.targetWithPeeringZone
dns.resourceRecordSets.create
dns.resourceRecordSets.delete
dns.resourceRecordSets.list
dns.resourceRecordSets.update
managedkafka.clusters.connect
privateca.caPools.get
servicedirectory.namespaces.create
servicedirectory.services.create
servicedirectory.services.delete
(roles/mediaasset.serviceAgent)
Downloads and uploads media files from and to customer Cloud Storage buckets.
Warning: Do not grant service agent roles to any principals except service agents.
pubsub.topics.get
pubsub.topics.publish
storage.objects.create
storage.objects.delete
storage.objects.get
transcoder.jobs.create
transcoder.jobs.delete
transcoder.jobs.get
Cloud Memorystore Memcached Service Agent
(roles/memcache.serviceAgent)
Gives Cloud Memorystore Memcached service account access to managed resource
Warning: Do not grant service agent roles to any principals except service agents.
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Memorystore Service Agent
(roles/memorystore.serviceAgent)
Gives Cloud Memorystore service account access to managed resource
Warning: Do not grant service agent roles to any principals except service agents.
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.projects.get
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
Mesh Config Service Agent
(roles/meshconfig.serviceAgent)
Apply mesh configuration
Warning: Do not grant service agent roles to any principals except service agents.
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.setSecurityPolicy
compute.backendServices.update
compute.backendServices.use
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.globalForwardingRules.create
compute.globalForwardingRules.delete
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.setLabels
compute.globalForwardingRules.setTarget
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.healthChecks.useReadOnly
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.use
compute.networks.get
compute.networks.updatePolicy
compute.networks.use
compute.regionTargetTcpProxies.create
compute.regionTargetTcpProxies.delete
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.use
compute.subnetworks.use
compute.targetHttpProxies.create
compute.targetHttpProxies.delete
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.setUrlMap
compute.targetHttpProxies.use
compute.targetHttpsProxies.create
compute.targetHttpsProxies.delete
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.setSslCertificates
compute.targetHttpsProxies.setSslPolicy
compute.targetHttpsProxies.setUrlMap
compute.targetHttpsProxies.use
compute.targetSslProxies.create
compute.targetSslProxies.delete
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.setBackendService
compute.targetSslProxies.setProxyHeader
compute.targetSslProxies.setSslCertificates
compute.targetSslProxies.use
compute.targetTcpProxies.create
compute.targetTcpProxies.delete
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.update
compute.targetTcpProxies.use
compute.urlMaps.create
compute.urlMaps.delete
compute.urlMaps.get
compute.urlMaps.invalidateCache
compute.urlMaps.list
compute.urlMaps.update
compute.urlMaps.use
compute.urlMaps.validate
networksecurity.clientTlsPolicies.create
networksecurity.clientTlsPolicies.delete
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.update
networksecurity.serverTlsPolicies.create
networksecurity.serverTlsPolicies.delete
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.update
networkservices.httpFilters.*
networkservices.httpfilters.create
networkservices.httpfilters.delete
networkservices.httpfilters.get
networkservices.httpfilters.list
networkservices.httpfilters.update
Mesh Managed Control Plane Service Agent
(roles/meshcontrolplane.serviceAgent)
Anthos Service Mesh Managed Control Plane Agent
Warning: Do not grant service agent roles to any principals except service agents.
container.apiServices.*
container.auditSinks.*
container.backendConfigs.*
container.bindings.*
container.certificateSigningRequests.*
container.clusterRoleBindings.*
container.clusterRoles.*
container.clusters.get
container.clusters.getCredentials
container.clusters.list
container.clusters.update
container.componentStatuses.*
container.configMaps.*
container.controllerRevisions.*
container.cronJobs.*
container.csiDrivers.*
container.csiNodeInfos.*
container.csiNodes.*
container.customResourceDefinitions.*
container.daemonSets.*
container.deployments.*
container.endpointSlices.*
container.endpoints.*
container.events.*
container.frontendConfigs.*
container.horizontalPodAutoscalers.*
container.hostServiceAgent.use
container.ingresses.*
container.initializerConfigurations.*
container.jobs.*
container.leases.*
container.limitRanges.*
container.localSubjectAccessReviews.*
container.managedCertificates.*
container.mutatingWebhookConfigurations.*
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.operations.*
container.persistentVolumeClaims.*
container.persistentVolumes.*
container.petSets.*
container.podDisruptionBudgets.*
container.podPresets.*
container.podSecurityPolicies.*
container.podTemplates.*
container.pods.*
container.priorityClasses.*
container.replicaSets.*
container.replicationControllers.*
container.resourceQuotas.*
container.roleBindings.*
container.roles.*
container.runtimeClasses.*
container.scheduledJobs.*
container.secrets.*
container.selfSubjectAccessReviews.*
container.selfSubjectRulesReviews.create
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.storageStates.*
container.storageVersionMigrations.*
container.subjectAccessReviews.*
container.thirdPartyObjects.*
container.thirdPartyResources.*
container.tokenReviews.create
container.updateInfos.*
container.validatingWebhookConfigurations.*
container.volumeAttachments.*
container.volumeSnapshotClasses.*
container.volumeSnapshotContents.*
container.volumeSnapshots.*
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.fleet.getFreeTrial
gkehub.gateway.*
gkehub.locations.*
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipfeatures.get
gkehub.membershipfeatures.list
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.operations.get
gkehub.operations.list
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.scopes.get
gkehub.scopes.list
gkehub.scopes.listBoundMemberships
logging.logEntries.create
logging.logEntries.route
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.use
trafficdirector.*
Mesh Data Plane Service Agent
(roles/meshdataplane.serviceAgent)
Run user-space Istio components
Warning: Do not grant service agent roles to any principals except service agents.
cloudtrace.traces.patch
compute.forwardingRules.get
compute.globalForwardingRules.get
logging.logEntries.create
logging.logEntries.route
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
serviceusage.services.use
(roles/metastore.serviceAgent)
Gives the Dataproc Metastore service account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.use
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.globalAddresses.createInternal
compute.globalAddresses.deleteInternal
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalOperations.get
compute.globalOperations.list
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.updatePeering
compute.networks.use
compute.regionOperations.get
compute.subnetworks.get
compute.subnetworks.use
dns.changes.create
dns.changes.get
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.list
dns.networks.bindPrivateDNSZone
dns.networks.targetWithPeeringZone
dns.resourceRecordSets.*
metastore.databases.get
metastore.databases.setIamPolicy
metastore.databases.update
metastore.federations.use
metastore.services.get
metastore.tables.get
metastore.tables.setIamPolicy
metastore.tables.update
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Migration Center Service Agent
(roles/migrationcenter.serviceAgent)
Gives Migration Center Service Account access to objects stored in object store and Cloud Migration products.
Warning: Do not grant service agent roles to any principals except service agents.
storage.objects.get
vmmigration.migratingVms.create
AI Platform Service Agent
(roles/ml.serviceAgent)
AI Platform service agent can act as log writer, Cloud Storage admin, Artifact Registry Reader, BigQuery writer, and service account access token creator.
Warning: Do not grant service agent roles to any principals except service agents.
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.updateData
firebase.projects.get
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
logging.logEntries.create
logging.logEntries.route
orgpolicy.policy.get
recommender.iamPolicyInsights.*
recommender.iamPolicyRecommendations.*
recommender.storageBucketSoftDeleteInsights.*
recommender.storageBucketSoftDeleteRecommendations.*
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.projects.get
resourcemanager.projects.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
Monitoring Service Agent
(roles/monitoring.notificationServiceAgent)
Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.jobs.create
cloudfunctions.functions.get
cloudtrace.traces.patch
logging.links.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.list
run.routes.invoke
servicedirectory.networks.access
servicedirectory.services.resolve
serviceusage.services.use
Multi Cluster Ingress Service Agent
(roles/multiclusteringress.serviceAgent)
Gives the Multi Cluster Ingress service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except service agents.
certificatemanager.certmapentries.*
certificatemanager.certmaps.*
certificatemanager.certs.*
certificatemanager.dnsauthorizations.*
compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.backendServices.*
compute.firewalls.*
compute.forwardingRules.*
compute.globalAddresses.create
compute.globalAddresses.delete
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.*
compute.healthChecks.*
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.use
compute.networks.updatePolicy
compute.networks.use
compute.regionBackendServices.*
compute.regionHealthChecks.*
compute.regionSslCertificates.*
compute.regionSslPolicies.use
compute.regionTargetHttpProxies.*
compute.regionTargetHttpsProxies.*
compute.regionUrlMaps.*
compute.securityPolicies.use
compute.sslCertificates.*
compute.sslPolicies.use
compute.subnetworks.list
compute.subnetworks.use
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.urlMaps.*
container.backendConfigs.*
container.clusters.get
container.customResourceDefinitions.create
container.customResourceDefinitions.delete
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.customResourceDefinitions.update
container.deployments.*
container.events.create
container.events.update
container.frontendConfigs.*
container.namespaces.list
container.secrets.get
container.secrets.list
container.services.*
container.thirdPartyObjects.*
gkehub.features.get
gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
Multi-cluster metering Service Agent
(roles/multiclustermetering.serviceAgent)
Gives the Multi-cluster metering service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except service agents.
gkehub.features.get
gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
Multi-Cluster Service Discovery Service Agent
(roles/multiclusterservicediscovery.serviceAgent)
Gives the Multi-Cluster Service Discovery service access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except service agents.
compute.backendServices.*
compute.firewalls.*
compute.forwardingRules.*
compute.globalForwardingRules.*
compute.globalOperations.get
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.networkEndpointGroups.use
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.networks.use
compute.regionTargetTcpProxies.*
compute.regions.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetTcpProxies.*
compute.urlMaps.*
container.clusters.get
container.clusters.list
container.thirdPartyObjects.update
dns.changes.*
dns.dnsKeys.*
dns.gkeClusters.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.update
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.getIamPolicy
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
gkehub.features.get
gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
resourcemanager.projects.get
resourcemanager.projects.list
Network Actions Service Agent
(roles/networkactions.serviceAgent)
Gives Network Actions service account access to read required resources.
Warning: Do not grant service agent roles to any principals except service agents.
artifactregistry.repositories.downloadArtifacts
Network Connectivity Service Agent
(roles/networkconnectivity.serviceAgent)
Grants the Network Connectivity API authority to read some networking resources. It does not mutate these resources.
Warning: Do not grant service agent roles to any principals except service agents.
compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.setLabels
compute.addresses.use
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.forwardingRules.pscSetLabels
compute.forwardingRules.pscSetTarget
compute.forwardingRules.pscUpdate
compute.forwardingRules.setLabels
compute.instances.get
compute.interconnectAttachments.get
compute.networks.get
compute.networks.use
compute.projects.get
compute.regionOperations.get
compute.routers.get
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.setIamPolicy
compute.subnetworks.use
compute.vpnTunnels.get
dns.managedZones.create
dns.networks.bindPrivateDNSZone
networkconnectivity.operations.get
servicedirectory.namespaces.associatePrivateZone
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
GCP Network Management Service Agent
(roles/networkmanagement.serviceAgent)
Grants the GCP Network Management API the authority to complete analysis based on network configurations from Compute Engine and Container Engine.
Warning: Do not grant service agent roles to any principals except service agents.
cloudsql.instances.get
cloudsql.instances.list
compute.addresses.get
compute.addresses.list
compute.backendServices.get
compute.backendServices.list
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
container.clusters.get
container.clusters.list
container.nodes.get
container.nodes.list
AI Platform Notebooks Service Agent
(roles/notebooks.serviceAgent)
Provide access for notebooks service agent to manage notebook instances in user projects
Warning: Do not grant service agent roles to any principals except service agents.
aiplatform.customJobs.cancel
aiplatform.customJobs.create
aiplatform.customJobs.get
aiplatform.customJobs.list
aiplatform.notebookExecutionJobs.*
aiplatform.operations.list
aiplatform.pipelineJobs.create
aiplatform.schedules.*
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.useForComputeInstance
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.serviceConfig.initialize
compute.acceleratorTypes.*
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.listEffectiveTags
compute.addresses.listTagBindings
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.listEffectiveTags
compute.externalVpnGateways.listTagBindings
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.futureReservations.get
compute.futureReservations.getIamPolicy
compute.futureReservations.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.listEffectiveTags
compute.globalAddresses.listTagBindings
compute.globalAddresses.use
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceSettings.*
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.listEffectiveTags
compute.interconnectAttachments.listTagBindings
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.listEffectiveTags
compute.interconnects.listTagBindings
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.get
compute.networkAttachments.getIamPolicy
compute.networkAttachments.list
compute.networkAttachments.listEffectiveTags
compute.networkAttachments.listTagBindings
compute.networkEdgeSecurityServices.get
compute.networkEdgeSecurityServices.list
compute.networkEdgeSecurityServices.listEffectiveTags
compute.networkEdgeSecurityServices.listTagBindings
compute.networkEndpointGroups.*
compute.networkProfiles.*
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listPeeringRoutes
compute.networks.listTagBindings
compute.networks.use
compute.networks.useExternalIp
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.listEffectiveTags
compute.packetMirrorings.listTagBindings
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.listEffectiveTags
compute.publicDelegatedPrefixes.listTagBindings
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.listEffectiveTags
compute.regionSslPolicies.listTagBindings
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.listEffectiveTags
compute.regionTargetTcpProxies.listTagBindings
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.routers.listEffectiveTags
compute.routers.listRoutePolicies
compute.routers.listTagBindings
compute.routes.get
compute.routes.list
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.serviceAttachments.listEffectiveTags
compute.serviceAttachments.listTagBindings
compute.snapshotSettings.get
compute.snapshots.*
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.storagePools.get
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.listEffectiveTags
compute.targetGrpcProxies.listTagBindings
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.listEffectiveTags
compute.targetVpnGateways.listTagBindings
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.listEffectiveTags
compute.vpnGateways.listTagBindings
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.listEffectiveTags
compute.vpnTunnels.listTagBindings
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
dataproc.clusters.get
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.list
ml.jobs.create
ml.jobs.get
ml.jobs.list
notebooks.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Oracle Database@Google Cloud Service Agent
(roles/oci.serviceAgent)
Grants Oracle Database@Google Cloud access to services and APIs in the user project
Warning: Do not grant service agent roles to any principals except service agents.
compute.addresses.get
compute.addresses.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalOperations.get
compute.globalOperations.list
compute.interconnectAttachments.create
compute.interconnectAttachments.delete
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.setLabels
compute.interconnectAttachments.update
compute.interconnectAttachments.use
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.create
compute.interconnects.delete
compute.interconnects.get
compute.interconnects.getMacsecConfig
compute.interconnects.list
compute.interconnects.setLabels
compute.interconnects.update
compute.interconnects.use
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.routers.create
compute.routers.delete
compute.routers.get
compute.routers.list
compute.routers.update
compute.routers.use
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.zones.*
dns.changes.*
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.update
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.getIamPolicy
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
networkconnectivity.internalRanges.create
networkconnectivity.internalRanges.delete
networkconnectivity.internalRanges.get
networkconnectivity.internalRanges.list
networkconnectivity.operations.get
networkconnectivity.operations.list
resourcemanager.projects.get
resourcemanager.projects.updateLiens
On-Demand Scanning Service Agent
(roles/ondemandscanning.serviceAgent)
Gives the On-Demand Scanning API the access it needs to function.
Warning: Do not grant service agent roles to any principals except service agents.
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry. mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry. projectsettings. get
artifactregistry. pythonpackages.*
artifactregistry. repositories. downloadArtifacts
artifactregistry. repositories. get
artifactregistry. repositories. list
artifactregistry. repositories. listEffectiveTags
artifactregistry. repositories. listTagBindings
artifactregistry. repositories. readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
Cloud OS Config Service Agent
(roles/osconfig.serviceAgent)
Grants OS Config Service Account access to Google Compute Engine instances.
Warning: Do not grant service agent roles to any principals except service agents.
cloudasset.assets.listOSConfigOSPolicyAssignments
cloudasset.assets.listPatchDeployments
compute.globalOperations.get
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.list
compute.instances.setMetadata
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.zones.*
containeranalysis.notes.attachOccurrence
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.notes.update
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
iam.serviceAccounts.actAs
osconfig.projectFeatureSettings.*
resourcemanager.projects.get
resourcemanager.projects.list
Parallelstore Service Agent
(roles/parallelstore.serviceAgent)
Gives the Parallelstore service agent ability to access customer resources.
Warning: Do not grant service agent roles to any principals except service agents.
resourcemanager.projects.get
resourcemanager.projects.list
Privileged Access Manager Folder Service Agent
(roles/privilegedaccessmanager.folderServiceAgent)
Gives the Privileged Access Manager service account access to modify IAM policies on GCP folders.
Warning: Do not grant service agent roles to any principals except service agents.
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.setIamPolicy
Privileged Access Manager Organization Service Agent
(roles/privilegedaccessmanager.organizationServiceAgent)
Gives the Privileged Access Manager service account access to modify IAM policies on GCP organizations.
Warning: Do not grant service agent roles to any principals except service agents.
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
Privileged Access Manager Project Service Agent
(roles/privilegedaccessmanager.projectServiceAgent)
Gives the Privileged Access Manager service account access to modify IAM policies on GCP projects.
Warning: Do not grant service agent roles to any principals except service agents.
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
Privileged Access Manager Service Agent
(roles/privilegedaccessmanager.serviceAgent)
Gives the Privileged Access Manager service account access to modify IAM policies on GCP resources.
Warning: Do not grant service agent roles to any principals except service agents.
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
Progressive Rollout Service Agent
(roles/progressiverollout.serviceAgent)
Gives Progressive Rollout the ability to roll out a customer change.
Warning: Do not grant service agent roles to any principals except service agents.
cloudasset.assets.searchAllResources
Cloud Pub/Sub Service Agent
(roles/pubsub.serviceAgent)
Grants Cloud Pub/Sub Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except service agents.
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
resourcemanager.projects.get
resourcemanager.projects.list
Pub/Sub Lite Service Agent
(roles/pubsublite.serviceAgent)
Grants Pub/Sub Lite Service Agent access to project resources.
Warning: Do not grant service agent roles to any principals except service agents.
pubsub.topics.publish
pubsublite.subscriptions.get
pubsublite.subscriptions.getCursor
pubsublite.subscriptions.setCursor
pubsublite.subscriptions.subscribe
pubsublite.topics.computeHeadCursor
pubsublite.topics.getPartitions
pubsublite.topics.publish
pubsublite.topics.subscribe
RMA Service Agent
(roles/rapidmigrationassessment.serviceAgent)
Gives RMA service account access to MC resources.
Warning: Do not grant service agent roles to any principals except service agents.
autoscaling.sites.writeMetrics
cloudasset.assets.exportResource
cloudasset.feeds.create
logging.logEntries.create
migrationcenter.assets.list
migrationcenter.assets.reportFrames
migrationcenter.importJobs.get
migrationcenter.importJobs.list
migrationcenter.sources.*
monitoring.metricDescriptors.create
monitoring.metricDescriptors.list
monitoring.timeSeries.create
resourcemanager.projects.get
Cloud Memorystore Redis Service Agent
(roles/redis.serviceAgent)
Gives Cloud Memorystore Redis service account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.projects.get
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
Remote Build Execution Service Agent
(roles/remotebuildexecution.serviceAgent)
Gives Remote Build Execution service account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
remotebuildexecution.actions.update
remotebuildexecution.blobs.*
remotebuildexecution.botsessions.*
remotebuildexecution.logstreams.create
remotebuildexecution.logstreams.update
Remoting Cloud Service Agent
(roles/remotingcloud.serviceAgent)
Grants Chrome Remote Desktop Service Agent access to Google Compute Engine metadata.
Warning: Do not grant service agent roles to any principals except service agents.
compute.projects.get
Retail Service Agent
(roles/retail.serviceAgent)
Retail service uploads product feeds and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Google Cloud Observability metrics for customer projects.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
cloudnotifications.activities.list
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
logging.logEntries.create
logging.logEntries.route
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
opsconfigmonitoring.resourceMetadata.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
stackdriver.resourceMetadata.list
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Risk Manager Service Agent
(roles/riskmanager.serviceAgent)
Service agent that grants the Risk Manager service access to fetch findings for generating reports.
Warning: Do not grant service agent roles to any principals except service agents.
cloudasset.assets.*
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.complianceReports.aggregate
securitycenter.compliancesnapshots.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.findingexplanations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.organizationsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.vulnerabilitysnapshots.list
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
Route Optimization Service Agent
(roles/routeoptimization.serviceAgent)
Grants Route Optimization Service Account access to read and write GCS objects in the host project.
Warning: Do not grant service agent roles to any principals except service agents.
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Run Service Agent
(roles/run.serviceAgent)
Gives Cloud Run service account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.repositories.uploadArtifacts
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.policy.evaluatePolicy
clientauthconfig.clients.list
cloudbuild.builds.create
cloudbuild.builds.get
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.globalOperations.get
compute.networks.access
compute.networks.get
compute.subnetworks.get
compute.subnetworks.use
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.signBlob
networkservices.meshes.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.routes.invoke
serviceusage.services.use
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
vpcaccess.connectors.get
vpcaccess.connectors.use
Serverless Integrations Service Agent
(roles/runapps.serviceAgent)
Gives Serverless Integrations Service Account access to customer project resources.
Warning: Do not grant service agent roles to any principals except service agents.
cloudbuild.builds.create
cloudbuild.builds.get
cloudsql.databases.get
cloudsql.instances.get
cloudsql.users.get
compute.backendServices.get
compute.backendServices.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.networks.get
compute.networks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.urlMaps.get
compute.urlMaps.list
firebasehosting.sites.get
iam.serviceAccounts.actAs
redis.instances.get
redis.instances.list
run.jobs.get
run.jobs.list
run.services.get
run.services.list
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
vpcaccess.connectors.get
vpcaccess.connectors.list
SecLM Service Agent
(roles/seclm.serviceAgent)
Service agent used by SecLM to access resources used by SecLM Workbenches.
Warning: Do not grant service agent roles to any principals except service agents.
aiplatform.endpoints.predict
aiplatform.locations.get
discoveryengine.dataStores.completeQuery
discoveryengine.dataStores.get
discoveryengine.dataStores.list
discoveryengine.servingConfigs.search
Secured Landing Zone Service Agent
(roles/securedlandingzone.serviceAgent)
Grants Secured Landing Zone service account permissions to manage resources in the customer project.
Warning: Do not grant service agent roles to any principals except service agents.
cloudasset.assets.exportOrgPolicy
cloudasset.assets.exportResource
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.update
logging.logEntries.list
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.getIamPolicy
pubsub.topics.setIamPolicy
resourcemanager.projects.get
securitycenter.assetsecuritymarks.update
securitycenter.findings.list
securitycenter.findings.update
securitycenter.sources.list
securitycenter.sources.update
serviceusage.services.use
Secure Source Manager Service Agent
(roles/securesourcemanager.serviceAgent)
Gives Secure Source Manager service account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
iam.serviceAccounts.signJwt
securesourcemanager.instances.access
serviceusage.services.use
Attack Surface Management Scanner Service Agent
(roles/securitycenter.attackSurfaceManagementScannerServiceAgent)
Gives Mandiant Attack Surface Management the ability to scan Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except service agents.
apigateway.apiconfigs.get
cloudasset.assets.listResource
dns.managedZones.list
dns.resourceRecordSets.list
resourcemanager.projects.get
Security Center Automation Service Agent
(roles/securitycenter.automationServiceAgent)
Security Center automation service agent can configure GCP resources to enable security scanning.
Warning: Do not grant service agent roles to any principals except service agents.
cloudasset.feeds.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.services.enable
serviceusage.services.get
Security Center Control Service Agent
(roles/securitycenter.controlServiceAgent)
Security Center Control service agent can monitor and configure GCP resources and import security findings.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.datasets.get
binaryauthorization.policy.get
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.analyzeMove
cloudasset.assets.analyzeOrgPolicy
cloudasset.assets.exportAccessLevel
cloudasset.assets.exportAccessPolicy
cloudasset.assets.exportAiplatformBatchPredictionJobs
cloudasset.assets.exportAiplatformCustomJobs
cloudasset.assets.exportAiplatformDataLabelingJobs
cloudasset.assets.exportAiplatformDatasets
cloudasset.assets.exportAiplatformEndpoints
cloudasset.assets.exportAiplatformHyperparameterTuningJobs
cloudasset.assets.exportAiplatformMetadataStores
cloudasset.assets.exportAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.exportAiplatformModels
cloudasset.assets.exportAiplatformPipelineJobs
cloudasset.assets.exportAiplatformSpecialistPools
cloudasset.assets.exportAiplatformTrainingPipelines
cloudasset.assets.exportAllAccessPolicy
cloudasset.assets.exportAnthosConnectedCluster
cloudasset.assets.exportAnthosedgeCluster
cloudasset.assets.exportApigatewayApi
cloudasset.assets.exportApigatewayApiConfig
cloudasset.assets.exportApigatewayGateway
cloudasset.assets.exportApikeysKeys
cloudasset.assets.exportAppengineApplications
cloudasset.assets.exportAppengineServices
cloudasset.assets.exportAppengineVersions
cloudasset.assets.exportArtifactregistryDockerImages
cloudasset.assets.exportArtifactregistryRepositories
cloudasset.assets.exportAssuredWorkloadsWorkloads
cloudasset.assets.exportBeyondCorpApiGateways
cloudasset.assets.exportBeyondCorpAppConnections
cloudasset.assets.exportBeyondCorpAppConnectors
cloudasset.assets.exportBeyondCorpAppGateways
cloudasset.assets.exportBeyondCorpClientConnectorServices
cloudasset.assets.exportBeyondCorpClientGateways
cloudasset.assets.exportBigqueryDatasets
cloudasset.assets.exportBigqueryModels
cloudasset.assets.exportBigqueryTables
cloudasset.assets.exportBigtableAppProfile
cloudasset.assets.exportBigtableBackup
cloudasset.assets.exportBigtableCluster
cloudasset.assets.exportBigtableInstance
cloudasset.assets.exportBigtableTable
cloudasset.assets.exportCloudAssetFeeds
cloudasset.assets.exportCloudDeployDeliveryPipelines
cloudasset.assets.exportCloudDeployReleases
cloudasset.assets.exportCloudDeployRollouts
cloudasset.assets.exportCloudDeployTargets
cloudasset.assets.exportCloudDocumentAIEvaluation
cloudasset.assets.exportCloudDocumentAIHumanReviewConfig
cloudasset.assets.exportCloudDocumentAILabelerPool
cloudasset.assets.exportCloudDocumentAIProcessor
cloudasset.assets.exportCloudDocumentAIProcessorVersion
cloudasset.assets.exportCloudbillingBillingAccounts
cloudasset.assets.exportCloudbillingProjectBillingInfos
cloudasset.assets.exportCloudfunctionsFunctions
cloudasset.assets.exportCloudfunctionsGen2Functions
cloudasset.assets.exportCloudkmsCryptoKeyVersions
cloudasset.assets.exportCloudkmsCryptoKeys
cloudasset.assets.exportCloudkmsEkmConnections
cloudasset.assets.exportCloudkmsImportJobs
cloudasset.assets.exportCloudkmsKeyRings
cloudasset.assets.exportCloudmemcacheInstances
cloudasset.assets.exportCloudresourcemanagerFolders
cloudasset.assets.exportCloudresourcemanagerOrganizations
cloudasset.assets.exportCloudresourcemanagerProjects
cloudasset.assets.exportCloudresourcemanagerTagBindings
cloudasset.assets.exportCloudresourcemanagerTagKeys
cloudasset.assets.exportCloudresourcemanagerTagValues
cloudasset.assets.exportComposerEnvironments
cloudasset.assets.exportComputeAddress
cloudasset.assets.exportComputeAutoscalers
cloudasset.assets.exportComputeBackendBuckets
cloudasset.assets.exportComputeBackendServices
cloudasset.assets.exportComputeCommitments
cloudasset.assets.exportComputeDisks
cloudasset.assets.exportComputeExternalVpnGateways
cloudasset.assets.exportComputeFirewallPolicies
cloudasset.assets.exportComputeFirewalls
cloudasset.assets.exportComputeForwardingRules
cloudasset.assets.exportComputeGlobalAddress
cloudasset.assets.exportComputeGlobalForwardingRules
cloudasset.assets.exportComputeHealthChecks
cloudasset.assets.exportComputeHttpHealthChecks
cloudasset.assets.exportComputeHttpsHealthChecks
cloudasset.assets.exportComputeImages
cloudasset.assets.exportComputeInstanceGroupManagers
cloudasset.assets.exportComputeInstanceGroups
cloudasset.assets.exportComputeInstanceTemplates
cloudasset.assets.exportComputeInstances
cloudasset.assets.exportComputeInterconnect
cloudasset.assets.exportComputeInterconnectAttachment
cloudasset.assets.exportComputeLicenses
cloudasset.assets.exportComputeNetworkEndpointGroups
cloudasset.assets.exportComputeNetworks
cloudasset.assets.exportComputeNodeGroups
cloudasset.assets.exportComputeNodeTemplates
cloudasset.assets.exportComputePacketMirrorings
cloudasset.assets.exportComputeProjects
cloudasset.assets.exportComputeRegionAutoscaler
cloudasset.assets.exportComputeRegionBackendServices
cloudasset.assets.exportComputeRegionDisk
cloudasset.assets.exportComputeRegionInstanceGroup
cloudasset.assets.exportComputeRegionInstanceGroupManager
cloudasset.assets.exportComputeReservations
cloudasset.assets.exportComputeResourcePolicies
cloudasset.assets.exportComputeRouters
cloudasset.assets.exportComputeRoutes
cloudasset.assets.exportComputeSecurityPolicy
cloudasset.assets.exportComputeServiceAttachments
cloudasset.assets.exportComputeSnapshots
cloudasset.assets.exportComputeSslCertificates
cloudasset.assets.exportComputeSslPolicies
cloudasset.assets.exportComputeSubnetworks
cloudasset.assets.exportComputeTargetHttpProxies
cloudasset.assets.exportComputeTargetHttpsProxies
cloudasset.assets.exportComputeTargetInstances
cloudasset.assets.exportComputeTargetPools
cloudasset.assets.exportComputeTargetSslProxies
cloudasset.assets.exportComputeTargetTcpProxies
cloudasset.assets.exportComputeTargetVpnGateways
cloudasset.assets.exportComputeUrlMaps
cloudasset.assets.exportComputeVpnGateways
cloudasset.assets.exportComputeVpnTunnels
cloudasset.assets.exportConnectorsConnections
cloudasset.assets.exportConnectorsConnectorVersions
cloudasset.assets.exportConnectorsConnectors
cloudasset.assets.exportConnectorsProviders
cloudasset.assets.exportConnectorsRuntimeConfigs
cloudasset.assets.exportContainerAppsDeployment
cloudasset.assets.exportContainerAppsReplicaSets
cloudasset.assets.exportContainerBatchJobs
cloudasset.assets.exportContainerClusterrole
cloudasset.assets.exportContainerClusterrolebinding
cloudasset.assets.exportContainerClusters
cloudasset.assets.exportContainerExtensionsIngresses
cloudasset.assets.exportContainerJobs
cloudasset.assets.exportContainerNamespace
cloudasset.assets.exportContainerNetworkingIngresses
cloudasset.assets.exportContainerNetworkingNetworkPolicies
cloudasset.assets.exportContainerNode
cloudasset.assets.exportContainerNodepool
cloudasset.assets.exportContainerPod
cloudasset.assets.exportContainerReplicaSets
cloudasset.assets.exportContainerRole
cloudasset.assets.exportContainerRolebinding
cloudasset.assets.exportContainerServices
cloudasset.assets.exportContainerregistryImage
cloudasset.assets.exportDataMigrationConnectionProfiles
cloudasset.assets.exportDataMigrationMigrationJobs
cloudasset.assets.exportDataflowJobs
cloudasset.assets.exportDatafusionInstance
cloudasset.assets.exportDataplexAssets
cloudasset.assets.exportDataplexLakes
cloudasset.assets.exportDataplexTasks
cloudasset.assets.exportDataplexZones
cloudasset.assets.exportDataprocAutoscalingPolicies
cloudasset.assets.exportDataprocBatches
cloudasset.assets.exportDataprocClusters
cloudasset.assets.exportDataprocJobs
cloudasset.assets.exportDataprocSessions
cloudasset.assets.exportDataprocWorkflowTemplates
cloudasset.assets.exportDatastreamConnectionProfile
cloudasset.assets.exportDatastreamPrivateConnection
cloudasset.assets.exportDatastreamStream
cloudasset.assets.exportDialogflowAgents
cloudasset.assets.exportDialogflowConversationProfiles
cloudasset.assets.exportDialogflowKnowledgeBases
cloudasset.assets.exportDialogflowLocationSettings
cloudasset.assets.exportDlpDeidentifyTemplates
cloudasset.assets.exportDlpDlpJobs
cloudasset.assets.exportDlpInspectTemplates
cloudasset.assets.exportDlpJobTriggers
cloudasset.assets.exportDlpStoredInfoTypes
cloudasset.assets.exportDnsManagedZones
cloudasset.assets.exportDnsPolicies
cloudasset.assets.exportDomainsRegistrations
cloudasset.assets.exportEventarcTriggers
cloudasset.assets.exportFileBackups
cloudasset.assets.exportFileInstances
cloudasset.assets.exportFirebaseAppInfos
cloudasset.assets.exportFirebaseProjects
cloudasset.assets.exportFirestoreDatabases
cloudasset.assets.exportGKEHubFeatures
cloudasset.assets.exportGKEHubMemberships
cloudasset.assets.exportGameservicesGameServerClusters
cloudasset.assets.exportGameservicesGameServerConfigs
cloudasset.assets.exportGameservicesGameServerDeployments
cloudasset.assets.exportGameservicesRealms
cloudasset.assets.exportGkeBackupBackupPlans
cloudasset.assets.exportGkeBackupBackups
cloudasset.assets.exportGkeBackupRestorePlans
cloudasset.assets.exportGkeBackupRestores
cloudasset.assets.exportGkeBackupVolumeBackups
cloudasset.assets.exportGkeBackupVolumeRestores
cloudasset.assets.exportHealthcareConsentStores
cloudasset.assets.exportHealthcareDatasets
cloudasset.assets.exportHealthcareDicomStores
cloudasset.assets.exportHealthcareFhirStores
cloudasset.assets.exportHealthcareHl7V2Stores
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportIamRoles
cloudasset.assets.exportIamServiceAccountKeys
cloudasset.assets.exportIamServiceAccounts
cloudasset.assets.exportIapTunnel
cloudasset.assets.exportIapTunnelInstances
cloudasset.assets.exportIapTunnelZones
cloudasset.assets.exportIapWeb
cloudasset.assets.exportIapWebServiceVersion
cloudasset.assets.exportIapWebServices
cloudasset.assets.exportIapWebType
cloudasset.assets.exportIdsEndpoints
cloudasset.assets.exportIntegrationsAuthConfigs
cloudasset.assets.exportIntegrationsCertificates
cloudasset.assets.exportIntegrationsExecutions
cloudasset.assets.exportIntegrationsIntegrationVersions
cloudasset.assets.exportIntegrationsIntegrations
cloudasset.assets.exportIntegrationsSfdcChannels
cloudasset.assets.exportIntegrationsSfdcInstances
cloudasset.assets.exportIntegrationsSuspensions
cloudasset.assets.exportLoggingLogMetrics
cloudasset.assets.exportLoggingLogSinks
cloudasset.assets.exportManagedidentitiesDomain
cloudasset.assets.exportMetastoreBackups
cloudasset.assets.exportMetastoreMetadataImports
cloudasset.assets.exportMetastoreServices
cloudasset.assets.exportMonitoringAlertPolicies
cloudasset.assets.exportNetworkConnectivityHubs
cloudasset.assets.exportNetworkConnectivitySpokes
cloudasset.assets.exportNetworkManagementConnectivityTests
cloudasset.assets.exportNetworkServicesEndpointPolicies
cloudasset.assets.exportNetworkServicesGateways
cloudasset.assets.exportNetworkServicesGrpcRoutes
cloudasset.assets.exportNetworkServicesHttpRoutes
cloudasset.assets.exportNetworkServicesMeshes
cloudasset.assets.exportNetworkServicesServiceBindings
cloudasset.assets.exportNetworkServicesTcpRoutes
cloudasset.assets.exportNetworkServicesTlsRoutes
cloudasset.assets.exportOSConfigOSPolicyAssignmentReports
cloudasset.assets.exportOSConfigOSPolicyAssignments
cloudasset.assets.exportOSConfigVulnerabilityReports
cloudasset.assets.exportOSInventories
cloudasset.assets.exportOrgPolicy
cloudasset.assets.exportPatchDeployments
cloudasset.assets.exportPubsubSnapshots
cloudasset.assets.exportPubsubSubscriptions
cloudasset.assets.exportPubsubTopics
cloudasset.assets.exportRedisInstances
cloudasset.assets.exportResource
cloudasset.assets.exportSecretManagerSecretVersions
cloudasset.assets.exportSecretManagerSecrets
cloudasset.assets.exportServiceDirectoryNamespaces
cloudasset.assets.exportServicePerimeter
cloudasset.assets.exportServiceconsumermanagementConsumerProperty
cloudasset.assets.exportServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.exportServiceconsumermanagementConsumers
cloudasset.assets.exportServiceconsumermanagementProducerOverrides
cloudasset.assets.exportServiceconsumermanagementTenancyUnits
cloudasset.assets.exportServiceconsumermanagementVisibility
cloudasset.assets.exportServicemanagementServices
cloudasset.assets.exportServiceusageAdminOverrides
cloudasset.assets.exportServiceusageConsumerOverrides
cloudasset.assets.exportServiceusageServices
cloudasset.assets.exportSpannerBackups
cloudasset.assets.exportSpannerDatabases
cloudasset.assets.exportSpannerInstances
cloudasset.assets.exportSpeakerIdPhrases
cloudasset.assets.exportSpeakerIdSettings
cloudasset.assets.exportSpeakerIdSpeakers
cloudasset.assets.exportSpeechCustomClasses
cloudasset.assets.exportSpeechPhraseSets
cloudasset.assets.exportSqladminBackupRuns
cloudasset.assets.exportSqladminInstances
cloudasset.assets.exportStorageBuckets
cloudasset.assets.exportTpuNodes
cloudasset.assets.exportVpcaccessConnector
cloudasset.assets.listAccessLevel
cloudasset.assets.listAccessPolicy
cloudasset.assets.listAiplatformBatchPredictionJobs
cloudasset.assets.listAiplatformCustomJobs
cloudasset.assets.listAiplatformDataLabelingJobs
cloudasset.assets.listAiplatformDatasets
cloudasset.assets.listAiplatformEndpoints
cloudasset.assets.listAiplatformHyperparameterTuningJobs
cloudasset.assets.listAiplatformMetadataStores
cloudasset.assets.listAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.listAiplatformModels
cloudasset.assets.listAiplatformPipelineJobs
cloudasset.assets.listAiplatformSpecialistPools
cloudasset.assets.listAiplatformTrainingPipelines
cloudasset.assets.listAllAccessPolicy
cloudasset.assets.listAnthosConnectedCluster
cloudasset.assets.listAnthosedgeCluster
cloudasset.assets.listApigatewayApi
cloudasset.assets.listApigatewayApiConfig
cloudasset.assets.listApigatewayGateway
cloudasset.assets.listApikeysKeys
cloudasset.assets.listAppengineApplications
cloudasset.assets.listAppengineServices
cloudasset.assets.listAppengineVersions
cloudasset.assets.listArtifactregistryDockerImages
cloudasset.assets.listArtifactregistryRepositories
cloudasset.assets.listAssuredWorkloadsWorkloads
cloudasset.assets.listBeyondCorpApiGateways
cloudasset.assets.listBeyondCorpAppConnections
cloudasset.assets.listBeyondCorpAppConnectors
cloudasset.assets.listBeyondCorpAppGateways
cloudasset.assets.listBeyondCorpClientConnectorServices
cloudasset.assets.listBeyondCorpClientGateways
cloudasset.assets.listBigqueryDatasets
cloudasset.assets.listBigqueryModels
cloudasset.assets.listBigqueryTables
cloudasset.assets.listBigtableAppProfile
cloudasset.assets.listBigtableBackup
cloudasset.assets.listBigtableCluster
cloudasset.assets.listBigtableInstance
cloudasset.assets.listBigtableTable
cloudasset.assets.listCloudAssetFeeds
cloudasset.assets.listCloudDeployDeliveryPipelines
cloudasset.assets.listCloudDeployReleases
cloudasset.assets.listCloudDeployRollouts
cloudasset.assets.listCloudDeployTargets
cloudasset.assets.listCloudDocumentAIEvaluation
cloudasset.assets.listCloudDocumentAIHumanReviewConfig
cloudasset.assets.listCloudDocumentAILabelerPool
cloudasset.assets.listCloudDocumentAIProcessor
cloudasset.assets.listCloudDocumentAIProcessorVersion
cloudasset.assets.listCloudbillingBillingAccounts
cloudasset.assets.listCloudbillingProjectBillingInfos
cloudasset.assets.listCloudfunctionsFunctions
cloudasset.assets.listCloudfunctionsGen2Functions
cloudasset.assets.listCloudkmsCryptoKeyVersions
cloudasset.assets.listCloudkmsCryptoKeys
cloudasset.assets.listCloudkmsEkmConnections
cloudasset.assets.listCloudkmsImportJobs
cloudasset.assets.listCloudkmsKeyRings
cloudasset.assets.listCloudmemcacheInstances
cloudasset.assets.listCloudresourcemanagerFolders
cloudasset.assets.listCloudresourcemanagerOrganizations
cloudasset.assets.listCloudresourcemanagerProjects
cloudasset.assets.listCloudresourcemanagerTagBindings
cloudasset.assets.listCloudresourcemanagerTagKeys
cloudasset.assets.listCloudresourcemanagerTagValues
cloudasset.assets.listComposerEnvironments
cloudasset.assets.listComputeAddress
cloudasset.assets.listComputeAutoscalers
cloudasset.assets.listComputeBackendBuckets
cloudasset.assets.listComputeBackendServices
cloudasset.assets.listComputeCommitments
cloudasset.assets.listComputeDisks
cloudasset.assets.listComputeExternalVpnGateways
cloudasset.assets.listComputeFirewallPolicies
cloudasset.assets.listComputeFirewalls
cloudasset.assets.listComputeForwardingRules
cloudasset.assets.listComputeGlobalAddress
cloudasset.assets.listComputeGlobalForwardingRules
cloudasset.assets.listComputeHealthChecks
cloudasset.assets.listComputeHttpHealthChecks
cloudasset.assets.listComputeHttpsHealthChecks
cloudasset.assets.listComputeImages
cloudasset.assets.listComputeInstanceGroupManagers
cloudasset.assets.listComputeInstanceGroups
cloudasset.assets.listComputeInstanceTemplates
cloudasset.assets.listComputeInstances
cloudasset.assets.listComputeInterconnect
cloudasset.assets.listComputeInterconnectAttachment
cloudasset.assets.listComputeLicenses
cloudasset.assets.listComputeNetworkEndpointGroups
cloudasset.assets.listComputeNetworks
cloudasset.assets.listComputeNodeGroups
cloudasset.assets.listComputeNodeTemplates
cloudasset.assets.listComputePacketMirrorings
cloudasset.assets.listComputeProjects
cloudasset.assets.listComputeRegionAutoscaler
cloudasset.assets.listComputeRegionBackendServices
cloudasset.assets.listComputeRegionDisk
cloudasset.assets.listComputeRegionInstanceGroup
cloudasset.assets.listComputeRegionInstanceGroupManager
cloudasset.assets.listComputeReservations
cloudasset.assets.listComputeResourcePolicies
cloudasset.assets.listComputeRouters
cloudasset.assets.listComputeRoutes
cloudasset.assets.listComputeSecurityPolicy
cloudasset.assets.listComputeServiceAttachments
cloudasset.assets.listComputeSnapshots
cloudasset.assets.listComputeSslCertificates
cloudasset.assets.listComputeSslPolicies
cloudasset.assets.listComputeSubnetworks
cloudasset.assets.listComputeTargetHttpProxies
cloudasset.assets.listComputeTargetHttpsProxies
cloudasset.assets.listComputeTargetInstances
cloudasset.assets.listComputeTargetPools
cloudasset.assets.listComputeTargetSslProxies
cloudasset.assets.listComputeTargetTcpProxies
cloudasset.assets.listComputeTargetVpnGateways
cloudasset.assets.listComputeUrlMaps
cloudasset.assets.listComputeVpnGateways
cloudasset.assets.listComputeVpnTunnels
cloudasset.assets.listConnectorsConnections
cloudasset.assets.listConnectorsConnectorVersions
cloudasset.assets.listConnectorsConnectors
cloudasset.assets.listConnectorsProviders
cloudasset.assets.listConnectorsRuntimeConfigs
cloudasset.assets.listContainerAppsDeployment
cloudasset.assets.listContainerAppsReplicaSets
cloudasset.assets.listContainerBatchJobs
cloudasset.assets.listContainerClusterrole
cloudasset.assets.listContainerClusterrolebinding
cloudasset.assets.listContainerClusters
cloudasset.assets.listContainerExtensionsIngresses
cloudasset.assets.listContainerJobs
cloudasset.assets.listContainerNamespace
cloudasset.assets.listContainerNetworkingIngresses
cloudasset.assets.listContainerNetworkingNetworkPolicies
cloudasset.assets.listContainerNode
cloudasset.assets.listContainerNodepool
cloudasset.assets.listContainerPod
cloudasset.assets.listContainerReplicaSets
cloudasset.assets.listContainerRole
cloudasset.assets.listContainerRolebinding
cloudasset.assets.listContainerServices
cloudasset.assets.listContainerregistryImage
cloudasset.assets.listDataMigrationConnectionProfiles
cloudasset.assets.listDataMigrationMigrationJobs
cloudasset.assets.listDataflowJobs
cloudasset.assets.listDatafusionInstance
cloudasset.assets.listDataplexAssets
cloudasset.assets.listDataplexLakes
cloudasset.assets.listDataplexTasks
cloudasset.assets.listDataplexZones
cloudasset.assets.listDataprocAutoscalingPolicies
cloudasset.assets.listDataprocBatches
cloudasset.assets.listDataprocClusters
cloudasset.assets.listDataprocJobs
cloudasset.assets.listDataprocSessions
cloudasset.assets.listDataprocWorkflowTemplates
cloudasset.assets.listDatastreamConnectionProfile
cloudasset.assets.listDatastreamPrivateConnection
cloudasset.assets.listDatastreamStream
cloudasset.assets.listDialogflowAgents
cloudasset.assets.listDialogflowConversationProfiles
cloudasset.assets.listDialogflowKnowledgeBases
cloudasset.assets.listDialogflowLocationSettings
cloudasset.assets.listDlpDeidentifyTemplates
cloudasset.assets.listDlpDlpJobs
cloudasset.assets.listDlpInspectTemplates
cloudasset.assets.listDlpJobTriggers
cloudasset.assets.listDlpStoredInfoTypes
cloudasset.assets.listDnsManagedZones
cloudasset.assets.listDnsPolicies
cloudasset.assets.listDomainsRegistrations
cloudasset.assets.listEventarcTriggers
cloudasset.assets.listFileBackups
cloudasset.assets.listFileInstances
cloudasset.assets.listFirebaseAppInfos
cloudasset.assets.listFirebaseProjects
cloudasset.assets.listFirestoreDatabases
cloudasset.assets.listGKEHubFeatures
cloudasset.assets.listGKEHubMemberships
cloudasset.assets.listGameservicesGameServerClusters
cloudasset.assets.listGameservicesGameServerConfigs
cloudasset.assets.listGameservicesGameServerDeployments
cloudasset.assets.listGameservicesRealms
cloudasset.assets.listGkeBackupBackupPlans
cloudasset.assets.listGkeBackupBackups
cloudasset.assets.listGkeBackupRestorePlans
cloudasset.assets.listGkeBackupRestores
cloudasset.assets.listGkeBackupVolumeBackups
cloudasset.assets.listGkeBackupVolumeRestores
cloudasset.assets.listHealthcareConsentStores
cloudasset.assets.listHealthcareDatasets
cloudasset.assets.listHealthcareDicomStores
cloudasset.assets.listHealthcareFhirStores
cloudasset.assets.listHealthcareHl7V2Stores
cloudasset.assets.listIamPolicy
cloudasset.assets.listIamRoles
cloudasset.assets.listIamServiceAccountKeys
cloudasset.assets.listIamServiceAccounts
cloudasset.assets.listIapTunnel
cloudasset.assets.listIapTunnelInstances
cloudasset.assets.listIapTunnelZones
cloudasset.assets.listIapWeb
cloudasset.assets.listIapWebServiceVersion
cloudasset.assets.listIapWebServices
cloudasset.assets.listIapWebType
cloudasset.assets.listIdsEndpoints
cloudasset.assets.listIntegrationsAuthConfigs
cloudasset.assets.listIntegrationsCertificates
cloudasset.assets.listIntegrationsExecutions
cloudasset.assets.listIntegrationsIntegrationVersions
cloudasset.assets.listIntegrationsIntegrations
cloudasset.assets.listIntegrationsSfdcChannels
cloudasset.assets.listIntegrationsSfdcInstances
cloudasset.assets.listIntegrationsSuspensions
cloudasset.assets.listLoggingLogMetrics
cloudasset.assets.listLoggingLogSinks
cloudasset.assets.listManagedidentitiesDomain
cloudasset.assets.listMetastoreBackups
cloudasset.assets.listMetastoreMetadataImports
cloudasset.assets.listMetastoreServices
cloudasset.assets.listMonitoringAlertPolicies
cloudasset.assets.listNetworkConnectivityHubs
cloudasset.assets.listNetworkConnectivitySpokes
cloudasset.assets.listNetworkManagementConnectivityTests
cloudasset.assets.listNetworkServicesEndpointPolicies
cloudasset.assets.listNetworkServicesGateways
cloudasset.assets.listNetworkServicesGrpcRoutes
cloudasset.assets.listNetworkServicesHttpRoutes
cloudasset.assets.listNetworkServicesMeshes
cloudasset.assets.listNetworkServicesServiceBindings
cloudasset.assets.listNetworkServicesTcpRoutes
cloudasset.assets.listNetworkServicesTlsRoutes
cloudasset.assets.listOSConfigOSPolicyAssignmentReports
cloudasset.assets.listOSConfigOSPolicyAssignments
cloudasset.assets.listOSConfigVulnerabilityReports
cloudasset.assets.listOSInventories
cloudasset.assets.listOrgPolicy
cloudasset.assets.listPatchDeployments
cloudasset.assets.listPubsubSnapshots
cloudasset.assets.listPubsubSubscriptions
cloudasset.assets.listPubsubTopics
cloudasset.assets.listRedisInstances
cloudasset.assets.listResource
cloudasset.assets.listRunDomainMapping
cloudasset.assets.listRunRevision
cloudasset.assets.listRunService
cloudasset.assets.listSecretManagerSecretVersions
cloudasset.assets.listSecretManagerSecrets
cloudasset.assets.listServiceDirectoryNamespaces
cloudasset.assets.listServicePerimeter
cloudasset.assets.listServiceconsumermanagementConsumerProperty
cloudasset.assets.listServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.listServiceconsumermanagementConsumers
cloudasset.assets.listServiceconsumermanagementProducerOverrides
cloudasset.assets.listServiceconsumermanagementTenancyUnits
cloudasset.assets.listServiceconsumermanagementVisibility
cloudasset.assets.listServicemanagementServices
cloudasset.assets.listServiceusageAdminOverrides
cloudasset.assets.listServiceusageConsumerOverrides
cloudasset.assets.listServiceusageServices
cloudasset.assets.listSpannerBackups
cloudasset.assets.listSpannerDatabases
cloudasset.assets.listSpannerInstances
cloudasset.assets.listSpeakerIdPhrases
cloudasset.assets.listSpeakerIdSettings
cloudasset.assets.listSpeakerIdSpeakers
cloudasset.assets.listSpeechCustomClasses
cloudasset.assets.listSpeechPhraseSets
cloudasset.assets.listSqladminBackupRuns
cloudasset.assets.listSqladminInstances
cloudasset.assets.listStorageBuckets
cloudasset.assets.listTpuNodes
cloudasset.assets.listVpcaccessConnector
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudasset.feeds.*
cloudsql.instances.connect
cloudsql.users.list
compute.disks.useReadOnly
compute.globalOperations.get
compute.instances.get
compute.instances.list
compute.networkEndpointGroups.get
compute.projects.get
container.clusters.get
iam.denypolicies.get
iam.denypolicies.list
iam.googleapis.com/workloadIdentityPoolProviders.list
iam.googleapis.com/workloadIdentityPools.list
logging.logEntries.list
monitoring.alertPolicies.list
monitoring.timeSeries.list
orgpolicy.policies.list
orgpolicy.policy.get
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.list
securitycenter.assetsecuritymarks.update
securitycenter.findings.list
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.update
securitycenter.organizationsettings.get
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.sources.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.update
serviceusage.quotas.get
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
stackdriver.projects.get
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
Security Center Integration Executor Service Agent
(roles/securitycenter.integrationExecutorServiceAgent)
Gives Security Center access to execute Integrations.
Warning: Do not grant service agent roles to any principals except service agents.
integrations.securityExecutions.cancel
integrations.securityExecutions.list
integrations.securityIntegrations.invoke
Security Center Notification Service Agent
(roles/securitycenter.notificationServiceAgent)
Security Center service agent can publish notifications to Pub/Sub topics.
Warning: Do not grant service agent roles to any principals except service agents.
pubsub.topics.publish
Security Health Analytics Service Agent
(roles/securitycenter.securityHealthAnalyticsServiceAgent)
Security Health Analytics service agent can scan GCP resource metadata to find security vulnerabilities.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.datasets.get
binaryauthorization.policy.get
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.analyzeMove
cloudasset.assets.analyzeOrgPolicy
cloudasset.assets.exportAccessLevel
cloudasset.assets.exportAccessPolicy
cloudasset.assets.exportAiplatformBatchPredictionJobs
cloudasset.assets.exportAiplatformCustomJobs
cloudasset.assets.exportAiplatformDataLabelingJobs
cloudasset.assets.exportAiplatformDatasets
cloudasset.assets.exportAiplatformEndpoints
cloudasset.assets.exportAiplatformHyperparameterTuningJobs
cloudasset.assets.exportAiplatformMetadataStores
cloudasset.assets.exportAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.exportAiplatformModels
cloudasset.assets.exportAiplatformPipelineJobs
cloudasset.assets.exportAiplatformSpecialistPools
cloudasset.assets.exportAiplatformTrainingPipelines
cloudasset.assets.exportAllAccessPolicy
cloudasset.assets.exportAnthosConnectedCluster
cloudasset.assets.exportAnthosedgeCluster
cloudasset.assets.exportApigatewayApi
cloudasset.assets.exportApigatewayApiConfig
cloudasset.assets.exportApigatewayGateway
cloudasset.assets.exportApikeysKeys
cloudasset.assets.exportAppengineApplications
cloudasset.assets.exportAppengineServices
cloudasset.assets.exportAppengineVersions
cloudasset.assets.exportArtifactregistryDockerImages
cloudasset.assets.exportArtifactregistryRepositories
cloudasset.assets.exportAssuredWorkloadsWorkloads
cloudasset.assets.exportBeyondCorpApiGateways
cloudasset.assets.exportBeyondCorpAppConnections
cloudasset.assets.exportBeyondCorpAppConnectors
cloudasset.assets.exportBeyondCorpAppGateways
cloudasset.assets.exportBeyondCorpClientConnectorServices
cloudasset.assets.exportBeyondCorpClientGateways
cloudasset.assets.exportBigqueryDatasets
cloudasset.assets.exportBigqueryModels
cloudasset.assets.exportBigqueryTables
cloudasset.assets.exportBigtableAppProfile
cloudasset.assets.exportBigtableBackup
cloudasset.assets.exportBigtableCluster
cloudasset.assets.exportBigtableInstance
cloudasset.assets.exportBigtableTable
cloudasset.assets.exportCloudAssetFeeds
cloudasset.assets.exportCloudDeployDeliveryPipelines
cloudasset.assets.exportCloudDeployReleases
cloudasset.assets.exportCloudDeployRollouts
cloudasset.assets.exportCloudDeployTargets
cloudasset.assets.exportCloudDocumentAIEvaluation
cloudasset.assets.exportCloudDocumentAIHumanReviewConfig
cloudasset.assets.exportCloudDocumentAILabelerPool
cloudasset.assets.exportCloudDocumentAIProcessor
cloudasset.assets.exportCloudDocumentAIProcessorVersion
cloudasset.assets.exportCloudbillingBillingAccounts
cloudasset.assets.exportCloudbillingProjectBillingInfos
cloudasset.assets.exportCloudfunctionsFunctions
cloudasset.assets.exportCloudfunctionsGen2Functions
cloudasset.assets.exportCloudkmsCryptoKeyVersions
cloudasset.assets.exportCloudkmsCryptoKeys
cloudasset.assets.exportCloudkmsEkmConnections
cloudasset.assets.exportCloudkmsImportJobs
cloudasset.assets.exportCloudkmsKeyRings
cloudasset.assets.exportCloudmemcacheInstances
cloudasset.assets.exportCloudresourcemanagerFolders
cloudasset.assets.exportCloudresourcemanagerOrganizations
cloudasset.assets.exportCloudresourcemanagerProjects
cloudasset.assets.exportCloudresourcemanagerTagBindings
cloudasset.assets.exportCloudresourcemanagerTagKeys
cloudasset.assets.exportCloudresourcemanagerTagValues
cloudasset.assets.exportComposerEnvironments
cloudasset.assets.exportComputeAddress
cloudasset.assets.exportComputeAutoscalers
cloudasset.assets.exportComputeBackendBuckets
cloudasset.assets.exportComputeBackendServices
cloudasset.assets.exportComputeCommitments
cloudasset.assets.exportComputeDisks
cloudasset.assets.exportComputeExternalVpnGateways
cloudasset.assets.exportComputeFirewallPolicies
cloudasset.assets.exportComputeFirewalls
cloudasset.assets.exportComputeForwardingRules
cloudasset.assets.exportComputeGlobalAddress
cloudasset.assets.exportComputeGlobalForwardingRules
cloudasset.assets.exportComputeHealthChecks
cloudasset.assets.exportComputeHttpHealthChecks
cloudasset.assets.exportComputeHttpsHealthChecks
cloudasset.assets.exportComputeImages
cloudasset.assets.exportComputeInstanceGroupManagers
cloudasset.assets.exportComputeInstanceGroups
cloudasset.assets.exportComputeInstanceTemplates
cloudasset.assets.exportComputeInstances
cloudasset.assets.exportComputeInterconnect
cloudasset.assets.exportComputeInterconnectAttachment
cloudasset.assets.exportComputeLicenses
cloudasset.assets.exportComputeNetworkEndpointGroups
cloudasset.assets.exportComputeNetworks
cloudasset.assets.exportComputeNodeGroups
cloudasset.assets.exportComputeNodeTemplates
cloudasset.assets.exportComputePacketMirrorings
cloudasset.assets.exportComputeProjects
cloudasset.assets.exportComputeRegionAutoscaler
cloudasset.assets.exportComputeRegionBackendServices
cloudasset.assets.exportComputeRegionDisk
cloudasset.assets.exportComputeRegionInstanceGroup
cloudasset.assets.exportComputeRegionInstanceGroupManager
cloudasset.assets.exportComputeReservations
cloudasset.assets.exportComputeResourcePolicies
cloudasset.assets.exportComputeRouters
cloudasset.assets.exportComputeRoutes
cloudasset.assets.exportComputeSecurityPolicy
cloudasset.assets.exportComputeServiceAttachments
cloudasset.assets.exportComputeSnapshots
cloudasset.assets.exportComputeSslCertificates
cloudasset.assets.exportComputeSslPolicies
cloudasset.assets.exportComputeSubnetworks
cloudasset.assets.exportComputeTargetHttpProxies
cloudasset.assets.exportComputeTargetHttpsProxies
cloudasset.assets.exportComputeTargetInstances
cloudasset.assets.exportComputeTargetPools
cloudasset.assets.exportComputeTargetSslProxies
cloudasset.assets.exportComputeTargetTcpProxies
cloudasset.assets.exportComputeTargetVpnGateways
cloudasset.assets.exportComputeUrlMaps
cloudasset.assets.exportComputeVpnGateways
cloudasset.assets.exportComputeVpnTunnels
cloudasset.assets.exportConnectorsConnections
cloudasset.assets.exportConnectorsConnectorVersions
cloudasset.assets.exportConnectorsConnectors
cloudasset.assets.exportConnectorsProviders
cloudasset.assets.exportConnectorsRuntimeConfigs
cloudasset.assets.exportContainerAppsDeployment
cloudasset.assets.exportContainerAppsReplicaSets
cloudasset.assets.exportContainerBatchJobs
cloudasset.assets.exportContainerClusterrole
cloudasset.assets.exportContainerClusterrolebinding
cloudasset.assets.exportContainerClusters
cloudasset.assets.exportContainerExtensionsIngresses
cloudasset.assets.exportContainerJobs
cloudasset.assets.exportContainerNamespace
cloudasset.assets.exportContainerNetworkingIngresses
cloudasset.assets.exportContainerNetworkingNetworkPolicies
cloudasset.assets.exportContainerNode
cloudasset.assets.exportContainerNodepool
cloudasset.assets.exportContainerPod
cloudasset.assets.exportContainerReplicaSets
cloudasset.assets.exportContainerRole
cloudasset.assets.exportContainerRolebinding
cloudasset.assets.exportContainerServices
cloudasset.assets.exportContainerregistryImage
cloudasset.assets.exportDataMigrationConnectionProfiles
cloudasset.assets.exportDataMigrationMigrationJobs
cloudasset.assets.exportDataflowJobs
cloudasset.assets.exportDatafusionInstance
cloudasset.assets.exportDataplexAssets
cloudasset.assets.exportDataplexLakes
cloudasset.assets.exportDataplexTasks
cloudasset.assets.exportDataplexZones
cloudasset.assets.exportDataprocAutoscalingPolicies
cloudasset.assets.exportDataprocBatches
cloudasset.assets.exportDataprocClusters
cloudasset.assets.exportDataprocJobs
cloudasset.assets.exportDataprocSessions
cloudasset.assets.exportDataprocWorkflowTemplates
cloudasset.assets.exportDatastreamConnectionProfile
cloudasset.assets.exportDatastreamPrivateConnection
cloudasset.assets.exportDatastreamStream
cloudasset.assets.exportDialogflowAgents
cloudasset.assets.exportDialogflowConversationProfiles
cloudasset.assets.exportDialogflowKnowledgeBases
cloudasset.assets.exportDialogflowLocationSettings
cloudasset.assets.exportDlpDeidentifyTemplates
cloudasset.assets.exportDlpDlpJobs
cloudasset.assets.exportDlpInspectTemplates
cloudasset.assets.exportDlpJobTriggers
cloudasset.assets.exportDlpStoredInfoTypes
cloudasset.assets.exportDnsManagedZones
cloudasset.assets.exportDnsPolicies
cloudasset.assets.exportDomainsRegistrations
cloudasset.assets.exportEventarcTriggers
cloudasset.assets.exportFileBackups
cloudasset.assets.exportFileInstances
cloudasset.assets.exportFirebaseAppInfos
cloudasset.assets.exportFirebaseProjects
cloudasset.assets.exportFirestoreDatabases
cloudasset.assets.exportGKEHubFeatures
cloudasset.assets.exportGKEHubMemberships
cloudasset.assets.exportGameservicesGameServerClusters
cloudasset.assets.exportGameservicesGameServerConfigs
cloudasset.assets.exportGameservicesGameServerDeployments
cloudasset.assets.exportGameservicesRealms
cloudasset.assets.exportGkeBackupBackupPlans
cloudasset.assets.exportGkeBackupBackups
cloudasset.assets.exportGkeBackupRestorePlans
cloudasset.assets.exportGkeBackupRestores
cloudasset.assets.exportGkeBackupVolumeBackups
cloudasset.assets.exportGkeBackupVolumeRestores
cloudasset.assets.exportHealthcareConsentStores
cloudasset.assets.exportHealthcareDatasets
cloudasset.assets.exportHealthcareDicomStores
cloudasset.assets.exportHealthcareFhirStores
cloudasset.assets.exportHealthcareHl7V2Stores
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportIamRoles
cloudasset.assets.exportIamServiceAccountKeys
cloudasset.assets.exportIamServiceAccounts
cloudasset.assets.exportIapTunnel
cloudasset.assets.exportIapTunnelInstances
cloudasset.assets.exportIapTunnelZones
cloudasset.assets.exportIapWeb
cloudasset.assets.exportIapWebServiceVersion
cloudasset.assets.exportIapWebServices
cloudasset.assets.exportIapWebType
cloudasset.assets.exportIdsEndpoints
cloudasset.assets.exportIntegrationsAuthConfigs
cloudasset.assets.exportIntegrationsCertificates
cloudasset.assets.exportIntegrationsExecutions
cloudasset.assets.exportIntegrationsIntegrationVersions
cloudasset.assets.exportIntegrationsIntegrations
cloudasset.assets.exportIntegrationsSfdcChannels
cloudasset.assets.exportIntegrationsSfdcInstances
cloudasset.assets.exportIntegrationsSuspensions
cloudasset.assets.exportLoggingLogMetrics
cloudasset.assets.exportLoggingLogSinks
cloudasset.assets.exportManagedidentitiesDomain
cloudasset.assets.exportMetastoreBackups
cloudasset.assets.exportMetastoreMetadataImports
cloudasset.assets.exportMetastoreServices
cloudasset.assets.exportMonitoringAlertPolicies
cloudasset.assets.exportNetworkConnectivityHubs
cloudasset.assets.exportNetworkConnectivitySpokes
cloudasset.assets.exportNetworkManagementConnectivityTests
cloudasset.assets.exportNetworkServicesEndpointPolicies
cloudasset.assets.exportNetworkServicesGateways
cloudasset.assets.exportNetworkServicesGrpcRoutes
cloudasset.assets.exportNetworkServicesHttpRoutes
cloudasset.assets.exportNetworkServicesMeshes
cloudasset.assets.exportNetworkServicesServiceBindings
cloudasset.assets.exportNetworkServicesTcpRoutes
cloudasset.assets.exportNetworkServicesTlsRoutes
cloudasset.assets.exportOSConfigOSPolicyAssignmentReports
cloudasset.assets.exportOSConfigOSPolicyAssignments
cloudasset.assets.exportOSConfigVulnerabilityReports
cloudasset.assets.exportOSInventories
cloudasset.assets.exportOrgPolicy
cloudasset.assets.exportPatchDeployments
cloudasset.assets.exportPubsubSnapshots
cloudasset.assets.exportPubsubSubscriptions
cloudasset.assets.exportPubsubTopics
cloudasset.assets.exportRedisInstances
cloudasset.assets.exportResource
cloudasset.assets.exportSecretManagerSecretVersions
cloudasset.assets.exportSecretManagerSecrets
cloudasset.assets.exportServiceDirectoryNamespaces
cloudasset.assets.exportServicePerimeter
cloudasset.assets.exportServiceconsumermanagementConsumerProperty
cloudasset.assets.exportServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.exportServiceconsumermanagementConsumers
cloudasset.assets.exportServiceconsumermanagementProducerOverrides
cloudasset.assets.exportServiceconsumermanagementTenancyUnits
cloudasset.assets.exportServiceconsumermanagementVisibility
cloudasset.assets.exportServicemanagementServices
cloudasset.assets.exportServiceusageAdminOverrides
cloudasset.assets.exportServiceusageConsumerOverrides
cloudasset.assets.exportServiceusageServices
cloudasset.assets.exportSpannerBackups
cloudasset.assets.exportSpannerDatabases
cloudasset.assets.exportSpannerInstances
cloudasset.assets.exportSpeakerIdPhrases
cloudasset.assets.exportSpeakerIdSettings
cloudasset.assets.exportSpeakerIdSpeakers
cloudasset.assets.exportSpeechCustomClasses
cloudasset.assets.exportSpeechPhraseSets
cloudasset.assets.exportSqladminBackupRuns
cloudasset.assets.exportSqladminInstances
cloudasset.assets.exportStorageBuckets
cloudasset.assets.exportTpuNodes
cloudasset.assets.exportVpcaccessConnector
cloudasset.assets.listAccessLevel
cloudasset.assets.listAccessPolicy
cloudasset.assets.listAiplatformBatchPredictionJobs
cloudasset.assets.listAiplatformCustomJobs
cloudasset.assets.listAiplatformDataLabelingJobs
cloudasset.assets.listAiplatformDatasets
cloudasset.assets.listAiplatformEndpoints
cloudasset.assets.listAiplatformHyperparameterTuningJobs
cloudasset.assets.listAiplatformMetadataStores
cloudasset.assets.listAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.listAiplatformModels
cloudasset.assets.listAiplatformPipelineJobs
cloudasset.assets.listAiplatformSpecialistPools
cloudasset.assets.listAiplatformTrainingPipelines
cloudasset.assets.listAllAccessPolicy
cloudasset.assets.listAnthosConnectedCluster
cloudasset.assets.listAnthosedgeCluster
cloudasset.assets.listApigatewayApi
cloudasset.assets.listApigatewayApiConfig
cloudasset.assets.listApigatewayGateway
cloudasset.assets.listApikeysKeys
cloudasset.assets.listAppengineApplications
cloudasset.assets.listAppengineServices
cloudasset.assets.listAppengineVersions
cloudasset.assets.listArtifactregistryDockerImages
cloudasset.assets.listArtifactregistryRepositories
cloudasset.assets.listAssuredWorkloadsWorkloads
cloudasset.assets.listBeyondCorpApiGateways
cloudasset.assets.listBeyondCorpAppConnections
cloudasset.assets.listBeyondCorpAppConnectors
cloudasset.assets.listBeyondCorpAppGateways
cloudasset.assets.listBeyondCorpClientConnectorServices
cloudasset.assets.listBeyondCorpClientGateways
cloudasset.assets.listBigqueryDatasets
cloudasset.assets.listBigqueryModels
cloudasset.assets.listBigqueryTables
cloudasset.assets.listBigtableAppProfile
cloudasset.assets.listBigtableBackup
cloudasset.assets.listBigtableCluster
cloudasset.assets.listBigtableInstance
cloudasset.assets.listBigtableTable
cloudasset.assets.listCloudAssetFeeds
cloudasset.assets.listCloudDeployDeliveryPipelines
cloudasset.assets.listCloudDeployReleases
cloudasset.assets.listCloudDeployRollouts
cloudasset.assets.listCloudDeployTargets
cloudasset.assets.listCloudDocumentAIEvaluation
cloudasset.assets.listCloudDocumentAIHumanReviewConfig
cloudasset.assets.listCloudDocumentAILabelerPool
cloudasset.assets.listCloudDocumentAIProcessor
cloudasset.assets.listCloudDocumentAIProcessorVersion
cloudasset.assets.listCloudbillingBillingAccounts
cloudasset.assets.listCloudbillingProjectBillingInfos
cloudasset.assets.listCloudfunctionsFunctions
cloudasset.assets.listCloudfunctionsGen2Functions
cloudasset.assets.listCloudkmsCryptoKeyVersions
cloudasset.assets.listCloudkmsCryptoKeys
cloudasset.assets.listCloudkmsEkmConnections
cloudasset.assets.listCloudkmsImportJobs
cloudasset.assets.listCloudkmsKeyRings
cloudasset.assets.listCloudmemcacheInstances
cloudasset.assets.listCloudresourcemanagerFolders
cloudasset.assets.listCloudresourcemanagerOrganizations
cloudasset.assets.listCloudresourcemanagerProjects
cloudasset.assets.listCloudresourcemanagerTagBindings
cloudasset.assets.listCloudresourcemanagerTagKeys
cloudasset.assets.listCloudresourcemanagerTagValues
cloudasset.assets.listComposerEnvironments
cloudasset. assets. listComputeAddress
cloudasset. assets. listComputeAutoscalers
cloudasset. assets. listComputeBackendBuckets
cloudasset. assets. listComputeBackendServices
cloudasset. assets. listComputeCommitments
cloudasset. assets. listComputeDisks
cloudasset. assets. listComputeExternalVpnGateways
cloudasset. assets. listComputeFirewallPolicies
cloudasset. assets. listComputeFirewalls
cloudasset. assets. listComputeForwardingRules
cloudasset. assets. listComputeGlobalAddress
cloudasset. assets. listComputeGlobalForwardingRules
cloudasset. assets. listComputeHealthChecks
cloudasset. assets. listComputeHttpHealthChecks
cloudasset. assets. listComputeHttpsHealthChecks
cloudasset. assets. listComputeImages
cloudasset. assets. listComputeInstanceGroupManagers
cloudasset. assets. listComputeInstanceGroups
cloudasset. assets. listComputeInstanceTemplates
cloudasset. assets. listComputeInstances
cloudasset. assets. listComputeInterconnect
cloudasset. assets. listComputeInterconnectAttachment
cloudasset. assets. listComputeLicenses
cloudasset. assets. listComputeNetworkEndpointGroups
cloudasset. assets. listComputeNetworks
cloudasset. assets. listComputeNodeGroups
cloudasset. assets. listComputeNodeTemplates
cloudasset. assets. listComputePacketMirrorings
cloudasset. assets. listComputeProjects
cloudasset. assets. listComputeRegionAutoscaler
cloudasset. assets. listComputeRegionBackendServices
cloudasset. assets. listComputeRegionDisk
cloudasset. assets. listComputeRegionInstanceGroup
cloudasset. assets. listComputeRegionInstanceGroupManager
cloudasset. assets. listComputeReservations
cloudasset. assets. listComputeResourcePolicies
cloudasset. assets. listComputeRouters
cloudasset. assets. listComputeRoutes
cloudasset. assets. listComputeSecurityPolicy
cloudasset. assets. listComputeServiceAttachments
cloudasset. assets. listComputeSnapshots
cloudasset. assets. listComputeSslCertificates
cloudasset. assets. listComputeSslPolicies
cloudasset. assets. listComputeSubnetworks
cloudasset. assets. listComputeTargetHttpProxies
cloudasset. assets. listComputeTargetHttpsProxies
cloudasset. assets. listComputeTargetInstances
cloudasset. assets. listComputeTargetPools
cloudasset. assets. listComputeTargetSslProxies
cloudasset. assets. listComputeTargetTcpProxies
cloudasset. assets. listComputeTargetVpnGateways
cloudasset. assets. listComputeUrlMaps
cloudasset. assets. listComputeVpnGateways
cloudasset. assets. listComputeVpnTunnels
cloudasset. assets. listConnectorsConnections
cloudasset. assets. listConnectorsConnectorVersions
cloudasset. assets. listConnectorsConnectors
cloudasset. assets. listConnectorsProviders
cloudasset. assets. listConnectorsRuntimeConfigs
cloudasset. assets. listContainerAppsDeployment
cloudasset. assets. listContainerAppsReplicaSets
cloudasset. assets. listContainerBatchJobs
cloudasset. assets. listContainerClusterrole
cloudasset. assets. listContainerClusterrolebinding
cloudasset. assets. listContainerClusters
cloudasset. assets. listContainerExtensionsIngresses
cloudasset. assets. listContainerJobs
cloudasset. assets. listContainerNamespace
cloudasset. assets. listContainerNetworkingIngresses
cloudasset. assets. listContainerNetworkingNetworkPolicies
cloudasset. assets. listContainerNode
cloudasset. assets. listContainerNodepool
cloudasset. assets. listContainerPod
cloudasset. assets. listContainerReplicaSets
cloudasset. assets. listContainerRole
cloudasset. assets. listContainerRolebinding
cloudasset. assets. listContainerServices
cloudasset. assets. listContainerregistryImage
cloudasset. assets. listDataMigrationConnectionProfiles
cloudasset. assets. listDataMigrationMigrationJobs
cloudasset. assets. listDataflowJobs
cloudasset. assets. listDatafusionInstance
cloudasset. assets. listDataplexAssets
cloudasset. assets. listDataplexLakes
cloudasset. assets. listDataplexTasks
cloudasset. assets. listDataplexZones
cloudasset. assets. listDataprocAutoscalingPolicies
cloudasset. assets. listDataprocBatches
cloudasset. assets. listDataprocClusters
cloudasset. assets. listDataprocJobs
cloudasset. assets. listDataprocSessions
cloudasset. assets. listDataprocWorkflowTemplates
cloudasset. assets. listDatastreamConnectionProfile
cloudasset. assets. listDatastreamPrivateConnection
cloudasset. assets. listDatastreamStream
cloudasset. assets. listDialogflowAgents
cloudasset. assets. listDialogflowConversationProfiles
cloudasset. assets. listDialogflowKnowledgeBases
cloudasset. assets. listDialogflowLocationSettings
cloudasset. assets. listDlpDeidentifyTemplates
cloudasset. assets. listDlpDlpJobs
cloudasset. assets. listDlpInspectTemplates
cloudasset. assets. listDlpJobTriggers
cloudasset. assets. listDlpStoredInfoTypes
cloudasset. assets. listDnsManagedZones
cloudasset. assets. listDnsPolicies
cloudasset. assets. listDomainsRegistrations
cloudasset. assets. listEventarcTriggers
cloudasset. assets. listFileBackups
cloudasset. assets. listFileInstances
cloudasset. assets. listFirebaseAppInfos
cloudasset. assets. listFirebaseProjects
cloudasset. assets. listFirestoreDatabases
cloudasset. assets. listGKEHubFeatures
cloudasset. assets. listGKEHubMemberships
cloudasset. assets. listGameservicesGameServerClusters
cloudasset. assets. listGameservicesGameServerConfigs
cloudasset. assets. listGameservicesGameServerDeployments
cloudasset. assets. listGameservicesRealms
cloudasset. assets. listGkeBackupBackupPlans
cloudasset. assets. listGkeBackupBackups
cloudasset. assets. listGkeBackupRestorePlans
cloudasset. assets. listGkeBackupRestores
cloudasset. assets. listGkeBackupVolumeBackups
cloudasset. assets. listGkeBackupVolumeRestores
cloudasset. assets. listHealthcareConsentStores
cloudasset. assets. listHealthcareDatasets
cloudasset. assets. listHealthcareDicomStores
cloudasset. assets. listHealthcareFhirStores
cloudasset. assets. listHealthcareHl7V2Stores
cloudasset. assets. listIamPolicy
cloudasset.assets.listIamRoles
cloudasset. assets. listIamServiceAccountKeys
cloudasset. assets. listIamServiceAccounts
cloudasset. assets. listIapTunnel
cloudasset. assets. listIapTunnelInstances
cloudasset. assets. listIapTunnelZones
cloudasset.assets.listIapWeb
cloudasset. assets. listIapWebServiceVersion
cloudasset. assets. listIapWebServices
cloudasset. assets. listIapWebType
cloudasset. assets. listIdsEndpoints
cloudasset. assets. listIntegrationsAuthConfigs
cloudasset. assets. listIntegrationsCertificates
cloudasset. assets. listIntegrationsExecutions
cloudasset. assets. listIntegrationsIntegrationVersions
cloudasset. assets. listIntegrationsIntegrations
cloudasset. assets. listIntegrationsSfdcChannels
cloudasset. assets. listIntegrationsSfdcInstances
cloudasset. assets. listIntegrationsSuspensions
cloudasset. assets. listLoggingLogMetrics
cloudasset. assets. listLoggingLogSinks
cloudasset. assets. listManagedidentitiesDomain
cloudasset. assets. listMetastoreBackups
cloudasset. assets. listMetastoreMetadataImports
cloudasset. assets. listMetastoreServices
cloudasset. assets. listMonitoringAlertPolicies
cloudasset. assets. listNetworkConnectivityHubs
cloudasset. assets. listNetworkConnectivitySpokes
cloudasset. assets. listNetworkManagementConnectivityTests
cloudasset. assets. listNetworkServicesEndpointPolicies
cloudasset. assets. listNetworkServicesGateways
cloudasset. assets. listNetworkServicesGrpcRoutes
cloudasset. assets. listNetworkServicesHttpRoutes
cloudasset. assets. listNetworkServicesMeshes
cloudasset. assets. listNetworkServicesServiceBindings
cloudasset. assets. listNetworkServicesTcpRoutes
cloudasset. assets. listNetworkServicesTlsRoutes
cloudasset. assets. listOSConfigOSPolicyAssignmentReports
cloudasset. assets. listOSConfigOSPolicyAssignments
cloudasset. assets. listOSConfigVulnerabilityReports
cloudasset. assets. listOSInventories
cloudasset. assets. listOrgPolicy
cloudasset. assets. listPatchDeployments
cloudasset. assets. listPubsubSnapshots
cloudasset. assets. listPubsubSubscriptions
cloudasset. assets. listPubsubTopics
cloudasset. assets. listRedisInstances
cloudasset.assets.listResource
cloudasset. assets. listRunDomainMapping
cloudasset. assets. listRunRevision
cloudasset. assets. listRunService
cloudasset. assets. listSecretManagerSecretVersions
cloudasset. assets. listSecretManagerSecrets
cloudasset. assets. listServiceDirectoryNamespaces
cloudasset. assets. listServicePerimeter
cloudasset. assets. listServiceconsumermanagementConsumerProperty
cloudasset. assets. listServiceconsumermanagementConsumerQuotaLimits
cloudasset. assets. listServiceconsumermanagementConsumers
cloudasset. assets. listServiceconsumermanagementProducerOverrides
cloudasset. assets. listServiceconsumermanagementTenancyUnits
cloudasset. assets. listServiceconsumermanagementVisibility
cloudasset. assets. listServicemanagementServices
cloudasset. assets. listServiceusageAdminOverrides
cloudasset. assets. listServiceusageConsumerOverrides
cloudasset. assets. listServiceusageServices
cloudasset. assets. listSpannerBackups
cloudasset. assets. listSpannerDatabases
cloudasset. assets. listSpannerInstances
cloudasset. assets. listSpeakerIdPhrases
cloudasset. assets. listSpeakerIdSettings
cloudasset. assets. listSpeakerIdSpeakers
cloudasset. assets. listSpeechCustomClasses
cloudasset. assets. listSpeechPhraseSets
cloudasset. assets. listSqladminBackupRuns
cloudasset. assets. listSqladminInstances
cloudasset. assets. listStorageBuckets
cloudasset.assets.listTpuNodes
cloudasset. assets. listVpcaccessConnector
cloudasset. assets. queryAccessPolicy
cloudasset. assets. queryIamPolicy
cloudasset. assets. queryOSInventories
cloudasset. assets. queryResource
cloudasset. assets. searchAllIamPolicies
cloudasset. assets. searchAllResources
cloudasset.feeds.*
cloudsql.instances.connect
cloudsql.users.list
compute.globalOperations.get
compute.instances.get
compute.instances.list
compute. networkEndpointGroups. get
compute.projects.get
container.clusters.get
monitoring.alertPolicies.list
orgpolicy.policy.get
recommender. cloudAssetInsights. get
recommender. cloudAssetInsights. list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter. organizationsettings. get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
stackdriver.projects.get
Google Cloud Security Response Service Agent
(roles/securitycenter.securityResponseServiceAgent)
Gives Playbook Runner permissions to execute all Google-authored Playbooks. This role will keep evolving as we add more playbooks.
Warning: Do not grant service agent roles to any principals except service agents.
compute. instances. deleteAccessConfig
compute.instances.get
compute.instances.setMetadata
iam.serviceAccounts.actAs
pubsub.topics.publish
securitycenter.findings.list
storage.buckets.get
storage.buckets.update
Security Center Service Agent
(roles/securitycenter.serviceAgent)
Security Center service agent can scan GCP resources and import security scans.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.datasets.get
binaryauthorization.policy.get
cloudasset. assets. analyzeIamPolicy
cloudasset.assets.analyzeMove
cloudasset. assets. analyzeOrgPolicy
cloudasset. assets. exportAccessLevel
cloudasset. assets. exportAccessPolicy
cloudasset. assets. exportAiplatformBatchPredictionJobs
cloudasset. assets. exportAiplatformCustomJobs
cloudasset. assets. exportAiplatformDataLabelingJobs
cloudasset. assets. exportAiplatformDatasets
cloudasset. assets. exportAiplatformEndpoints
cloudasset. assets. exportAiplatformHyperparameterTuningJobs
cloudasset. assets. exportAiplatformMetadataStores
cloudasset. assets. exportAiplatformModelDeploymentMonitoringJobs
cloudasset. assets. exportAiplatformModels
cloudasset. assets. exportAiplatformPipelineJobs
cloudasset. assets. exportAiplatformSpecialistPools
cloudasset. assets. exportAiplatformTrainingPipelines
cloudasset. assets. exportAllAccessPolicy
cloudasset. assets. exportAnthosConnectedCluster
cloudasset. assets. exportAnthosedgeCluster
cloudasset. assets. exportApigatewayApi
cloudasset. assets. exportApigatewayApiConfig
cloudasset. assets. exportApigatewayGateway
cloudasset. assets. exportApikeysKeys
cloudasset. assets. exportAppengineApplications
cloudasset. assets. exportAppengineServices
cloudasset. assets. exportAppengineVersions
cloudasset. assets. exportArtifactregistryDockerImages
cloudasset. assets. exportArtifactregistryRepositories
cloudasset. assets. exportAssuredWorkloadsWorkloads
cloudasset. assets. exportBeyondCorpApiGateways
cloudasset. assets. exportBeyondCorpAppConnections
cloudasset. assets. exportBeyondCorpAppConnectors
cloudasset. assets. exportBeyondCorpAppGateways
cloudasset. assets. exportBeyondCorpClientConnectorServices
cloudasset. assets. exportBeyondCorpClientGateways
cloudasset. assets. exportBigqueryDatasets
cloudasset. assets. exportBigqueryModels
cloudasset. assets. exportBigqueryTables
cloudasset. assets. exportBigtableAppProfile
cloudasset. assets. exportBigtableBackup
cloudasset. assets. exportBigtableCluster
cloudasset. assets. exportBigtableInstance
cloudasset. assets. exportBigtableTable
cloudasset. assets. exportCloudAssetFeeds
cloudasset. assets. exportCloudDeployDeliveryPipelines
cloudasset. assets. exportCloudDeployReleases
cloudasset. assets. exportCloudDeployRollouts
cloudasset. assets. exportCloudDeployTargets
cloudasset. assets. exportCloudDocumentAIEvaluation
cloudasset. assets. exportCloudDocumentAIHumanReviewConfig
cloudasset. assets. exportCloudDocumentAILabelerPool
cloudasset. assets. exportCloudDocumentAIProcessor
cloudasset. assets. exportCloudDocumentAIProcessorVersion
cloudasset. assets. exportCloudbillingBillingAccounts
cloudasset. assets. exportCloudbillingProjectBillingInfos
cloudasset. assets. exportCloudfunctionsFunctions
cloudasset. assets. exportCloudfunctionsGen2Functions
cloudasset. assets. exportCloudkmsCryptoKeyVersions
cloudasset. assets. exportCloudkmsCryptoKeys
cloudasset. assets. exportCloudkmsEkmConnections
cloudasset. assets. exportCloudkmsImportJobs
cloudasset. assets. exportCloudkmsKeyRings
cloudasset. assets. exportCloudmemcacheInstances
cloudasset. assets. exportCloudresourcemanagerFolders
cloudasset. assets. exportCloudresourcemanagerOrganizations
cloudasset. assets. exportCloudresourcemanagerProjects
cloudasset. assets. exportCloudresourcemanagerTagBindings
cloudasset. assets. exportCloudresourcemanagerTagKeys
cloudasset. assets. exportCloudresourcemanagerTagValues
cloudasset. assets. exportComposerEnvironments
cloudasset. assets. exportComputeAddress
cloudasset. assets. exportComputeAutoscalers
cloudasset. assets. exportComputeBackendBuckets
cloudasset. assets. exportComputeBackendServices
cloudasset. assets. exportComputeCommitments
cloudasset. assets. exportComputeDisks
cloudasset. assets. exportComputeExternalVpnGateways
cloudasset. assets. exportComputeFirewallPolicies
cloudasset. assets. exportComputeFirewalls
cloudasset. assets. exportComputeForwardingRules
cloudasset. assets. exportComputeGlobalAddress
cloudasset. assets. exportComputeGlobalForwardingRules
cloudasset. assets. exportComputeHealthChecks
cloudasset. assets. exportComputeHttpHealthChecks
cloudasset. assets. exportComputeHttpsHealthChecks
cloudasset. assets. exportComputeImages
cloudasset. assets. exportComputeInstanceGroupManagers
cloudasset. assets. exportComputeInstanceGroups
cloudasset. assets. exportComputeInstanceTemplates
cloudasset. assets. exportComputeInstances
cloudasset. assets. exportComputeInterconnect
cloudasset. assets. exportComputeInterconnectAttachment
cloudasset. assets. exportComputeLicenses
cloudasset. assets. exportComputeNetworkEndpointGroups
cloudasset. assets. exportComputeNetworks
cloudasset. assets. exportComputeNodeGroups
cloudasset. assets. exportComputeNodeTemplates
cloudasset. assets. exportComputePacketMirrorings
cloudasset. assets. exportComputeProjects
cloudasset. assets. exportComputeRegionAutoscaler
cloudasset. assets. exportComputeRegionBackendServices
cloudasset. assets. exportComputeRegionDisk
cloudasset. assets. exportComputeRegionInstanceGroup
cloudasset. assets. exportComputeRegionInstanceGroupManager
cloudasset. assets. exportComputeReservations
cloudasset. assets. exportComputeResourcePolicies
cloudasset. assets. exportComputeRouters
cloudasset. assets. exportComputeRoutes
cloudasset. assets. exportComputeSecurityPolicy
cloudasset. assets. exportComputeServiceAttachments
cloudasset. assets. exportComputeSnapshots
cloudasset. assets. exportComputeSslCertificates
cloudasset. assets. exportComputeSslPolicies
cloudasset. assets. exportComputeSubnetworks
cloudasset. assets. exportComputeTargetHttpProxies
cloudasset. assets. exportComputeTargetHttpsProxies
cloudasset. assets. exportComputeTargetInstances
cloudasset. assets. exportComputeTargetPools
cloudasset. assets. exportComputeTargetSslProxies
cloudasset. assets. exportComputeTargetTcpProxies
cloudasset. assets. exportComputeTargetVpnGateways
cloudasset. assets. exportComputeUrlMaps
cloudasset. assets. exportComputeVpnGateways
cloudasset. assets. exportComputeVpnTunnels
cloudasset. assets. exportConnectorsConnections
cloudasset. assets. exportConnectorsConnectorVersions
cloudasset. assets. exportConnectorsConnectors
cloudasset. assets. exportConnectorsProviders
cloudasset. assets. exportConnectorsRuntimeConfigs
cloudasset. assets. exportContainerAppsDeployment
cloudasset. assets. exportContainerAppsReplicaSets
cloudasset. assets. exportContainerBatchJobs
cloudasset. assets. exportContainerClusterrole
cloudasset. assets. exportContainerClusterrolebinding
cloudasset. assets. exportContainerClusters
cloudasset. assets. exportContainerExtensionsIngresses
cloudasset. assets. exportContainerJobs
cloudasset. assets. exportContainerNamespace
cloudasset. assets. exportContainerNetworkingIngresses
cloudasset. assets. exportContainerNetworkingNetworkPolicies
cloudasset. assets. exportContainerNode
cloudasset. assets. exportContainerNodepool
cloudasset. assets. exportContainerPod
cloudasset. assets. exportContainerReplicaSets
cloudasset. assets. exportContainerRole
cloudasset. assets. exportContainerRolebinding
cloudasset. assets. exportContainerServices
cloudasset. assets. exportContainerregistryImage
cloudasset. assets. exportDataMigrationConnectionProfiles
cloudasset. assets. exportDataMigrationMigrationJobs
cloudasset. assets. exportDataflowJobs
cloudasset. assets. exportDatafusionInstance
cloudasset. assets. exportDataplexAssets
cloudasset. assets. exportDataplexLakes
cloudasset. assets. exportDataplexTasks
cloudasset. assets. exportDataplexZones
cloudasset. assets. exportDataprocAutoscalingPolicies
cloudasset. assets. exportDataprocBatches
cloudasset. assets. exportDataprocClusters
cloudasset. assets. exportDataprocJobs
cloudasset. assets. exportDataprocSessions
cloudasset. assets. exportDataprocWorkflowTemplates
cloudasset. assets. exportDatastreamConnectionProfile
cloudasset. assets. exportDatastreamPrivateConnection
cloudasset. assets. exportDatastreamStream
cloudasset. assets. exportDialogflowAgents
cloudasset. assets. exportDialogflowConversationProfiles
cloudasset. assets. exportDialogflowKnowledgeBases
cloudasset. assets. exportDialogflowLocationSettings
cloudasset. assets. exportDlpDeidentifyTemplates
cloudasset. assets. exportDlpDlpJobs
cloudasset. assets. exportDlpInspectTemplates
cloudasset. assets. exportDlpJobTriggers
cloudasset. assets. exportDlpStoredInfoTypes
cloudasset. assets. exportDnsManagedZones
cloudasset. assets. exportDnsPolicies
cloudasset. assets. exportDomainsRegistrations
cloudasset. assets. exportEventarcTriggers
cloudasset. assets. exportFileBackups
cloudasset. assets. exportFileInstances
cloudasset. assets. exportFirebaseAppInfos
cloudasset. assets. exportFirebaseProjects
cloudasset. assets. exportFirestoreDatabases
cloudasset. assets. exportGKEHubFeatures
cloudasset. assets. exportGKEHubMemberships
cloudasset. assets. exportGameservicesGameServerClusters
cloudasset. assets. exportGameservicesGameServerConfigs
cloudasset. assets. exportGameservicesGameServerDeployments
cloudasset. assets. exportGameservicesRealms
cloudasset. assets. exportGkeBackupBackupPlans
cloudasset. assets. exportGkeBackupBackups
cloudasset. assets. exportGkeBackupRestorePlans
cloudasset. assets. exportGkeBackupRestores
cloudasset. assets. exportGkeBackupVolumeBackups
cloudasset. assets. exportGkeBackupVolumeRestores
cloudasset. assets. exportHealthcareConsentStores
cloudasset. assets. exportHealthcareDatasets
cloudasset. assets. exportHealthcareDicomStores
cloudasset. assets. exportHealthcareFhirStores
cloudasset. assets. exportHealthcareHl7V2Stores
cloudasset. assets. exportIamPolicy
cloudasset. assets. exportIamRoles
cloudasset. assets. exportIamServiceAccountKeys
cloudasset. assets. exportIamServiceAccounts
cloudasset. assets. exportIapTunnel
cloudasset. assets. exportIapTunnelInstances
cloudasset. assets. exportIapTunnelZones
cloudasset.assets.exportIapWeb
cloudasset. assets. exportIapWebServiceVersion
cloudasset. assets. exportIapWebServices
cloudasset. assets. exportIapWebType
cloudasset. assets. exportIdsEndpoints
cloudasset. assets. exportIntegrationsAuthConfigs
cloudasset. assets. exportIntegrationsCertificates
cloudasset. assets. exportIntegrationsExecutions
cloudasset. assets. exportIntegrationsIntegrationVersions
cloudasset. assets. exportIntegrationsIntegrations
cloudasset. assets. exportIntegrationsSfdcChannels
cloudasset. assets. exportIntegrationsSfdcInstances
cloudasset. assets. exportIntegrationsSuspensions
cloudasset. assets. exportLoggingLogMetrics
cloudasset. assets. exportLoggingLogSinks
cloudasset. assets. exportManagedidentitiesDomain
cloudasset. assets. exportMetastoreBackups
cloudasset. assets. exportMetastoreMetadataImports
cloudasset. assets. exportMetastoreServices
cloudasset. assets. exportMonitoringAlertPolicies
cloudasset. assets. exportNetworkConnectivityHubs
cloudasset. assets. exportNetworkConnectivitySpokes
cloudasset. assets. exportNetworkManagementConnectivityTests
cloudasset. assets. exportNetworkServicesEndpointPolicies
cloudasset. assets. exportNetworkServicesGateways
cloudasset. assets. exportNetworkServicesGrpcRoutes
cloudasset. assets. exportNetworkServicesHttpRoutes
cloudasset. assets. exportNetworkServicesMeshes
cloudasset. assets. exportNetworkServicesServiceBindings
cloudasset. assets. exportNetworkServicesTcpRoutes
cloudasset. assets. exportNetworkServicesTlsRoutes
cloudasset. assets. exportOSConfigOSPolicyAssignmentReports
cloudasset. assets. exportOSConfigOSPolicyAssignments
cloudasset. assets. exportOSConfigVulnerabilityReports
cloudasset. assets. exportOSInventories
cloudasset. assets. exportOrgPolicy
cloudasset. assets. exportPatchDeployments
cloudasset. assets. exportPubsubSnapshots
cloudasset. assets. exportPubsubSubscriptions
cloudasset. assets. exportPubsubTopics
cloudasset. assets. exportRedisInstances
cloudasset. assets. exportResource
cloudasset. assets. exportSecretManagerSecretVersions
cloudasset. assets. exportSecretManagerSecrets
cloudasset. assets. exportServiceDirectoryNamespaces
cloudasset. assets. exportServicePerimeter
cloudasset. assets. exportServiceconsumermanagementConsumerProperty
cloudasset. assets. exportServiceconsumermanagementConsumerQuotaLimits
cloudasset. assets. exportServiceconsumermanagementConsumers
cloudasset. assets. exportServiceconsumermanagementProducerOverrides
cloudasset. assets. exportServiceconsumermanagementTenancyUnits
cloudasset. assets. exportServiceconsumermanagementVisibility
cloudasset. assets. exportServicemanagementServices
cloudasset. assets. exportServiceusageAdminOverrides
cloudasset. assets. exportServiceusageConsumerOverrides
cloudasset. assets. exportServiceusageServices
cloudasset. assets. exportSpannerBackups
cloudasset. assets. exportSpannerDatabases
cloudasset. assets. exportSpannerInstances
cloudasset. assets. exportSpeakerIdPhrases
cloudasset. assets. exportSpeakerIdSettings
cloudasset. assets. exportSpeakerIdSpeakers
cloudasset. assets. exportSpeechCustomClasses
cloudasset. assets. exportSpeechPhraseSets
cloudasset. assets. exportSqladminBackupRuns
cloudasset. assets. exportSqladminInstances
cloudasset. assets. exportStorageBuckets
cloudasset. assets. exportTpuNodes
cloudasset. assets. exportVpcaccessConnector
cloudasset. assets. listAccessLevel
cloudasset. assets. listAccessPolicy
cloudasset. assets. listAiplatformBatchPredictionJobs
cloudasset. assets. listAiplatformCustomJobs
cloudasset. assets. listAiplatformDataLabelingJobs
cloudasset. assets. listAiplatformDatasets
cloudasset. assets. listAiplatformEndpoints
cloudasset. assets. listAiplatformHyperparameterTuningJobs
cloudasset. assets. listAiplatformMetadataStores
cloudasset. assets. listAiplatformModelDeploymentMonitoringJobs
cloudasset. assets. listAiplatformModels
cloudasset. assets. listAiplatformPipelineJobs
cloudasset. assets. listAiplatformSpecialistPools
cloudasset. assets. listAiplatformTrainingPipelines
cloudasset. assets. listAllAccessPolicy
cloudasset. assets. listAnthosConnectedCluster
cloudasset. assets. listAnthosedgeCluster
cloudasset. assets. listApigatewayApi
cloudasset. assets. listApigatewayApiConfig
cloudasset. assets. listApigatewayGateway
cloudasset. assets. listApikeysKeys
cloudasset. assets. listAppengineApplications
cloudasset. assets. listAppengineServices
cloudasset. assets. listAppengineVersions
cloudasset. assets. listArtifactregistryDockerImages
cloudasset. assets. listArtifactregistryRepositories
cloudasset. assets. listAssuredWorkloadsWorkloads
cloudasset. assets. listBeyondCorpApiGateways
cloudasset. assets. listBeyondCorpAppConnections
cloudasset. assets. listBeyondCorpAppConnectors
cloudasset. assets. listBeyondCorpAppGateways
cloudasset. assets. listBeyondCorpClientConnectorServices
cloudasset. assets. listBeyondCorpClientGateways
cloudasset. assets. listBigqueryDatasets
cloudasset. assets. listBigqueryModels
cloudasset. assets. listBigqueryTables
cloudasset. assets. listBigtableAppProfile
cloudasset. assets. listBigtableBackup
cloudasset. assets. listBigtableCluster
cloudasset. assets. listBigtableInstance
cloudasset. assets. listBigtableTable
cloudasset. assets. listCloudAssetFeeds
cloudasset. assets. listCloudDeployDeliveryPipelines
cloudasset. assets. listCloudDeployReleases
cloudasset. assets. listCloudDeployRollouts
cloudasset. assets. listCloudDeployTargets
cloudasset. assets. listCloudDocumentAIEvaluation
cloudasset. assets. listCloudDocumentAIHumanReviewConfig
cloudasset. assets. listCloudDocumentAILabelerPool
cloudasset. assets. listCloudDocumentAIProcessor
cloudasset. assets. listCloudDocumentAIProcessorVersion
cloudasset. assets. listCloudbillingBillingAccounts
cloudasset. assets. listCloudbillingProjectBillingInfos
cloudasset. assets. listCloudfunctionsFunctions
cloudasset. assets. listCloudfunctionsGen2Functions
cloudasset. assets. listCloudkmsCryptoKeyVersions
cloudasset. assets. listCloudkmsCryptoKeys
cloudasset. assets. listCloudkmsEkmConnections
cloudasset. assets. listCloudkmsImportJobs
cloudasset. assets. listCloudkmsKeyRings
cloudasset. assets. listCloudmemcacheInstances
cloudasset. assets. listCloudresourcemanagerFolders
cloudasset. assets. listCloudresourcemanagerOrganizations
cloudasset. assets. listCloudresourcemanagerProjects
cloudasset. assets. listCloudresourcemanagerTagBindings
cloudasset. assets. listCloudresourcemanagerTagKeys
cloudasset. assets. listCloudresourcemanagerTagValues
cloudasset. assets. listComposerEnvironments
cloudasset. assets. listComputeAddress
cloudasset. assets. listComputeAutoscalers
cloudasset. assets. listComputeBackendBuckets
cloudasset. assets. listComputeBackendServices
cloudasset. assets. listComputeCommitments
cloudasset. assets. listComputeDisks
cloudasset. assets. listComputeExternalVpnGateways
cloudasset. assets. listComputeFirewallPolicies
cloudasset. assets. listComputeFirewalls
cloudasset. assets. listComputeForwardingRules
cloudasset. assets. listComputeGlobalAddress
cloudasset. assets. listComputeGlobalForwardingRules
cloudasset. assets. listComputeHealthChecks
cloudasset. assets. listComputeHttpHealthChecks
cloudasset. assets. listComputeHttpsHealthChecks
cloudasset. assets. listComputeImages
cloudasset. assets. listComputeInstanceGroupManagers
cloudasset. assets. listComputeInstanceGroups
cloudasset. assets. listComputeInstanceTemplates
cloudasset. assets. listComputeInstances
cloudasset. assets. listComputeInterconnect
cloudasset. assets. listComputeInterconnectAttachment
cloudasset. assets. listComputeLicenses
cloudasset. assets. listComputeNetworkEndpointGroups
cloudasset. assets. listComputeNetworks
cloudasset. assets. listComputeNodeGroups
cloudasset. assets. listComputeNodeTemplates
cloudasset. assets. listComputePacketMirrorings
cloudasset. assets. listComputeProjects
cloudasset. assets. listComputeRegionAutoscaler
cloudasset. assets. listComputeRegionBackendServices
cloudasset. assets. listComputeRegionDisk
cloudasset. assets. listComputeRegionInstanceGroup
cloudasset. assets. listComputeRegionInstanceGroupManager
cloudasset. assets. listComputeReservations
cloudasset. assets. listComputeResourcePolicies
cloudasset. assets. listComputeRouters
cloudasset. assets. listComputeRoutes
cloudasset. assets. listComputeSecurityPolicy
cloudasset. assets. listComputeServiceAttachments
cloudasset. assets. listComputeSnapshots
cloudasset. assets. listComputeSslCertificates
cloudasset. assets. listComputeSslPolicies
cloudasset. assets. listComputeSubnetworks
cloudasset. assets. listComputeTargetHttpProxies
cloudasset. assets. listComputeTargetHttpsProxies
cloudasset. assets. listComputeTargetInstances
cloudasset. assets. listComputeTargetPools
cloudasset. assets. listComputeTargetSslProxies
cloudasset. assets. listComputeTargetTcpProxies
cloudasset. assets. listComputeTargetVpnGateways
cloudasset. assets. listComputeUrlMaps
cloudasset. assets. listComputeVpnGateways
cloudasset. assets. listComputeVpnTunnels
cloudasset.assets.listConnectorsConnections
cloudasset.assets.listConnectorsConnectorVersions
cloudasset.assets.listConnectorsConnectors
cloudasset.assets.listConnectorsProviders
cloudasset.assets.listConnectorsRuntimeConfigs
cloudasset.assets.listContainerAppsDeployment
cloudasset.assets.listContainerAppsReplicaSets
cloudasset.assets.listContainerBatchJobs
cloudasset.assets.listContainerClusterrole
cloudasset.assets.listContainerClusterrolebinding
cloudasset.assets.listContainerClusters
cloudasset.assets.listContainerExtensionsIngresses
cloudasset.assets.listContainerJobs
cloudasset.assets.listContainerNamespace
cloudasset.assets.listContainerNetworkingIngresses
cloudasset.assets.listContainerNetworkingNetworkPolicies
cloudasset.assets.listContainerNode
cloudasset.assets.listContainerNodepool
cloudasset.assets.listContainerPod
cloudasset.assets.listContainerReplicaSets
cloudasset.assets.listContainerRole
cloudasset.assets.listContainerRolebinding
cloudasset.assets.listContainerServices
cloudasset.assets.listContainerregistryImage
cloudasset.assets.listDataMigrationConnectionProfiles
cloudasset.assets.listDataMigrationMigrationJobs
cloudasset.assets.listDataflowJobs
cloudasset.assets.listDatafusionInstance
cloudasset.assets.listDataplexAssets
cloudasset.assets.listDataplexLakes
cloudasset.assets.listDataplexTasks
cloudasset.assets.listDataplexZones
cloudasset.assets.listDataprocAutoscalingPolicies
cloudasset.assets.listDataprocBatches
cloudasset.assets.listDataprocClusters
cloudasset.assets.listDataprocJobs
cloudasset.assets.listDataprocSessions
cloudasset.assets.listDataprocWorkflowTemplates
cloudasset.assets.listDatastreamConnectionProfile
cloudasset.assets.listDatastreamPrivateConnection
cloudasset.assets.listDatastreamStream
cloudasset.assets.listDialogflowAgents
cloudasset.assets.listDialogflowConversationProfiles
cloudasset.assets.listDialogflowKnowledgeBases
cloudasset.assets.listDialogflowLocationSettings
cloudasset.assets.listDlpDeidentifyTemplates
cloudasset.assets.listDlpDlpJobs
cloudasset.assets.listDlpInspectTemplates
cloudasset.assets.listDlpJobTriggers
cloudasset.assets.listDlpStoredInfoTypes
cloudasset.assets.listDnsManagedZones
cloudasset.assets.listDnsPolicies
cloudasset.assets.listDomainsRegistrations
cloudasset.assets.listEventarcTriggers
cloudasset.assets.listFileBackups
cloudasset.assets.listFileInstances
cloudasset.assets.listFirebaseAppInfos
cloudasset.assets.listFirebaseProjects
cloudasset.assets.listFirestoreDatabases
cloudasset.assets.listGKEHubFeatures
cloudasset.assets.listGKEHubMemberships
cloudasset.assets.listGameservicesGameServerClusters
cloudasset.assets.listGameservicesGameServerConfigs
cloudasset.assets.listGameservicesGameServerDeployments
cloudasset.assets.listGameservicesRealms
cloudasset.assets.listGkeBackupBackupPlans
cloudasset.assets.listGkeBackupBackups
cloudasset.assets.listGkeBackupRestorePlans
cloudasset.assets.listGkeBackupRestores
cloudasset.assets.listGkeBackupVolumeBackups
cloudasset.assets.listGkeBackupVolumeRestores
cloudasset.assets.listHealthcareConsentStores
cloudasset.assets.listHealthcareDatasets
cloudasset.assets.listHealthcareDicomStores
cloudasset.assets.listHealthcareFhirStores
cloudasset.assets.listHealthcareHl7V2Stores
cloudasset.assets.listIamPolicy
cloudasset.assets.listIamRoles
cloudasset.assets.listIamServiceAccountKeys
cloudasset.assets.listIamServiceAccounts
cloudasset.assets.listIapTunnel
cloudasset.assets.listIapTunnelInstances
cloudasset.assets.listIapTunnelZones
cloudasset.assets.listIapWeb
cloudasset.assets.listIapWebServiceVersion
cloudasset.assets.listIapWebServices
cloudasset.assets.listIapWebType
cloudasset.assets.listIdsEndpoints
cloudasset.assets.listIntegrationsAuthConfigs
cloudasset.assets.listIntegrationsCertificates
cloudasset.assets.listIntegrationsExecutions
cloudasset.assets.listIntegrationsIntegrationVersions
cloudasset.assets.listIntegrationsIntegrations
cloudasset.assets.listIntegrationsSfdcChannels
cloudasset.assets.listIntegrationsSfdcInstances
cloudasset.assets.listIntegrationsSuspensions
cloudasset.assets.listLoggingLogMetrics
cloudasset.assets.listLoggingLogSinks
cloudasset.assets.listManagedidentitiesDomain
cloudasset.assets.listMetastoreBackups
cloudasset.assets.listMetastoreMetadataImports
cloudasset.assets.listMetastoreServices
cloudasset.assets.listMonitoringAlertPolicies
cloudasset.assets.listNetworkConnectivityHubs
cloudasset.assets.listNetworkConnectivitySpokes
cloudasset.assets.listNetworkManagementConnectivityTests
cloudasset.assets.listNetworkServicesEndpointPolicies
cloudasset.assets.listNetworkServicesGateways
cloudasset.assets.listNetworkServicesGrpcRoutes
cloudasset.assets.listNetworkServicesHttpRoutes
cloudasset.assets.listNetworkServicesMeshes
cloudasset.assets.listNetworkServicesServiceBindings
cloudasset.assets.listNetworkServicesTcpRoutes
cloudasset.assets.listNetworkServicesTlsRoutes
cloudasset.assets.listOSConfigOSPolicyAssignmentReports
cloudasset.assets.listOSConfigOSPolicyAssignments
cloudasset.assets.listOSConfigVulnerabilityReports
cloudasset.assets.listOSInventories
cloudasset.assets.listOrgPolicy
cloudasset.assets.listPatchDeployments
cloudasset.assets.listPubsubSnapshots
cloudasset.assets.listPubsubSubscriptions
cloudasset.assets.listPubsubTopics
cloudasset.assets.listRedisInstances
cloudasset.assets.listResource
cloudasset.assets.listRunDomainMapping
cloudasset.assets.listRunRevision
cloudasset.assets.listRunService
cloudasset.assets.listSecretManagerSecretVersions
cloudasset.assets.listSecretManagerSecrets
cloudasset.assets.listServiceDirectoryNamespaces
cloudasset.assets.listServicePerimeter
cloudasset.assets.listServiceconsumermanagementConsumerProperty
cloudasset.assets.listServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.listServiceconsumermanagementConsumers
cloudasset.assets.listServiceconsumermanagementProducerOverrides
cloudasset.assets.listServiceconsumermanagementTenancyUnits
cloudasset.assets.listServiceconsumermanagementVisibility
cloudasset.assets.listServicemanagementServices
cloudasset.assets.listServiceusageAdminOverrides
cloudasset.assets.listServiceusageConsumerOverrides
cloudasset.assets.listServiceusageServices
cloudasset.assets.listSpannerBackups
cloudasset.assets.listSpannerDatabases
cloudasset.assets.listSpannerInstances
cloudasset.assets.listSpeakerIdPhrases
cloudasset.assets.listSpeakerIdSettings
cloudasset.assets.listSpeakerIdSpeakers
cloudasset.assets.listSpeechCustomClasses
cloudasset.assets.listSpeechPhraseSets
cloudasset.assets.listSqladminBackupRuns
cloudasset.assets.listSqladminInstances
cloudasset.assets.listStorageBuckets
cloudasset.assets.listTpuNodes
cloudasset.assets.listVpcaccessConnector
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudasset.feeds.*
cloudsql.instances.connect
cloudsql.users.list
compute.disks.useReadOnly
compute.globalOperations.get
compute.instances.get
compute.instances.list
compute.networkEndpointGroups.get
compute.projects.get
container.clusters.get
iam.denypolicies.get
iam.denypolicies.list
iam.googleapis.com/workloadIdentityPoolProviders.list
iam.googleapis.com/workloadIdentityPools.list
logging.logEntries.list
monitoring.alertPolicies.list
monitoring.timeSeries.list
orgpolicy.policies.list
orgpolicy.policy.get
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.list
securitycenter.assetsecuritymarks.update
securitycenter.findings.list
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.update
securitycenter.organizationsettings.get
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.sources.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.update
serviceusage.quotas.get
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
stackdriver.projects.get
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
Service Directory Service Agent
(roles/servicedirectory.serviceAgent)
Give the Service Directory service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except service agents.
container.clusters.get
gkehub.features.get
gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.endpoints.create
servicedirectory.endpoints.delete
servicedirectory.endpoints.get
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.endpoints.update
servicedirectory.locations.*
servicedirectory.namespaces.associatePrivateZone
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.namespaces.get
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.namespaces.update
servicedirectory.networks.attach
servicedirectory.services.bind
servicedirectory.services.create
servicedirectory.services.delete
servicedirectory.services.get
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicedirectory.services.resolve
servicedirectory.services.update
Service Networking Service Agent
(roles/servicenetworking.serviceAgent)
Gives permission to manage network configuration, such as establishing network peering, necessary for service producers
Warning: Do not grant service agent roles to any principals except service agents.
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalOperations.get
compute.networks.addPeering
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.removePeering
compute.networks.update
compute.networks.updatePeering
compute.networks.updatePolicy
compute.projects.get
compute.regionOperations.get
compute.routers.get
compute.routers.list
compute.routes.list
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.list
dns.changes.*
dns.dnsKeys.*
dns.gkeClusters.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.update
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.getIamPolicy
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
networkconnectivity.internalRanges.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Source Repositories Service Agent
(roles/sourcerepo.serviceAgent)
Allow Cloud Source Repositories to integrate with other Cloud services.
Warning: Do not grant service agent roles to any principals except service agents.
iam.serviceAccounts.getAccessToken
pubsub.topics.publish
Cloud Spanner API Service Agent
(roles/spanner.serviceAgent)
Cloud Spanner API Service Agent
Warning: Do not grant service agent roles to any principals except service agents.
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.endpoints.predict
aiplatform.models.get
aiplatform.models.list
Spectrum SAS Service Agent
(roles/spectrumsas.serviceAgent)
Gives Spectrum SAS Service Account access to enable analytics on behalf of users.
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.datasets.create
bigquery.jobs.create
bigquery.tables.create
bigquery.tables.updateData
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Speech-to-Text Service Agent
(roles/speech.serviceAgent)
Gives Speech-to-Text service account access to Cloud Storage resources.
Warning: Do not grant service agent roles to any principals except service agents.
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update
StorageInsights Service Agent
(roles/storageinsights.serviceAgent)
Permissions for Insights to write reports into customer project
Warning: Do not grant service agent roles to any principals except service agents.
bigquery.datasets.create
serviceusage.services.use
storageinsights.reportDetails.list
Storage Transfer Service Agent
(roles/storagetransfer.serviceAgent)
Grants Storage Transfer Service Agent permissions required to run transfers
Warning: Do not grant service agent roles to any principals except service agents.
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.publish
pubsub.topics.update
Stream Service Agent
(roles/stream.serviceAgent)
Gives Immersive Stream for XR access to the required resources.
Warning: Do not grant service agent roles to any principals except service agents.
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list
Cloud TPU API Service Agent
(roles/tpu.serviceAgent)
Give Cloud TPUs service account access to managed resources
Warning: Do not grant service agent roles to any principals except service agents.
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.zones.*
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
Transcoder Service Agent
(roles/transcoder.serviceAgent)
Downloads and uploads media files from and to customer Cloud Storage buckets. Publishes status updates to customer Pub/Sub.
Warning: Do not grant service agent roles to any principals except service agents.
pubsub.topics.publish
storage.objects.create
storage.objects.delete
storage.objects.get
transcoder.jobs.delete
Cloud Vision AI Service Agent
(roles/visionai.serviceAgent)
Grants Cloud Vision AI service account permissions to manage resources in consumer project
Warning: Do not grant service agent roles to any principals except service agents.
aiplatform.endpoints.predict
aiplatform.models.export
aiplatform.models.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.models.export
bigquery.readsessions.create
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
cloudfunctions.functions.get
cloudfunctions.functions.invoke
cloudfunctions.functions.list
compute.machineTypes.get
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
run.jobs.run
run.routes.invoke
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
visionai.analyses.create
visionai.analyses.delete
visionai.analyses.get
visionai.analyses.list
visionai.analyses.update
visionai.annotations.*
visionai.applications.*
visionai.assets.*
visionai.clusters.create
visionai.clusters.delete
visionai.clusters.get
visionai.clusters.list
visionai.clusters.update
visionai.clusters.watch
visionai.corpora.*
visionai.dataSchemas.*
visionai.drafts.*
visionai.events.create
visionai.events.delete
visionai.events.get
visionai.events.list
visionai.events.update
visionai.indexEndpoints.*
visionai.indexes.*
visionai.instances.*
visionai.operations.get
visionai.operations.list
visionai.operators.create
visionai.operators.delete
visionai.operators.get
visionai.operators.list
visionai.operators.update
visionai.processors.create
visionai.processors.delete
visionai.processors.get
visionai.processors.list
visionai.processors.update
visionai.searchConfigs.*
visionai.series.acquireLease
visionai.series.create
visionai.series.delete
visionai.series.get
visionai.series.list
visionai.series.receive
visionai.series.releaseLease
visionai.series.renewLease
visionai.series.send
visionai.series.update
visionai.streams.create
visionai.streams.delete
visionai.streams.get
visionai.streams.list
visionai.streams.receive
visionai.streams.send
visionai.streams.update
visionai.uistreams.*
Visual Inspection AI Service Agent
(roles/visualinspection.serviceAgent)
Grants Visual Inspection AI Service Agent admin roles for accessing/exporting training data, pushing containers artifacts to GCR and ArtifactsRegistry, and Vertex AI for storing data and running training jobs.
Warning: Do not grant service agent roles to any principals except service agents.
aiplatform.*
artifactregistry.aptartifacts.create
artifactregistry.attachments.*
artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.kfpartifacts.create
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.*
artifactregistry.projectsettings.*
artifactregistry.pythonpackages.*
artifactregistry.repositories.create
artifactregistry.repositories.createTagBinding
artifactregistry.repositories.delete
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.repositories.setIamPolicy
artifactregistry.repositories.update
artifactregistry.repositories.uploadArtifacts
artifactregistry.rules.*
artifactregistry.tags.*
artifactregistry.versions.*
artifactregistry.yumartifacts.create
firebase.projects.get
orgpolicy.policy.get
recommender.iamPolicyInsights.*
recommender.iamPolicyRecommendations.*
recommender.storageBucketSoftDeleteInsights.*
recommender.storageBucketSoftDeleteRecommendations.*
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.projects.get
resourcemanager.projects.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
VM Migration Service Agent
(roles/vmmigration.serviceAgent)
Grants VM Migration Service Account access to create migrated VMs, disks and images in the user project.
Warning: Do not grant service agent roles to any principals except service agents.
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.globalOperations.get
compute.globalOperations.list
compute.images.create
compute.images.get
compute.images.setLabels
compute.images.useReadOnly
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.stop
compute.instances.update
compute.instances.useReadOnly
compute.machineImages.create
compute.machineImages.get
compute.machineTypes.list
compute.networks.use
compute.networks.useExternalIp
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.list
VMware Engine Service Agent
(roles/vmwareengine.serviceAgent)
Gives permission to manage network configuration, such as establishing network peering, necessary for GCVE
Warning: Do not grant service agent roles to any principals except service agents.
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.removePeering
compute.networks.update
compute.networks.updatePeering
compute.networks.updatePolicy
compute.projects.get
compute.regionOperations.get
compute.routers.get
compute.routers.list
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
dns.changes.*
dns.dnsKeys.*
dns.gkeClusters.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.update
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.getIamPolicy
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
resourcemanager.projects.get
resourcemanager.projects.list
vmwareengine.externalAddresses.get
vmwareengine.externalAddresses.list
vmwareengine.nodes.*
Serverless VPC Access Service Agent
(roles/vpcaccess.serviceAgent)
Can create and manage resources to support serverless application to connect to virtual private cloud.
Warning: Do not grant service agent roles to any principals except service agents.
billing.accounts.get
compute.autoscalers.*
compute.disks.create
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.healthChecks.useReadOnly
compute.httpHealthChecks.create
compute.httpHealthChecks.delete
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.use
compute.httpHealthChecks.useReadOnly
compute.httpsHealthChecks.create
compute.httpsHealthChecks.delete
compute.httpsHealthChecks.get
compute.httpsHealthChecks.update
compute.httpsHealthChecks.use
compute.httpsHealthChecks.useReadOnly
compute.images.get
compute.images.useReadOnly
compute.instanceGroupManagers.create
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.get
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.update
compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.useReadOnly
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.list
compute.instances.reset
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.use
compute.machineTypes.get
compute.networks.get
compute.networks.use
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
deploymentmanager.compositeTypes.get
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.update
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.typeProviders.create
deploymentmanager.typeProviders.get
logging.logEntries.create
logging.logMetrics.create
logging.logMetrics.delete
logging.logMetrics.get
logging.logMetrics.update
resourcemanager.projects.get
Cloud Web Security Scanner Service Agent
(roles/websecurityscanner.serviceAgent)
Gives the Cloud Web Security Scanner service account access to compute engine details and app engine details.
Warning: Do not grant service agent roles to any principals except service agents.
appengine.applications.get
cloudasset.assets.listResource
compute.addresses.list
compute.backendServices.get
compute.forwardingRules.get
compute.globalForwardingRules.get
compute.sslCertificates.list
compute.targetHttpProxies.get
compute.targetHttpsProxies.get
compute.urlMaps.get
Cloud Workflows Service Agent
(roles/workflows.serviceAgent)
Gives Cloud Workflows service account access to managed resources.
Warning: Do not grant service agent roles to any principals except service agents.
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
serviceusage.services.use
Workload Certificate Service Agent
(roles/workloadcertificate.serviceAgent)
Gives the Workload Certificate service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except service agents.
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusters.get
container.clusters.update
container.customResourceDefinitions.create
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.operations.get
container.thirdPartyObjects.update
gkehub.features.get
gkehub.fleet.create
gkehub.fleet.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
gkehub.operations.get
serviceconsumermanagement.tenancyu.addResource
serviceconsumermanagement.tenancyu.create
serviceconsumermanagement.tenancyu.delete
serviceconsumermanagement.tenancyu.removeResource
serviceusage.services.use
workloadcertificate.workloadCertificateFeature.get
workloadcertificate.workloadRegistrations.list
Workload Manager Service Agent
(roles/workloadmanager.serviceAgent)
Gives Workload Manager Service Agent access to CAI export functions and Cloud Monitoring.
Warning: Do not grant service agent roles to any principals except service agents.
cloudasset.assets.exportAccessPolicy
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportOrgPolicy
cloudasset.assets.exportResource
cloudasset.assets.listAccessPolicy
cloudasset.assets.listIamPolicy
cloudasset.assets.listOSInventories
cloudasset.assets.listOrgPolicy
cloudasset.assets.listResource
cloudasset.assets.searchAllResources
config.deployments.create
config.deployments.delete
config.deployments.get
config.deployments.list
config.deployments.update
config.locations.*
config.operations.*
config.resources.list
config.revisions.get
config.revisions.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.list
serviceusage.services.use
workloadmanager.insights.export
workloadmanager.insights.listSapSystems
Workstations Service Agent
(roles/workstations.serviceAgent)
Grants the Workstations Service Account access to manage resources in consumer project.
Warning: Do not grant service agent roles to any principals except service agents.
compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.use
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.deleteTagBinding
compute.disks.get
compute.disks.list
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.globalOperations.get
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.regionOperations.get
compute.regions.get
compute.snapshots.create
compute.snapshots.createTagBinding
compute.snapshots.delete
compute.snapshots.deleteTagBinding
compute.snapshots.get
compute.snapshots.listTagBindings
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.get
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
dns.networks.bindPrivateDNSZone
dns.networks.targetWithPeeringZone
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.tagValueBindings.*
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
serviceusage.services.get
Service Consumer Management roles
Permissions
Admin of Tenancy Units
Beta
(roles/serviceconsumermanagement.tenancyUnitsAdmin)
Administrate tenancy units
serviceconsumermanagement.tenancyu.*
Viewer of Tenancy Units
Beta
(roles/serviceconsumermanagement.tenancyUnitsViewer)
View tenancy units
serviceconsumermanagement.tenancyu.list
Service Directory roles
Permissions
Service Directory Admin
(roles/servicedirectory.admin)
Full control of all Service Directory resources and permissions.
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.endpoints.*
servicedirectory.locations.*
servicedirectory.namespaces.*
servicedirectory.networks.attach
servicedirectory.services.*
Service Directory Editor
(roles/servicedirectory.editor)
Edit Service Directory resources.
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.endpoints.create
servicedirectory.endpoints.delete
servicedirectory.endpoints.get
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.endpoints.update
servicedirectory.locations.*
servicedirectory.namespaces.associatePrivateZone
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.namespaces.get
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.namespaces.update
servicedirectory.networks.attach
servicedirectory.services.bind
servicedirectory.services.create
servicedirectory.services.delete
servicedirectory.services.get
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicedirectory.services.resolve
servicedirectory.services.update
Service Directory Network Attacher
(roles/servicedirectory.networkAttacher)
Gives access to attach VPC Networks to Service Directory Endpoints
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.networks.attach
Private Service Connect Authorized Service
(roles/servicedirectory.pscAuthorizedService)
Gives access to VPC Networks via Service Directory
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.networks.access
Service Directory Viewer
(roles/servicedirectory.viewer)
View Service Directory resources.
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.endpoints.get
servicedirectory. endpoints. getIamPolicy
servicedirectory. endpoints. list
servicedirectory.locations.*
servicedirectory. namespaces. get
servicedirectory. namespaces. getIamPolicy
servicedirectory. namespaces. list
servicedirectory.services.get
servicedirectory. services. getIamPolicy
servicedirectory.services.list
servicedirectory. services. resolve
Service Management roles
Permissions
Cloud Run Service Agent
(roles/serverless.serviceAgent)
Gives Cloud Run service account access to managed resources.
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.policy.evaluatePolicy
clientauthconfig.clients.list
cloudbuild.builds.create
cloudbuild.builds.get
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.globalOperations.get
compute.networks.access
compute.networks.get
compute.subnetworks.get
compute.subnetworks.use
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.signBlob
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.routes.invoke
serviceusage.services.use
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
vpcaccess.connectors.get
vpcaccess.connectors.use
Service Management Administrator
(roles/servicemanagement.admin)
Full control of Google Service Management resources.
monitoring.timeSeries.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceconsumermanagement.*
servicemanagement.*
serviceusage.quotas.get
serviceusage.services.get
Service Config Editor
(roles/servicemanagement.configEditor)
Access to update the service config and create rollouts.
servicemanagement.services.get
servicemanagement.services.update
Quota Administrator
Beta
(roles/servicemanagement.quotaAdmin)
Provides access to administer service quotas.
Lowest-level resources where you can grant this role:
cloudquotas.*
monitoring.alertPolicies.*
monitoring.timeSeries.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.*
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Quota Viewer
Beta
(roles/servicemanagement.quotaViewer)
Provides access to view service quotas.
Lowest-level resources where you can grant this role:
cloudquotas.quotas.get
monitoring.timeSeries.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Service Reporter
(roles/servicemanagement.reporter)
Can report usage of a service during runtime.
servicemanagement.services.report
Service Consumer
(roles/servicemanagement.serviceConsumer)
Can enable the service.
servicemanagement.services.bind
Service Controller
(roles/servicemanagement.serviceController)
Can check preconditions and report usage of a service during runtime.
Lowest-level resources where you can grant this role:
servicemanagement.services.check
servicemanagement.services.get
servicemanagement.services.quota
servicemanagement.services.report
Service Networking roles
Permissions
Service Networking Admin
Beta
(roles/servicenetworking.networksAdmin)
Full control of service networking with projects.
servicenetworking.*
Service Usage roles
Permissions
API Keys Admin
(roles/serviceusage.apiKeysAdmin)
Ability to create, delete, update, get and list API keys for a project.
apikeys.*
orgpolicy.policy.get
serviceusage.apiKeys.*
API Keys Viewer
(roles/serviceusage.apiKeysViewer)
Ability to get and list API keys for a project.
apikeys.keys.get
apikeys.keys.getKeyString
apikeys.keys.list
apikeys.keys.lookup
Service Usage Admin
(roles/serviceusage.serviceUsageAdmin)
Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.
monitoring.timeSeries.list
serviceusage.quotas.*
serviceusage.services.*
Service Usage Consumer
(roles/serviceusage.serviceUsageConsumer)
Ability to inspect service states and operations, and consume quota and billing for a consumer project.
monitoring.timeSeries.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
Service Usage Viewer
(roles/serviceusage.serviceUsageViewer)
Ability to inspect service states and operations for a consumer project.
monitoring.timeSeries.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Source roles
Permissions
Source Repository Administrator
(roles/source.admin)
Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies.
Lowest-level resources where you can grant this role:
source.*
Source Repository Reader
(roles/source.reader)
Provides permissions to list, clone, fetch, and browse repositories.
Lowest-level resources where you can grant this role:
source.repos.get
source.repos.list
Source Repository Writer
(roles/source.writer)
Provides permissions to list, clone, fetch, browse, and update repositories.
Lowest-level resources where you can grant this role:
source.repos.get
source.repos.list
source.repos.update
Stackdriver roles
Permissions
Stackdriver Accounts Editor
(roles/stackdriver.accounts.editor)
Read/write access to manage Stackdriver account structure.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
serviceusage.services.get
stackdriver.projects.*
Stackdriver Accounts Viewer
(roles/stackdriver.accounts.viewer)
Read-only access to get and list information about Stackdriver account structure.
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
(roles/stackdriver.resourceMetadata.writer)
Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.
stackdriver.resourceMetadata.write
Stream roles
Permissions
Stream Admin
(roles/stream.admin)
Full access to all Stream resources.
resourcemanager.projects.get
resourcemanager.projects.list
stream.*
Stream Content Admin
(roles/stream.contentAdmin)
Full access to all StreamContent resources.
resourcemanager.projects.get
resourcemanager.projects.list
stream.streamContents.*
Stream Content Builder
(roles/stream.contentBuilder)
Read and build access to StreamContent resources.
resourcemanager.projects.get
resourcemanager.projects.list
stream.streamContents.build
stream.streamContents.get
stream.streamContents.list
Stream Instance Admin
(roles/stream.instanceAdmin)
Full access to all StreamInstance resources and read access to all StreamContent resources.
resourcemanager.projects.get
resourcemanager.projects.list
stream.streamContents.get
stream.streamContents.list
stream.streamInstances.*
Stream Viewer
(roles/stream.viewer)
Read-only access to all Stream resources.
resourcemanager.projects.get
resourcemanager.projects.list
stream.locations.*
stream.operations.get
stream.operations.list
stream.streamContents.get
stream.streamContents.list
stream.streamInstances.get
stream.streamInstances.list
Support roles
Permissions
Support Account Administrator
(roles/cloudsupport.admin)
Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information.
Lowest-level resources where you can grant this role:
cloudsupport.accounts.*
cloudsupport.operations.get
cloudsupport.properties.get
resourcemanager.organizations.get
Tech Support Editor
(roles/cloudsupport.techSupportEditor)
Full read-write access to technical support cases (applicable for GCP Customer Care and Maps support). See the Cloud Support documentation for more information.
billing.resourceAssociations.list
cloudasset.assets.searchAllResources
cloudsupport.properties.get
cloudsupport.techCases.*
resourcemanager.projects.get
resourcemanager.projects.list
Tech Support Viewer
(roles/cloudsupport.techSupportViewer)
Read-only access to technical support cases (applicable for GCP Customer Care and Maps support). See the Cloud Support documentation for more information.
cloudsupport.properties.get
cloudsupport.techCases.get
cloudsupport.techCases.list
resourcemanager.projects.get
resourcemanager.projects.list
Support Account Viewer
(roles/cloudsupport.viewer)
Read-only access to details of a support account. This does not allow viewing cases. See the Cloud Support documentation for more information.
Lowest-level resources where you can grant this role:
cloudsupport.accounts.get
cloudsupport.accounts.getUserRoles
cloudsupport.accounts.list
cloudsupport.properties.get
Third-party Partner roles
Permissions
Dell EMC Cloud OneFS Admin
Beta
(roles/dellemccloudonefs.admin)
This role is managed by Dell EMC, not Google.
cloudonefs.isiloncloud.com/*
resourcemanager.projects.get
resourcemanager.projects.list
Dell EMC Cloud OneFS User
Beta
(roles/dellemccloudonefs.user)
This role is managed by Dell EMC, not Google.
cloudonefs.isiloncloud.com/clusters.create
cloudonefs.isiloncloud.com/clusters.delete
cloudonefs.isiloncloud.com/clusters.get
cloudonefs.isiloncloud.com/clusters.list
cloudonefs.isiloncloud.com/clusters.update
cloudonefs.isiloncloud.com/fileshares.*
resourcemanager.projects.get
resourcemanager.projects.list
Dell EMC Cloud OneFS Viewer
Beta
(roles/dellemccloudonefs.viewer)
This role is managed by Dell EMC, not Google.
cloudonefs.isiloncloud.com/clusters.get
cloudonefs.isiloncloud.com/clusters.list
cloudonefs.isiloncloud.com/fileshares.get
cloudonefs.isiloncloud.com/fileshares.list
resourcemanager.projects.get
resourcemanager.projects.list
NetApp Cloud Volumes Admin
Beta
(roles/netappcloudvolumes.admin)
This role is managed by NetApp, not Google.
cloudvolumesgcp-api.netapp.com/*
resourcemanager.projects.get
resourcemanager.projects.list
NetApp Cloud Volumes Viewer
Beta
(roles/netappcloudvolumes.viewer)
This role is managed by NetApp, not Google.
cloudvolumesgcp-api.netapp.com/activeDirectories.get
cloudvolumesgcp-api.netapp.com/activeDirectories.list
cloudvolumesgcp-api.netapp.com/ipRanges.list
cloudvolumesgcp-api.netapp.com/jobs.*
cloudvolumesgcp-api.netapp.com/regions.list
cloudvolumesgcp-api.netapp.com/serviceLevels.list
cloudvolumesgcp-api.netapp.com/snapshots.get
cloudvolumesgcp-api.netapp.com/snapshots.list
cloudvolumesgcp-api.netapp.com/volumes.get
cloudvolumesgcp-api.netapp.com/volumes.list
resourcemanager.projects.get
resourcemanager.projects.list
Redis Enterprise Cloud Admin
Beta
(roles/redisenterprisecloud.admin)
This role is managed by Redis Labs, not Google.
gcp.redisenterprise.com/*
resourcemanager.projects.get
resourcemanager.projects.list
Redis Enterprise Cloud Viewer
Beta
(roles/redisenterprisecloud.viewer)
This role is managed by Redis Labs, not Google.
gcp.redisenterprise.com/databases.get
gcp.redisenterprise.com/databases.list
gcp.redisenterprise.com/subscriptions.get
gcp.redisenterprise.com/subscriptions.list
resourcemanager.projects.get
resourcemanager.projects.list
Transcoder roles
Permissions
Transcoder Admin
(roles/transcoder.admin)
Full access to all transcoder resources.
resourcemanager.projects.get
resourcemanager.projects.list
transcoder.*
Transcoder Viewer
(roles/transcoder.viewer)
Viewer of all transcoder resources.
resourcemanager.projects.get
resourcemanager.projects.list
transcoder.jobTemplates.get
transcoder.jobTemplates.list
transcoder.jobs.get
transcoder.jobs.list
Transfer Appliance roles
Permissions
Transfer Appliance Admin
Beta
(roles/transferappliance.admin)
Full access to all Transfer Appliance resources.
resourcemanager.projects.get
resourcemanager.projects.list
transferappliance.*
Transfer Appliance Viewer
Beta
(roles/transferappliance.viewer)
Read-only access to all Transfer Appliance resources.
resourcemanager.projects.get
resourcemanager.projects.list
transferappliance.appliances.get
transferappliance.appliances.list
transferappliance.locations.*
transferappliance.operations.get
transferappliance.operations.list
transferappliance.orders.get
transferappliance.orders.list
transferappliance.savedAddresses.get
transferappliance.savedAddresses.list
Vertex AI roles
Permissions
(roles/aiplatform.admin)
Grants full access to all resources in Vertex AI.
aiplatform.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/aiplatform.colabEnterpriseAdmin)
Admin role for using Colab Enterprise.
aiplatform.notebookExecutionJobs.*
aiplatform.notebookRuntimeTemplates.*
aiplatform.notebookRuntimes.*
aiplatform.operations.list
aiplatform.pipelineJobs.create
aiplatform.schedules.*
compute.reservations.get
compute.reservations.list
dataform.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/aiplatform.colabEnterpriseUser)
User role for using Colab Enterprise.
aiplatform.notebookExecutionJobs.*
aiplatform.notebookRuntimeTemplates.apply
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.getIamPolicy
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimes.assign
aiplatform.notebookRuntimes.get
aiplatform.notebookRuntimes.list
aiplatform.operations.list
aiplatform.pipelineJobs.create
aiplatform.schedules.*
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/aiplatform.entityTypeOwner)
Provides full access to all permissions for a particular entity type resource.
Lowest-level resources where you can grant this role:
aiplatform.entityTypes.delete
aiplatform.entityTypes.deleteFeatureValues
aiplatform.entityTypes.exportFeatureValues
aiplatform.entityTypes.get
aiplatform.entityTypes.getIamPolicy
aiplatform.entityTypes.importFeatureValues
aiplatform.entityTypes.readFeatureValues
aiplatform.entityTypes.setIamPolicy
aiplatform.entityTypes.streamingReadFeatureValues
aiplatform.entityTypes.update
aiplatform.entityTypes.writeFeatureValues
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.*
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.searchNearestEntities
aiplatform.features.*
aiplatform.featurestores.batchReadFeatureValues
resourcemanager.projects.get
resourcemanager.projects.list
(roles/aiplatform.expressAdmin)
Grants admin access to Vertex AI Express
aiplatform.datasetVersions.*
aiplatform.datasets.create
aiplatform.datasets.delete
aiplatform.datasets.get
aiplatform.datasets.list
aiplatform.datasets.update
aiplatform.endpoints.predict
(roles/aiplatform.expressUser)
Grants user access to Vertex AI Express
aiplatform.endpoints.predict
(roles/aiplatform.featurestoreAdmin)
Grants full access to all resources in Vertex AI Feature Store
Lowest-level resources where you can grant this role:
aiplatform.entityTypes.*
aiplatform.featureGroups.*
aiplatform.featureOnlineStores.*
aiplatform.featureViewSyncs.*
aiplatform.featureViews.*
aiplatform.features.*
aiplatform.featurestores.*
aiplatform.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/aiplatform.featurestoreDataViewer)
This role provides permissions to read Feature data.
Lowest-level resources where you can grant this role:
aiplatform.entityTypes.exportFeatureValues
aiplatform.entityTypes.get
aiplatform.entityTypes.readFeatureValues
aiplatform.entityTypes.streamingReadFeatureValues
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.*
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.searchNearestEntities
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.batchReadFeatureValues
resourcemanager.projects.get
resourcemanager.projects.list
(roles/aiplatform.featurestoreDataWriter)
This role provides permissions to read and write Feature data.
Lowest-level resources where you can grant this role:
aiplatform.entityTypes.deleteFeatureValues
aiplatform.entityTypes.exportFeatureValues
aiplatform.entityTypes.get
aiplatform.entityTypes.importFeatureValues
aiplatform.entityTypes.readFeatureValues
aiplatform.entityTypes.streamingReadFeatureValues
aiplatform.entityTypes.writeFeatureValues
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.*
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.searchNearestEntities
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.batchReadFeatureValues
resourcemanager.projects.get
resourcemanager.projects.list
(roles/aiplatform.featurestoreInstanceCreator)
Administrator of Featurestore resources, but not the child resources under Featurestores.
Lowest-level resources where you can grant this role:
aiplatform.featurestores.create
aiplatform.featurestores.delete
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.featurestores.update
(roles/aiplatform.featurestoreResourceViewer)
Viewer of all resources in Vertex AI Feature Store but cannot make changes.
Lowest-level resources where you can grant this role:
aiplatform.entityTypes.get
aiplatform.entityTypes.list
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.*
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/aiplatform.featurestoreUser)
Deprecated. Use featurestoreAdmin instead.
aiplatform.entityTypes.*
aiplatform.features.*
aiplatform.featurestores.*
aiplatform.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/aiplatform.migrator)
Grants access to use migration service in Vertex AI
aiplatform.migratableResources.*
(roles/aiplatform.notebookExecutorUser)
Grants users full access to schedules and notebook execution jobs.
aiplatform.notebookExecutionJobs.*
aiplatform.operations.list
aiplatform.pipelineJobs.create
aiplatform.schedules.*
(roles/aiplatform.notebookRuntimeAdmin)
Grants full access to all runtime templates and runtimes in Notebook Service.
aiplatform.notebookRuntimeTemplates.*
aiplatform.notebookRuntimes.*
aiplatform.operations.list
compute.reservations.get
compute.reservations.list
(roles/aiplatform.notebookRuntimeUser)
Grants users permissions to create runtime resources using a runtime template and manage the runtime resources they created.
aiplatform.notebookRuntimeTemplates.apply
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.getIamPolicy
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimes.assign
aiplatform.notebookRuntimes.get
aiplatform.notebookRuntimes.list
aiplatform.operations.list
(roles/aiplatform.tensorboardWebAppUser)
Grants access to the Vertex AI TensorBoard web app.
aiplatform.tensorboards.recordAccess
(roles/aiplatform.user)
Grants access to use all resources in Vertex AI
aiplatform.agentExamples.*
aiplatform.agents.*
aiplatform.annotationSpecs.*
aiplatform.annotations.*
aiplatform.apps.*
aiplatform.artifacts.*
aiplatform.batchPredictionJobs.*
aiplatform.cacheConfigs.get
aiplatform.cachedContents.*
aiplatform.consents.get
aiplatform.contexts.*
aiplatform.customJobs.*
aiplatform.dataItems.*
aiplatform.dataLabelingJobs.*
aiplatform.datasetVersions.*
aiplatform.datasets.*
aiplatform.deploymentResourcePools.*
aiplatform.edgeDeploymentJobs.*
aiplatform.edgeDeviceDebugInfo.get
aiplatform.edgeDevices.*
aiplatform.endpoints.create
aiplatform.endpoints.delete
aiplatform.endpoints.deploy
aiplatform.endpoints.explain
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.endpoints.predict
aiplatform.endpoints.undeploy
aiplatform.endpoints.update
aiplatform.entityTypes.create
aiplatform.entityTypes.delete
aiplatform.entityTypes.deleteFeatureValues
aiplatform.entityTypes.exportFeatureValues
aiplatform.entityTypes.get
aiplatform.entityTypes.importFeatureValues
aiplatform.entityTypes.list
aiplatform.entityTypes.readFeatureValues
aiplatform.entityTypes.streamingReadFeatureValues
aiplatform.entityTypes.update
aiplatform.entityTypes.writeFeatureValues
aiplatform.executions.*
aiplatform.extensions.*
aiplatform.featureGroups.*
aiplatform.featureOnlineStores.create
aiplatform.featureOnlineStores.delete
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureOnlineStores.update
aiplatform.featureViewSyncs.*
aiplatform.featureViews.create
aiplatform.featureViews.delete
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.searchNearestEntities
aiplatform.featureViews.sync
aiplatform.featureViews.update
aiplatform.features.*
aiplatform.featurestores.batchReadFeatureValues
aiplatform.featurestores.create
aiplatform.featurestores.delete
aiplatform.featurestores.exportFeatures
aiplatform.featurestores.get
aiplatform.featurestores.importFeatures
aiplatform.featurestores.list
aiplatform.featurestores.readFeatures
aiplatform.featurestores.update
aiplatform.featurestores.writeFeatures
aiplatform.humanInTheLoops.*
aiplatform.hyperparameterTuningJobs.*
aiplatform.indexEndpoints.*
aiplatform.indexes.*
aiplatform.locations.*
aiplatform.metadataSchemas.*
aiplatform.metadataStores.*
aiplatform.modelDeploymentMonitoringJobs.*
aiplatform.modelEvaluationSlices.*
aiplatform.modelEvaluations.*
aiplatform.modelMonitoringJobs.*
aiplatform.modelMonitors.*
aiplatform.models.*
aiplatform.nasJobs.*
aiplatform.nasTrialDetails.*
aiplatform.notebookExecutionJobs.*
aiplatform.notebookRuntimeTemplates.apply
aiplatform.notebookRuntimeTemplates.create
aiplatform.notebookRuntimeTemplates.delete
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimeTemplates.update
aiplatform.notebookRuntimes.*
aiplatform.operations.list
aiplatform.persistentResources.get
aiplatform.persistentResources.list
aiplatform.pipelineJobs.*
aiplatform.reasoningEngines.*
aiplatform.schedules.*
aiplatform.sessions.*
aiplatform.specialistPools.*
aiplatform.studies.*
aiplatform.tensorboardExperiments.*
aiplatform.tensorboardRuns.*
aiplatform.tensorboardTimeSeries.*
aiplatform.tensorboards.create
aiplatform.tensorboards.delete
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.tensorboards.update
aiplatform.trainingPipelines.*
aiplatform.trials.*
aiplatform.tuningJobs.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/aiplatform.viewer)
Grants access to view all resources in Vertex AI
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agents.get
aiplatform.agents.list
aiplatform.annotationSpecs.get
aiplatform.annotationSpecs.list
aiplatform.annotations.get
aiplatform.annotations.list
aiplatform.apps.get
aiplatform.apps.list
aiplatform.artifacts.get
aiplatform.artifacts.list
aiplatform.batchPredictionJobs.get
aiplatform.batchPredictionJobs.list
aiplatform.cacheConfigs.get
aiplatform.cachedContents.get
aiplatform.cachedContents.list
aiplatform.consents.get
aiplatform.contexts.get
aiplatform.contexts.list
aiplatform.contexts.queryContextLineageSubgraph
aiplatform.customJobs.get
aiplatform.customJobs.list
aiplatform.dataItems.get
aiplatform.dataItems.list
aiplatform.dataLabelingJobs.get
aiplatform.dataLabelingJobs.list
aiplatform.datasetVersions.get
aiplatform.datasetVersions.list
aiplatform.datasets.get
aiplatform.datasets.list
aiplatform.deploymentResourcePools.get
aiplatform.deploymentResourcePools.list
aiplatform.deploymentResourcePools.queryDeployedModels
aiplatform.edgeDeploymentJobs.get
aiplatform.edgeDeploymentJobs.list
aiplatform.edgeDeviceDebugInfo.get
aiplatform.edgeDevices.get
aiplatform.edgeDevices.list
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.entityTypes.get
aiplatform.entityTypes.list
aiplatform.executions.get
aiplatform.executions.list
aiplatform.executions.queryExecutionInputsAndOutputs
aiplatform.extensions.get
aiplatform.extensions.list
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.featureOnlineStores.get
aiplatform.featureOnlineStores.list
aiplatform.featureViewSyncs.*
aiplatform.featureViews.fetchFeatureValues
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.searchNearestEntities
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.humanInTheLoops.get
aiplatform.humanInTheLoops.list
aiplatform.hyperparameterTuningJobs.get
aiplatform.hyperparameterTuningJobs.list
aiplatform.indexEndpoints.get
aiplatform.indexEndpoints.list
aiplatform.indexEndpoints.queryVectors
aiplatform.indexes.get
aiplatform.indexes.list
aiplatform.locations.*
aiplatform.metadataSchemas.get
aiplatform.metadataSchemas.list
aiplatform.metadataStores.get
aiplatform.metadataStores.list
aiplatform.modelDeploymentMonitoringJobs.get
aiplatform.modelDeploymentMonitoringJobs.list
aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies
aiplatform.modelEvaluationSlices.get
aiplatform.modelEvaluationSlices.list
aiplatform.modelEvaluations.get
aiplatform.modelEvaluations.list
aiplatform.modelMonitoringJobs.get
aiplatform.modelMonitoringJobs.list
aiplatform.modelMonitors.get
aiplatform.modelMonitors.list
aiplatform.modelMonitors.searchModelMonitoringAlerts
aiplatform.modelMonitors.searchModelMonitoringStats
aiplatform.models.get
aiplatform.models.list
aiplatform.nasJobs.get
aiplatform.nasJobs.list
aiplatform.nasTrialDetails.*
aiplatform.notebookExecutionJobs.get
aiplatform.notebookExecutionJobs.list
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimes.get
aiplatform.notebookRuntimes.list
aiplatform.operations.list
aiplatform.persistentResources.get
aiplatform.persistentResources.list
aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list
aiplatform.reasoningEngines.get
aiplatform.reasoningEngines.list
aiplatform.reasoningEngines.query
aiplatform.schedules.get
aiplatform.schedules.list
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.specialistPools.get
aiplatform.specialistPools.list
aiplatform.specialistPools.update
aiplatform.studies.get
aiplatform.studies.list
aiplatform.tensorboardExperiments.get
aiplatform.tensorboardExperiments.list
aiplatform.tensorboardRuns.get
aiplatform.tensorboardRuns.list
aiplatform.tensorboardTimeSeries.batchRead
aiplatform.tensorboardTimeSeries.get
aiplatform.tensorboardTimeSeries.list
aiplatform.tensorboardTimeSeries.read
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.trainingPipelines.get
aiplatform.trainingPipelines.list
aiplatform.trials.get
aiplatform.trials.list
aiplatform.tuningJobs.get
aiplatform.tuningJobs.list
resourcemanager.projects.get
resourcemanager.projects.list
Video Stitcher roles
Permissions
Video Stitcher Admin
(roles/videostitcher.admin)
Full access to all video stitcher resources.
resourcemanager.projects.get
resourcemanager.projects.list
videostitcher.*
Video Stitcher User
(roles/videostitcher.user)
Full access to video stitcher sessions.
resourcemanager.projects.get
resourcemanager.projects.list
videostitcher.liveSessions.*
videostitcher.vodSessions.*
Video Stitcher Viewer
(roles/videostitcher.viewer)
Read-only access to video stitcher resources.
resourcemanager.projects.get
resourcemanager.projects.list
videostitcher.cdnKeys.get
videostitcher.cdnKeys.list
videostitcher.liveAdTagDetails.*
videostitcher.liveConfigs.get
videostitcher.liveConfigs.list
videostitcher.liveSessions.get
videostitcher.operations.get
videostitcher.operations.list
videostitcher.slates.get
videostitcher.slates.list
videostitcher.vodAdTagDetails.*
videostitcher.vodConfigs.get
videostitcher.vodConfigs.list
videostitcher.vodSessions.get
videostitcher.vodStitchDetails.*
Vision AI roles
Permissions
VisionAI Admin
Beta
(roles/visionai.admin)
Full access to all Vision AI resources.
resourcemanager.projects.get
resourcemanager.projects.list
visionai.*
Vision AI Analysis Editor
Beta
(roles/visionai.analysisEditor)
Access to read and write Vision AI Analyses.
visionai.analyses.create
visionai.analyses.delete
visionai.analyses.get
visionai.analyses.list
visionai.analyses.update
Vision AI Analysis Viewer
Beta
(roles/visionai.analysisViewer)
Access to read Vision AI Analyses.
visionai.analyses.get
visionai.analyses.list
VisionAI Warehouse Annotation Editor
Beta
(roles/visionai.annotationEditor)
Grants access to edit media asset annotations in the Warehouse.
visionai.annotations.*
VisionAI Warehouse Annotation Viewer
Beta
(roles/visionai.annotationViewer)
Grants access to view media asset annotations in the Warehouse.
visionai.annotations.get
visionai.annotations.list
Vision AI Application Editor
Beta
(roles/visionai.applicationEditor)
Access to read and write Vision AI Applications.
visionai.applications.*
visionai.drafts.*
visionai.instances.*
Vision AI Application Viewer
Beta
(roles/visionai.applicationViewer)
Access to read Vision AI Applications.
visionai.applications.get
visionai.applications.list
visionai.drafts.get
visionai.drafts.list
visionai.instances.*
VisionAI Warehouse Asset Creator
Beta
(roles/visionai.assetCreator)
Grants access to ingest media assets into the Warehouse.
visionai.assets.create
visionai.assets.ingest
VisionAI Warehouse Asset Editor
Beta
(roles/visionai.assetEditor)
Grants access to edit media assets in the Warehouse.
visionai.assets.*
VisionAI Warehouse Asset Viewer
Beta
(roles/visionai.assetViewer)
Grants access to view media assets in the Warehouse.
visionai.assets.get
visionai.assets.list
visionai.assets.search
Vision AI Cluster Editor
Beta
(roles/visionai.clusterEditor)
Access to read and write Vision AI Clusters.
visionai.clusters.create
visionai.clusters.delete
visionai.clusters.get
visionai.clusters.list
visionai.clusters.update
visionai.clusters.watch
Vision AI Cluster Viewer
Beta
(roles/visionai.clusterViewer)
Access to read Vision AI Clusters.
visionai.clusters.get
visionai.clusters.list
VisionAI Warehouse Corpus Administrator
Beta
(roles/visionai.corpusAdmin)
Full control to everything in a corpus including corpus access control.
visionai.annotations.*
visionai.assets.*
visionai.corpora.*
visionai.dataSchemas.*
visionai.indexes.*
visionai.operations.get
visionai.operations.list
visionai.searchConfigs.*
VisionAI Warehouse Corpus Editor
Beta
(roles/visionai.corpusEditor)
Read-write access to everything in a corpus.
visionai.annotations.*
visionai.assets.*
visionai.corpora.*
visionai.dataSchemas.*
visionai.indexes.*
visionai.operations.get
visionai.operations.list
visionai.searchConfigs.*
VisionAI Warehouse Corpus Viewer
Beta
(roles/visionai.corpusViewer)
Grants access to view everything in a corpus.
visionai.annotations.get
visionai.annotations.list
visionai.assets.clip
visionai.assets.generateHlsUri
visionai.assets.get
visionai.assets.list
visionai.assets.search
visionai.corpora.get
visionai.corpora.list
visionai.corpora.suggest
visionai.dataSchemas.get
visionai.dataSchemas.list
visionai.dataSchemas.validate
visionai.indexes.get
visionai.indexes.list
visionai.indexes.viewAssets
visionai.operations.get
visionai.operations.list
visionai.searchConfigs.get
visionai.searchConfigs.list
VisionAI Warehouse Corpus Writer
Beta
(roles/visionai.corpusWriter)
Grants access to create/update/delete everything in a corpus.
visionai.annotations.*
visionai.assets.*
visionai.corpora.analyze
visionai.corpora.delete
visionai.corpora.import
visionai.corpora.update
visionai.dataSchemas.create
visionai.dataSchemas.delete
visionai.dataSchemas.update
visionai.indexes.create
visionai.indexes.delete
visionai.indexes.update
visionai.operations.get
visionai.operations.list
visionai.searchConfigs.create
visionai.searchConfigs.delete
visionai.searchConfigs.update
VisionAI Editor
Beta
(roles/visionai.editor)
Edit access to all Vision AI resources.
resourcemanager.projects.get
resourcemanager.projects.list
visionai.analyses.create
visionai.analyses.delete
visionai.analyses.get
visionai.analyses.getIamPolicy
visionai.analyses.list
visionai.analyses.update
visionai.annotations.*
visionai.applications.*
visionai.assets.*
visionai.clusters.create
visionai.clusters.delete
visionai.clusters.get
visionai.clusters.getIamPolicy
visionai.clusters.list
visionai.clusters.update
visionai.clusters.watch
visionai.corpora.*
visionai.dataSchemas.*
visionai.drafts.*
visionai.events.create
visionai.events.delete
visionai.events.get
visionai.events.getIamPolicy
visionai.events.list
visionai.events.update
visionai.indexEndpoints.*
visionai.indexes.*
visionai.instances.*
visionai.locations.*
visionai.operations.*
visionai.operators.create
visionai.operators.delete
visionai.operators.get
visionai.operators.getIamPolicy
visionai.operators.list
visionai.operators.update
visionai.processors.*
visionai.searchConfigs.*
visionai.series.acquireLease
visionai.series.create
visionai.series.delete
visionai.series.get
visionai.series.getIamPolicy
visionai.series.list
visionai.series.receive
visionai.series.releaseLease
visionai.series.renewLease
visionai.series.send
visionai.series.update
visionai.streams.create
visionai.streams.delete
visionai.streams.get
visionai.streams.getIamPolicy
visionai.streams.list
visionai.streams.receive
visionai.streams.send
visionai.streams.update
visionai.uistreams.*
Vision AI Event Editor
Beta
(roles/visionai.eventEditor)
Access to read and write Vision AI Events.
visionai.events.create
visionai.events.delete
visionai.events.get
visionai.events.list
visionai.events.update
Vision AI Event Viewer
Beta
(roles/visionai.eventViewer)
Access to read Vision AI Events.
visionai.events.get
visionai.events.list
VisionAI Warehouse IndexEndpoint Administrator
Beta
(roles/visionai.indexEndpointAdmin)
Full control of all Media Warehouse resources and permissions.
visionai.indexEndpoints.*
VisionAI Warehouse IndexEndpoint Editor
Beta
(roles/visionai.indexEndpointEditor)
Read, write and create access to all index endpoints level resources.
visionai.indexEndpoints.*
VisionAI Warehouse IndexEndpoint Viewer
Beta
(roles/visionai.indexEndpointViewer)
Grants access to view all index endpoint resources and be able to search on them. (ReadOnly)
visionai.indexEndpoints.get
visionai.indexEndpoints.list
visionai.indexEndpoints.search
VisionAI Warehouse IndexEndpoint Writer
Beta
(roles/visionai.indexEndpointWriter)
Grants access to perform update, delete, deploy and undeploy operations on the index endpoint.
visionai.indexEndpoints.delete
visionai.indexEndpoints.deploy
visionai.indexEndpoints.undeploy
visionai.indexEndpoints.update
Vision AI Operator Editor
Beta
(roles/visionai.operatorEditor)
Access to read and write Vision AI Operators.
visionai.operators.create
visionai.operators.delete
visionai.operators.get
visionai.operators.list
visionai.operators.update
Vision AI Operator Viewer
Beta
(roles/visionai.operatorViewer)
Access to read Vision AI Operators.
visionai.operators.get
visionai.operators.list
Vision AI Packet Receiver
Beta
(roles/visionai.packetReceiver)
Access to read Vision AI Series.
visionai.clusters.watch
visionai.series.acquireLease
visionai.series.receive
visionai.series.releaseLease
visionai.series.renewLease
visionai.streams.receive
Vision AI Packet Sender
Beta
(roles/visionai.packetSender)
Packet sender to the series.
visionai.series.acquireLease
visionai.series.releaseLease
visionai.series.renewLease
visionai.series.send
visionai.streams.send
Vision AI Processor Editor
Beta
(roles/visionai.processorEditor)
Access to read and write Vision AI Processors.
visionai.processors.*
Vision AI Processor Viewer
Beta
(roles/visionai.processorViewer)
Access to read Vision AI Processors.
visionai.processors.get
visionai.processors.list
visionai.processors.listPrebuilt
Vision AI RetailCatalog Editor
Beta
(roles/visionai.retailcatalogEditor)
Access to read and write Vision AI RetailCatalogs.
Vision AI RetailCatalog Viewer
Beta
(roles/visionai.retailcatalogViewer)
Access to read Vision AI RetailCatalogs.
Vision AI RetailEndpoint Editor
Beta
(roles/visionai.retailendpointEditor)
Access to read and write Vision AI RetailEndpoints.
Vision AI RetailEndpoint Viewer
Beta
(roles/visionai.retailendpointViewer)
Access to read Vision AI RetailEndpoints.
Vision AI Series Editor
Beta
(roles/visionai.seriesEditor)
Access to read and write Vision AI Series.
visionai.clusters.watch
visionai.series.acquireLease
visionai.series.create
visionai.series.delete
visionai.series.get
visionai.series.list
visionai.series.receive
visionai.series.releaseLease
visionai.series.renewLease
visionai.series.send
visionai.series.update
visionai.streams.receive
visionai.streams.send
Vision AI Series Viewer
Beta
(roles/visionai.seriesViewer)
Access to read Vision AI Series.
visionai.series.get
visionai.series.list
Vision AI Stream Editor
Beta
(roles/visionai.streamEditor)
Access to read and write Vision AI Streams.
visionai.clusters.watch
visionai.series.acquireLease
visionai.series.receive
visionai.series.releaseLease
visionai.series.renewLease
visionai.series.send
visionai.streams.create
visionai.streams.delete
visionai.streams.get
visionai.streams.list
visionai.streams.receive
visionai.streams.send
visionai.streams.update
Vision AI Stream Viewer
Beta
(roles/visionai.streamViewer)
Access to read Vision AI Streams.
visionai.streams.get
visionai.streams.list
Vision AI UI Stream Editor
Beta
(roles/visionai.uiStreamEditor)
Access to read & write Vision AI UI Streams.
visionai.uistreams.*
Vision AI UI Stream Viewer
Beta
(roles/visionai.uiStreamViewer)
Access to read Vision AI UI Streams.
visionai.uistreams.get
visionai.uistreams.list
VisionAI Viewer
Beta
(roles/visionai.viewer)
View access to all Vision AI resources.
resourcemanager.projects.get
resourcemanager.projects.list
visionai.analyses.get
visionai.analyses.getIamPolicy
visionai.analyses.list
visionai.annotations.get
visionai.annotations.list
visionai.applications.get
visionai.applications.list
visionai.assets.clip
visionai.assets.generateHlsUri
visionai.assets.get
visionai.assets.list
visionai.assets.search
visionai.clusters.get
visionai.clusters.getIamPolicy
visionai.clusters.list
visionai.corpora.get
visionai.corpora.list
visionai.corpora.suggest
visionai.dataSchemas.get
visionai.dataSchemas.list
visionai.dataSchemas.validate
visionai.drafts.get
visionai.drafts.list
visionai.events.get
visionai.events.getIamPolicy
visionai.events.list
visionai.indexEndpoints.get
visionai.indexEndpoints.list
visionai.indexEndpoints.search
visionai.indexes.get
visionai.indexes.list
visionai.indexes.viewAssets
visionai.instances.*
visionai.locations.*
visionai.operations.get
visionai.operations.list
visionai.operators.get
visionai.operators.getIamPolicy
visionai.operators.list
visionai.processors.get
visionai.processors.list
visionai.processors.listPrebuilt
visionai.searchConfigs.get
visionai.searchConfigs.list
visionai.series.get
visionai.series.getIamPolicy
visionai.series.list
visionai.streams.get
visionai.streams.getIamPolicy
visionai.streams.list
visionai.uistreams.get
visionai.uistreams.list
VMwareEngine roles
Permissions
VMware Engine Service Admin
(roles/vmwareengine.vmwareengineAdmin)
Admin has full access to VMware Engine Service
resourcemanager.projects.get
resourcemanager.projects.list
vmwareengine.*
VMware Engine Service Viewer
(roles/vmwareengine.vmwareengineViewer)
Viewer has read-only access to VMware Engine Service
resourcemanager.projects.get
resourcemanager.projects.list
vmwareengine.clusters.get
vmwareengine.clusters.getIamPolicy
vmwareengine.clusters.list
vmwareengine.dnsBindPermission.get
vmwareengine.dnsForwarding.get
vmwareengine.externalAccessRules.get
vmwareengine.externalAccessRules.list
vmwareengine.externalAddresses.get
vmwareengine.externalAddresses.list
vmwareengine.hcxActivationKeys.get
vmwareengine.hcxActivationKeys.getIamPolicy
vmwareengine.hcxActivationKeys.list
vmwareengine.locations.*
vmwareengine.loggingServers.get
vmwareengine.loggingServers.list
vmwareengine.managementDnsZoneBindings.get
vmwareengine.managementDnsZoneBindings.list
vmwareengine.networkPeerings.get
vmwareengine.networkPeerings.list
vmwareengine.networkPeerings.listPeeringRoutes
vmwareengine.networkPolicies.fetchExternalAddresses
vmwareengine.networkPolicies.get
vmwareengine.networkPolicies.list
vmwareengine.nodeTypes.*
vmwareengine.nodes.*
vmwareengine.operations.get
vmwareengine.operations.list
vmwareengine.privateClouds.get
vmwareengine.privateClouds.getIamPolicy
vmwareengine.privateClouds.list
vmwareengine.privateConnections.get
vmwareengine.privateConnections.list
vmwareengine.privateConnections.listPeeringRoutes
vmwareengine.projectState.get
vmwareengine.services.view
vmwareengine.subnets.get
vmwareengine.subnets.list
vmwareengine.vmwareEngineNetworks.get
vmwareengine.vmwareEngineNetworks.list
Workflows roles
Permissions
Workflows Admin
(roles/workflows.admin)
Full access to workflows and related resources.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
workflows.*
Workflows Editor
(roles/workflows.editor)
Read and write access to workflows and related resources, including development and debugging of workflows.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
workflows.*
Workflows Invoker
(roles/workflows.invoker)
Access to execute workflows and manage the executions using the API. Does not provide access to develop and debug workflows.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
workflows.callbacks.*
workflows.executions.*
workflows.stepEntries.*
Workflows Viewer
(roles/workflows.viewer)
Read-only access to workflows and related resources.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
workflows.callbacks.list
workflows.executions.get
workflows.executions.list
workflows.locations.*
workflows.operations.get
workflows.operations.list
workflows.stepEntries.*
workflows.workflows.get
workflows.workflows.list
workflows.workflows.listEffectiveTags
workflows.workflows.listRevision
workflows.workflows.listTagBindings
Workforce Pools roles
Permissions
IAM OAuth Client Admin
Beta
(roles/iam.oauthClientAdmin)
Full rights to create and manage OAuth clients.
iam.oauthClientCredentials.*
iam.oauthClients.*
resourcemanager.projects.get
resourcemanager.projects.list
IAM OAuth Client Viewer
Beta
(roles/iam.oauthClientViewer)
Read access to a particular instance of an OAuth client.
iam.googleapis.com/oauthClientCredentials.get
iam.googleapis.com/oauthClientCredentials.list
iam.googleapis.com/oauthClients.get
iam.googleapis.com/oauthClients.list
resourcemanager.projects.get
resourcemanager.projects.list
IAM Workforce Pool Admin
(roles/iam.workforcePoolAdmin)
Full rights to create and manage all workforce pools in the org, along with the ability to delegate permissions to other admins.
iam.workforcePoolProviderKeys.*
iam.workforcePoolProviders.*
iam.workforcePoolSubjects.*
iam.workforcePools.*
IAM Workforce Pool Editor
(roles/iam.workforcePoolEditor)
Rights to edit a particular instance of a workforce pool.
iam.googleapis.com/workforcePoolProviderKeys.get
iam.googleapis.com/workforcePoolProviderKeys.list
iam.googleapis.com/workforcePools.get
iam.googleapis.com/workforcePools.list
iam.googleapis.com/workforcePools.update
iam.workforcePoolProviders.*
IAM Workforce Pool Viewer
(roles/iam.workforcePoolViewer)
Rights to read workforce pool.
iam.googleapis.com/workforcePoolProviderKeys.get
iam.googleapis.com/workforcePoolProviderKeys.list
iam.googleapis.com/workforcePoolProviders.get
iam.googleapis.com/workforcePoolProviders.list
iam.googleapis.com/workforcePools.get
iam.googleapis.com/workforcePools.list
Workload Certificate roles
Permissions
Workload Certificate Admin
Beta
(roles/workloadcertificate.admin)
Full access to all Workload Certificate API resources.
resourcemanager.projects.get
resourcemanager.projects.list
workloadcertificate.*
Workload Certificate Registration Admin
Beta
(roles/workloadcertificate.registrationAdmin)
Full access to WorkloadRegistration resources.
resourcemanager.projects.get
resourcemanager.projects.list
workloadcertificate.locations.*
workloadcertificate.operations.*
workloadcertificate.workloadRegistrations.*
Workload Certificate Registration Viewer
Beta
(roles/workloadcertificate.registrationViewer)
Read-only access to WorkloadRegistration resources.
resourcemanager.projects.get
resourcemanager.projects.list
workloadcertificate.locations.*
workloadcertificate.operations.get
workloadcertificate.operations.list
workloadcertificate.workloadRegistrations.get
workloadcertificate.workloadRegistrations.list
Workload Certificate Viewer
Beta
(roles/workloadcertificate.viewer)
Read-only access to all Workload Certificate resources.
resourcemanager.projects.get
resourcemanager.projects.list
workloadcertificate.locations.*
workloadcertificate.operations.get
workloadcertificate.operations.list
workloadcertificate.workloadCertificateFeature.get
workloadcertificate.workloadRegistrations.get
workloadcertificate.workloadRegistrations.list
Workload Identity Pools roles
Permissions
IAM Workload Identity Pool Admin
Beta
(roles/iam.workloadIdentityPoolAdmin)
Full rights to create and manage workload identity pools.
iam.workloadIdentityPoolProviderKeys.*
iam.workloadIdentityPoolProviders.*
iam.workloadIdentityPools.*
resourcemanager.projects.get
resourcemanager.projects.list
IAM Workload Identity Pool Viewer
Beta
(roles/iam.workloadIdentityPoolViewer)
Read access to workload identity pools.
iam.googleapis.com/workloadIdentityPoolProviderKeys.get
iam.googleapis.com/workloadIdentityPoolProviderKeys.list
iam.googleapis.com/workloadIdentityPoolProviders.get
iam.googleapis.com/workloadIdentityPoolProviders.list
iam.googleapis.com/workloadIdentityPools.get
iam.googleapis.com/workloadIdentityPools.list
resourcemanager.projects.get
resourcemanager.projects.list
Workload Manager roles
Permissions
Workload Manager Admin
Beta
(roles/workloadmanager.admin)
Full access to all Workload Manager resources.
compute.acceleratorTypes.list
compute.diskTypes.list
compute.machineTypes.list
compute.networks.list
compute.projects.get
compute.regions.list
compute.subnetworks.list
compute.zones.list
dns.managedZones.list
iam.serviceAccounts.list
monitoring.timeSeries.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
storage.buckets.list
storage.objects.list
workloadmanager.*
Workload Manager Deployment Admin
Beta
(roles/workloadmanager.deploymentAdmin)
Full access to Workload Manager deployment resources.
compute.acceleratorTypes.list
compute.diskTypes.list
compute.machineTypes.list
compute.networks.list
compute.projects.get
compute.regions.list
compute.subnetworks.list
compute.zones.list
dns.managedZones.list
iam.serviceAccounts.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
storage.buckets.list
storage.objects.list
workloadmanager.actuations.*
workloadmanager.deployments.*
workloadmanager.locations.*
workloadmanager.operations.*
Workload Manager Deployment Viewer
Beta
(roles/workloadmanager.deploymentViewer)
Read-only access to Workload Manager deployment resources.
resourcemanager.projects.get
resourcemanager.projects.list
workloadmanager.actuations.get
workloadmanager.actuations.list
workloadmanager.deployments.get
workloadmanager.deployments.list
Workload Manager Evaluation Admin
Beta
(roles/workloadmanager.evaluationAdmin)
Full access to Workload Manager evaluation resources.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
workloadmanager.evaluations.*
workloadmanager.executions.*
workloadmanager.locations.*
workloadmanager.operations.*
workloadmanager.results.list
workloadmanager.rules.list
Workload Manager Evaluation Viewer
Beta
(roles/workloadmanager.evaluationViewer)
Read-only access to Workload Manager evaluation resources.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
workloadmanager.evaluations.get
workloadmanager.evaluations.list
workloadmanager.executions.get
workloadmanager.executions.list
workloadmanager.results.list
workloadmanager.rules.list
Workload Manager Insights Writer
Beta
(roles/workloadmanager.insightWriter)
The role used to write data to WLM data warehouse.
workloadmanager.insights.write
Workload Manager Viewer
Beta
(roles/workloadmanager.viewer)
Read-only access to all Workload Manager resources.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
workloadmanager.actuations.get
workloadmanager.actuations.list
workloadmanager.deployments.get
workloadmanager.deployments.list
workloadmanager.discoveredprofiles.*
workloadmanager.evaluations.get
workloadmanager.evaluations.list
workloadmanager.executions.get
workloadmanager.executions.list
workloadmanager.results.list
workloadmanager.rules.list
Workload Manager Worker
Beta
(roles/workloadmanager.worker)
The role used by Workload Manager application runners to read and update workloads.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
workloadmanager.actuations.*
workloadmanager.deployments.*
workloadmanager.discoveredprofiles.*
workloadmanager.evaluations.*
workloadmanager.executions.*
workloadmanager.insights.write
workloadmanager.results.list
workloadmanager.rules.list
Workload Manager Workload Viewer
Beta
(roles/workloadmanager.workloadViewer)
The role used to view the workload related data.
resourcemanager.projects.get
resourcemanager.projects.list
workloadmanager.discoveredprofiles.*