IAM roles and permissions for Integration Connectors

Predefined roles give granular access to specific Google Cloud resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services.

The following table lists all the predefined IAM roles for Integration Connectors:

Role Permissions

(roles/connectors.admin)

Full access to all resources of Connectors Service.

connectors.actions.*

  • connectors.actions.execute
  • connectors.actions.list

connectors.connections.create

connectors.connections.delete

connectors.connections.executeSqlQuery

connectors.connections.generateOpenAPISpec

connectors.connections.get

connectors.connections.getConnectionSchemaMetadata

connectors.connections.getIamPolicy

connectors.connections.getRuntimeActionSchema

connectors.connections.getRuntimeEntitySchema

connectors.connections.list

connectors.connections.setIamPolicy

connectors.connections.update

connectors.connectors.*

  • connectors.connectors.get
  • connectors.connectors.list

connectors.customConnectorVersions.*

  • connectors.customConnectorVersions.create
  • connectors.customConnectorVersions.delete
  • connectors.customConnectorVersions.get
  • connectors.customConnectorVersions.getIamPolicy
  • connectors.customConnectorVersions.list
  • connectors.customConnectorVersions.setIamPolicy
  • connectors.customConnectorVersions.update

connectors.customConnectors.*

  • connectors.customConnectors.create
  • connectors.customConnectors.delete
  • connectors.customConnectors.get
  • connectors.customConnectors.getIamPolicy
  • connectors.customConnectors.list
  • connectors.customConnectors.setIamPolicy
  • connectors.customConnectors.update

connectors.endpointAttachments.*

  • connectors.endpointAttachments.create
  • connectors.endpointAttachments.delete
  • connectors.endpointAttachments.get
  • connectors.endpointAttachments.getIamPolicy
  • connectors.endpointAttachments.list
  • connectors.endpointAttachments.setIamPolicy
  • connectors.endpointAttachments.update

connectors.entities.*

  • connectors.entities.create
  • connectors.entities.delete
  • connectors.entities.deleteEntitiesWithConditions
  • connectors.entities.get
  • connectors.entities.list
  • connectors.entities.update
  • connectors.entities.updateEntitiesWithConditions

connectors.entityTypes.list

connectors.eventSubscriptions.*

  • connectors.eventSubscriptions.create
  • connectors.eventSubscriptions.delete
  • connectors.eventSubscriptions.get
  • connectors.eventSubscriptions.list
  • connectors.eventSubscriptions.update

connectors.eventtypes.*

  • connectors.eventtypes.get
  • connectors.eventtypes.list

connectors.locations.*

  • connectors.locations.get
  • connectors.locations.list

connectors.managedZones.*

  • connectors.managedZones.create
  • connectors.managedZones.delete
  • connectors.managedZones.get
  • connectors.managedZones.getIamPolicy
  • connectors.managedZones.list
  • connectors.managedZones.setIamPolicy
  • connectors.managedZones.update

connectors.operations.*

  • connectors.operations.cancel
  • connectors.operations.delete
  • connectors.operations.get
  • connectors.operations.list

connectors.providers.*

  • connectors.providers.get
  • connectors.providers.list

connectors.regionalSettings.*

  • connectors.regionalSettings.get
  • connectors.regionalSettings.update

connectors.runtimeconfig.get

connectors.schemaMetadata.refresh

connectors.settings.*

  • connectors.settings.get
  • connectors.settings.update

connectors.versions.*

  • connectors.versions.get
  • connectors.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.secrets.getIamPolicy

(roles/connectors.customConnectorAdmin)

Custom Connector is a global resource which creates custom connector within the given target project. This role grants Admin access to Custom Connector resources

connectors.customConnectorVersions.*

  • connectors.customConnectorVersions.create
  • connectors.customConnectorVersions.delete
  • connectors.customConnectorVersions.get
  • connectors.customConnectorVersions.getIamPolicy
  • connectors.customConnectorVersions.list
  • connectors.customConnectorVersions.setIamPolicy
  • connectors.customConnectorVersions.update

connectors.customConnectors.*

  • connectors.customConnectors.create
  • connectors.customConnectors.delete
  • connectors.customConnectors.get
  • connectors.customConnectors.getIamPolicy
  • connectors.customConnectors.list
  • connectors.customConnectors.setIamPolicy
  • connectors.customConnectors.update

connectors.locations.*

  • connectors.locations.get
  • connectors.locations.list

(roles/connectors.customConnectorViewer)

Custom Connector is a global resource which creates custom connector within the given target project. This role grants Read-only access to Custom Connector & Custom Connector Version resources.

connectors.customConnectorVersions.get

connectors.customConnectorVersions.getIamPolicy

connectors.customConnectorVersions.list

connectors.customConnectors.get

connectors.customConnectors.getIamPolicy

connectors.customConnectors.list

connectors.locations.*

  • connectors.locations.get
  • connectors.locations.list

(roles/connectors.endpointAttachmentAdmin)

Endpoint Attachment is a regional resource which creates PSC connection endpoint for the given PSC Service Attachment. This role grants Admin access to Connectors Endpoint Attachment resources.

connectors.endpointAttachments.*

  • connectors.endpointAttachments.create
  • connectors.endpointAttachments.delete
  • connectors.endpointAttachments.get
  • connectors.endpointAttachments.getIamPolicy
  • connectors.endpointAttachments.list
  • connectors.endpointAttachments.setIamPolicy
  • connectors.endpointAttachments.update

connectors.locations.*

  • connectors.locations.get
  • connectors.locations.list

(roles/connectors.endpointAttachmentViewer)

Endpoint Attachment is a regional resource which creates PSC connection endpoint for the given PSC Service Attachment. This role grants Read-only access to Connectors Endpoint Attachment resources

connectors.endpointAttachments.get

connectors.endpointAttachments.getIamPolicy

connectors.endpointAttachments.list

connectors.locations.*

  • connectors.locations.get
  • connectors.locations.list

(roles/connectors.eventSubscriptionAdmin)

Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Admin access to Connectors Subscription resources

connectors.eventSubscriptions.*

  • connectors.eventSubscriptions.create
  • connectors.eventSubscriptions.delete
  • connectors.eventSubscriptions.get
  • connectors.eventSubscriptions.list
  • connectors.eventSubscriptions.update

(roles/connectors.eventSubscriptionViewer)

Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Read-only access to Event Subscription resources.

connectors.eventSubscriptions.get

connectors.eventSubscriptions.list

(roles/connectors.invoker)

Full Access to invoke all operations on Connections.

connectors.actions.*

  • connectors.actions.execute
  • connectors.actions.list

connectors.connections.executeSqlQuery

connectors.entities.*

  • connectors.entities.create
  • connectors.entities.delete
  • connectors.entities.deleteEntitiesWithConditions
  • connectors.entities.get
  • connectors.entities.list
  • connectors.entities.update
  • connectors.entities.updateEntitiesWithConditions

connectors.entityTypes.list

(roles/connectors.listener)

Full Access to listen events by connections.

connectors.connections.listenEvent

(roles/connectors.managedZoneAdmin)

Managed Zone is a global resource which creates Cloud DNS Peering Zone with the given target project. This role grants Admin access to Connectors Managed Zone resources

connectors.locations.*

  • connectors.locations.get
  • connectors.locations.list

connectors.managedZones.*

  • connectors.managedZones.create
  • connectors.managedZones.delete
  • connectors.managedZones.get
  • connectors.managedZones.getIamPolicy
  • connectors.managedZones.list
  • connectors.managedZones.setIamPolicy
  • connectors.managedZones.update

(roles/connectors.managedZoneViewer)

Managed Zone is a global resource which creates Cloud DNS Peering Zone with the given target project. This role grants Read-only access to Connectors Managed Zone resources.

connectors.locations.*

  • connectors.locations.get
  • connectors.locations.list

connectors.managedZones.get

connectors.managedZones.getIamPolicy

connectors.managedZones.list

(roles/connectors.serviceAgent)

Grants Connectors Platform service account to manage customer resources

connectors.actions.*

  • connectors.actions.execute
  • connectors.actions.list

connectors.connections.get

connectors.connections.getConnectionSchemaMetadata

connectors.connections.list

connectors.connectors.*

  • connectors.connectors.get
  • connectors.connectors.list

connectors.customConnectorVersions.get

connectors.customConnectorVersions.list

connectors.customConnectors.get

connectors.customConnectors.list

connectors.endpointAttachments.get

connectors.endpointAttachments.list

connectors.entities.get

connectors.entityTypes.list

connectors.eventSubscriptions.get

connectors.eventSubscriptions.list

connectors.eventtypes.*

  • connectors.eventtypes.get
  • connectors.eventtypes.list

connectors.locations.*

  • connectors.locations.get
  • connectors.locations.list

connectors.managedZones.get

connectors.managedZones.list

connectors.providers.*

  • connectors.providers.get
  • connectors.providers.list

connectors.runtimeconfig.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.implicitDelegation

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

(roles/connectors.viewer)

Read-only access to Connectors all resources.

connectors.connections.generateOpenAPISpec

connectors.connections.get

connectors.connections.getConnectionSchemaMetadata

connectors.connections.getIamPolicy

connectors.connections.getRuntimeActionSchema

connectors.connections.getRuntimeEntitySchema

connectors.connections.list

connectors.connectors.*

  • connectors.connectors.get
  • connectors.connectors.list

connectors.customConnectorVersions.get

connectors.customConnectorVersions.getIamPolicy

connectors.customConnectorVersions.list

connectors.customConnectors.get

connectors.customConnectors.getIamPolicy

connectors.customConnectors.list

connectors.endpointAttachments.get

connectors.endpointAttachments.getIamPolicy

connectors.endpointAttachments.list

connectors.eventSubscriptions.get

connectors.eventSubscriptions.list

connectors.eventtypes.*

  • connectors.eventtypes.get
  • connectors.eventtypes.list

connectors.locations.*

  • connectors.locations.get
  • connectors.locations.list

connectors.managedZones.get

connectors.managedZones.getIamPolicy

connectors.managedZones.list

connectors.operations.get

connectors.operations.list

connectors.providers.*

  • connectors.providers.get
  • connectors.providers.list

connectors.regionalSettings.get

connectors.runtimeconfig.get

connectors.settings.get

connectors.versions.*

  • connectors.versions.get
  • connectors.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

For more information about predefined roles, see Roles and permissions. For help choosing the most appropriate predefined roles, see Choose predefined roles.