IAM roles and permissions for Integration Connectors

Predefined roles give granular access to specific Google Cloud resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services.

The following table lists all the predefined IAM roles for Integration Connectors:

Permissions

(roles/connectors.admin)

Full access to all resources of Connectors Service.

connectors.actions.*

connectors.connections.create

connectors.connections.delete

connectors.connections.executeSqlQuery

connectors.connections.generateOpenAPISpec

connectors.connections.get

connectors.connections.getConnectionSchemaMetadata

connectors.connections.getIamPolicy

connectors.connections.getRuntimeActionSchema

connectors.connections.getRuntimeEntitySchema

connectors.connections.list

connectors.connections.setIamPolicy

connectors.connections.update

connectors.connectors.*

connectors.customConnectorVersions.*

connectors.customConnectors.*

connectors.endpointAttachments.*

connectors.entities.*

connectors.entityTypes.list

connectors.eventSubscriptions.*

connectors.eventtypes.*

connectors.locations.*

connectors.managedZones.*

connectors.operations.*

connectors.providers.*

connectors.regionalSettings.*

connectors.runtimeconfig.get

connectors.schemaMetadata.refresh

connectors.settings.*

connectors.versions.*

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.secrets.getIamPolicy

(roles/connectors.customConnectorAdmin)

Custom Connector is a global resource which creates custom connector within the given target project. This role grants Admin access to Custom Connector resources

connectors.customConnectorVersions.*

connectors.customConnectors.*

connectors.locations.*

(roles/connectors.customConnectorViewer)

Custom Connector is a global resource which creates custom connector within the given target project. This role grants Read-only access to Custom Connector & Custom Connector Version resources.

connectors.customConnectorVersions.get

connectors.customConnectorVersions.getIamPolicy

connectors.customConnectorVersions.list

connectors.customConnectors.get

connectors.customConnectors.getIamPolicy

connectors.customConnectors.list

connectors.locations.*

(roles/connectors.endpointAttachmentAdmin)

Endpoint Attachment is a regional resource which creates PSC connection endpoint for the given PSC Service Attachment. This role grants Admin access to Connectors Endpoint Attachment resources.

connectors.endpointAttachments.*

connectors.locations.*

(roles/connectors.endpointAttachmentViewer)

Endpoint Attachment is a regional resource which creates PSC connection endpoint for the given PSC Service Attachment. This role grants Read-only access to Connectors Endpoint Attachment resources

connectors.endpointAttachments.get

connectors.endpointAttachments.getIamPolicy

connectors.endpointAttachments.list

connectors.locations.*

(roles/connectors.eventSubscriptionAdmin)

Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Admin access to Connectors Subscription resources

connectors.eventSubscriptions.*

(roles/connectors.eventSubscriptionViewer)

Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Read-only access to Event Subscription resources.

connectors.eventSubscriptions.get

connectors.eventSubscriptions.list

(roles/connectors.invoker)

Full Access to invoke all operations on Connections.

connectors.actions.*

connectors.connections.executeSqlQuery

connectors.entities.*

connectors.entityTypes.list

(roles/connectors.listener)

Full Access to listen events by connections.

connectors.connections.listenEvent

(roles/connectors.managedZoneAdmin)

Managed Zone is a global resource which creates Cloud DNS Peering Zone with the given target project. This role grants Admin access to Connectors Managed Zone resources

connectors.locations.*

connectors.managedZones.*

(roles/connectors.managedZoneViewer)

Managed Zone is a global resource which creates Cloud DNS Peering Zone with the given target project. This role grants Read-only access to Connectors Managed Zone resources.

connectors.locations.*

connectors.managedZones.get

connectors.managedZones.getIamPolicy

connectors.managedZones.list

(roles/connectors.viewer)

Read-only access to Connectors all resources.

connectors.connections.generateOpenAPISpec

connectors.connections.get

connectors.connections.getConnectionSchemaMetadata

connectors.connections.getIamPolicy

connectors.connections.getRuntimeActionSchema

connectors.connections.getRuntimeEntitySchema

connectors.connections.list

connectors.connectors.*

connectors.customConnectorVersions.get

connectors.customConnectorVersions.getIamPolicy

connectors.customConnectorVersions.list

connectors.customConnectors.get

connectors.customConnectors.getIamPolicy

connectors.customConnectors.list

connectors.endpointAttachments.get

connectors.endpointAttachments.getIamPolicy

connectors.endpointAttachments.list

connectors.eventSubscriptions.get

connectors.eventSubscriptions.list

connectors.eventtypes.*

connectors.locations.*

connectors.managedZones.get

connectors.managedZones.getIamPolicy

connectors.managedZones.list

connectors.operations.get

connectors.operations.list

connectors.providers.*

connectors.regionalSettings.get

connectors.runtimeconfig.get

connectors.settings.get

connectors.versions.*

resourcemanager.projects.get

resourcemanager.projects.list

For more information about predefined roles, see Roles and permissions. For help choosing the most appropriate predefined roles, see Choose predefined roles.