IAM permissions for Config Controller

This document describes how to grant Config Controller permissions to manage your Google Cloud resources.

Least privilege

To use Identity and Access Management securely, Google Cloud recommends following the least privilege best practice. In production environments, give any user accounts or processes only those privileges which are essentially vital to perform its intended functions.

IAM permissions for Config Connector

IAM authorizes Config Connector to take actions on Google Cloud resources.

To follow the least privilege best practice, grant the most limited predefined roles or custom roles that meet your needs. For example, if you need Config Connector to manage your GKE cluster creation, grant the Kubernetes Engine Cluster Admin role (roles/container.clusterAdmin).

You can use role recommendations to determine which roles to grant instead. You can also use the Policy Simulator to ensure that changing the role won't affect the principal's access.

Basic roles

It is recommended to have the same permissions in a non-production environment that you have in a production environment, following the least privilege best practice. Having the same permissions has the benefit of testing the production configurations in non-production, and detecting issues earlier.

That said, for certain situations you may want to speed up experimenting with Config Connector. For non-production environments, you can use one of the basic roles as an experiment, before deciding on the most limited permissions.

The Owner role (roles/owner) allows Config Connector to manage most of Google Cloud resources in your project, including IAM resources.

The Editor role (roles/editor) allows most Config Connector capabilities except Project or Organization-wide configurations such as IAM modifications.

To learn more about IAM permissions for Config Connector: