This page describes the Identity and Access Management (IAM) roles and permissions
that you need to purchase and manage commercial products on Cloud Marketplace.
With IAM, you manage access control by defining who (identity)
has what access (role) for which resource. For commercial apps on
Cloud Marketplace, users in your Google Cloud organization require
IAM roles to sign up for Cloud Marketplace plans, and to
make changes to billing plans.
Before you begin
- To grant Cloud Marketplace roles and permissions using gcloud, install
the gcloud CLI. Otherwise, you can
grant roles using the Google Cloud console.
IAM roles for purchasing and managing products
We recommend that you assign the Billing Account Administrator
IAM role to users who are purchasing services from
Cloud Marketplace.
Users who want to access the services must have the
Viewer role, at a minimum.
For more granular control over users' permissions, you can
create custom roles with the permissions that you want to
grant.
Product-specific requirements
To use the following services in a Google Cloud project, you must have the
Project Editor role:
- Google Cloud Dataprep by Trifacta
- Neo4j Aura Professional
List of IAM roles and permissions
You can grant users one or more of the following IAM roles.
Depending on the role you are granting to users, you must also assign the role
to a Google Cloud billing account, organization, or project. For details,
see the section on Granting IAM roles to users.
Role | Permissions
Commerce Business Enablement Configuration Admin
Beta
(roles/commercebusinessenablement.admin)
Admin of Various Provider Configuration resources
|
commercebusinessenablement.leadgenConfig.*
commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.leadgenConfig.update
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.*
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerConfig.update
commercebusinessenablement.resellerRestrictions.*
commercebusinessenablement.resellerRestrictions.list
commercebusinessenablement.resellerRestrictions.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement PaymentConfig Admin
Beta
(roles/commercebusinessenablement.paymentConfigAdmin)
Administration of Payment Configuration resource
|
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.*
commercebusinessenablement.paymentConfig.get
commercebusinessenablement.paymentConfig.update
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement PaymentConfig Viewer
Beta
(roles/commercebusinessenablement.paymentConfigViewer)
Viewer of Payment Configuration resource
|
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.paymentConfig.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Rebates Admin
Beta
(roles/commercebusinessenablement.rebatesAdmin)
Provides admin access to rebates
|
commercebusinessenablement.operations.*
commercebusinessenablement.operations.cancel
commercebusinessenablement.operations.delete
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.*
commercebusinessenablement.refunds.cancel
commercebusinessenablement.refunds.create
commercebusinessenablement.refunds.delete
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
commercebusinessenablement.refunds.start
commercebusinessenablement.refunds.update
|
Commerce Business Enablement Rebates Viewer
Beta
(roles/commercebusinessenablement.rebatesViewer)
Provides read-only access to rebates
|
commercebusinessenablement.operations.get
commercebusinessenablement.operations.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.refunds.get
commercebusinessenablement.refunds.list
|
Commerce Business Enablement Reseller Discount Admin
Beta
(roles/commercebusinessenablement.resellerDiscountAdmin)
Provides admin access to reseller discount offers
|
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.*
commercebusinessenablement.resellerDiscountOffers.cancel
commercebusinessenablement.resellerDiscountOffers.create
commercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.*
commercebusinessenablement.resellerPrivateOfferPlans.cancel
commercebusinessenablement.resellerPrivateOfferPlans.create
commercebusinessenablement.resellerPrivateOfferPlans.delete
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
commercebusinessenablement.resellerPrivateOfferPlans.publish
commercebusinessenablement.resellerPrivateOfferPlans.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Reseller Discount Viewer
Beta
(roles/commercebusinessenablement.resellerDiscountViewer)
Provides read-only access to reseller discount offers
|
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerDiscountConfig.get
commercebusinessenablement.resellerDiscountOffers.list
commercebusinessenablement.resellerPrivateOfferPlans.get
commercebusinessenablement.resellerPrivateOfferPlans.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Business Enablement Configuration Viewer
Beta
(roles/commercebusinessenablement.viewer)
Viewer of Various Provider Configuration resource
|
commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.partnerAccounts.*
commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list
commercebusinessenablement.partnerInfo.get
commercebusinessenablement.resellerConfig.get
commercebusinessenablement.resellerRestrictions.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Offer Catalog Offers Viewer
Beta
(roles/commerceoffercatalog.offersViewer)
Allows viewing offers
|
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
|
Commerce Organization Governance Admin
Beta
(roles/commerceorggovernance.admin)
Full access to Organization Governance APIs
|
commerceorggovernance.*
commerceorggovernance.collectionRequestApprovals.list
commerceorggovernance.collectionRequestApprovals.review
commerceorggovernance.collections.create
commerceorggovernance.collections.delete
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.collections.update
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.consumerSharingPolicies.update
commerceorggovernance.organizationSettings.get
commerceorggovernance.organizationSettings.update
commerceorggovernance.populateCollectionJobs.create
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.populateCollectionJobs.run
commerceorggovernance.populateCollectionJobs.update
commerceorggovernance.services.get
commerceorggovernance.services.list
commerceorggovernance.services.request
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Governed Marketplace User
Beta
(roles/commerceorggovernance.user)
Full access to Governed Marketplace features.
|
commerceorggovernance.services.*
commerceorggovernance.services.get
commerceorggovernance.services.list
commerceorggovernance.services.request
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Organization Governance Viewer
Beta
(roles/commerceorggovernance.viewer)
Full access to Organization Governance read-only APIs.
|
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.organizationSettings.get
commerceorggovernance.populateCollectionJobs.list
commerceorggovernance.services.get
commerceorggovernance.services.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Price Management Events Viewer
Beta
(roles/commercepricemanagement.eventsViewer)
Allows viewing key events for an offer
|
commerceprice.events.*
commerceprice.events.get
commerceprice.events.list
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Price Management Private Offers Admin
Beta
(roles/commercepricemanagement.privateOffersAdmin)
Allows managing private offers
|
commerceagreementpublishing.*
commerceagreementpublishing.agreements.create
commerceagreementpublishing.agreements.delete
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.agreements.update
commerceagreementpublishing.documents.create
commerceagreementpublishing.documents.delete
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceagreementpublishing.documents.update
commerceprice.*
commerceprice.events.get
commerceprice.events.list
commerceprice.privateoffers.cancel
commerceprice.privateoffers.create
commerceprice.privateoffers.delete
commerceprice.privateoffers.get
commerceprice.privateoffers.list
commerceprice.privateoffers.publish
commerceprice.privateoffers.sendEmail
commerceprice.privateoffers.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Commerce Price Management Viewer
Beta
(roles/commercepricemanagement.viewer)
Allows viewing offers, free trials, and SKUs
|
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
commerceprice.privateoffers.get
commerceprice.privateoffers.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Commerce Producer Admin
Beta
(roles/commerceproducer.admin)
Grants full access to all resources in Cloud Commerce Producer API.
|
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Commerce Producer Viewer
Beta
(roles/commerceproducer.viewer)
Grants read access to all resources in Cloud Commerce Producer API.
|
commercebusinessenablement.partnerInfo.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Consumer Procurement Entitlement Manager
(roles/consumerprocurement.entitlementManager)
Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer
project.
|
commerceoffercatalog.offers.get
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.*
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Entitlement Viewer
(roles/consumerprocurement.entitlementViewer)
Allows inspecting entitlements and service states for a consumer project.
|
commerceoffercatalog.offers.get
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Events Viewer
(roles/consumerprocurement.eventsViewer)
Allows viewing key events for an offer
|
consumerprocurement.events.*
consumerprocurement.events.get
consumerprocurement.events.list
|
Consumer Procurement License Pool Editor
(roles/consumerprocurement.licensePoolEditor)
Allows managing license pools and license assignments.
|
consumerprocurement.licensePools.*
consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update
|
Consumer Procurement License Pool Viewer
(roles/consumerprocurement.licensePoolViewer)
Allows viewing license pools and license assignments.
|
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
|
Consumer Procurement Order Administrator
(roles/consumerprocurement.orderAdmin)
Allows managing purchases.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.*
consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.events.*
consumerprocurement.events.get
consumerprocurement.events.list
consumerprocurement.licensePools.*
consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update
consumerprocurement.orderAttributions.*
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
consumerprocurement.orders.*
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place
|
Consumer Procurement Order Viewer
(roles/consumerprocurement.orderViewer)
Allows inspecting purchases.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
|
Consumer Procurement Administrator
(roles/consumerprocurement.procurementAdmin)
Allows managing purchases and consents at both the billing account and project level.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.*
consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.allowProjectGrant
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.events.get
consumerprocurement.events.list
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.licensePools.assign
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.licensePools.unassign
consumerprocurement.licensePools.update
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
|
Consumer Procurement Viewer
(roles/consumerprocurement.procurementViewer)
Allows inspecting purchases, consents, entitlements, and service states for a consumer project.
|
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.check
consumerprocurement.consents.list
consumerprocurement.entitlements.*
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.licensePools.enumerateLicensedUsers
consumerprocurement.licensePools.get
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
|
Granting IAM roles to users
From the roles in the table above, the consumerprocurement.orderAdmin
and consumerprocurement.orderViewer roles
must be assigned at the billing account or organization level, and the
consumerprocurement.entitlementManager and consumerprocurement.entitlementViewer
roles must be assigned at the project or organization level.
To grant roles to users using gcloud, run one of the following commands:
Organization
You must have the resourcemanager.organizationAdmin
role to assign roles at the organization level.
gcloud organizations add-iam-policy-binding organization-id \
--member=member --role=role-id
The placeholder values are:
- organization-id: The numeric ID of the organization that you are granting the
role for.
- member: The user that you are granting access to.
- role-id: The role ID, from the previous table.
Billing account
You must have the billing.admin
role to assign roles at the billing account level.
gcloud beta billing accounts set-iam-policy account-id \
policy-file
The placeholder values are:
- account-id: Your billing account ID, which
you can get from the Manage billing accounts page.
- policy-file: An IAM policy file,
in JSON or YAML format. The policy file must contain the role IDs from
the previous table, and the users that you are assigning the roles to.
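Because set-iam-policy replaces the billing account's whole policy with the contents of the file, the policy file has to carry the existing bindings as well as the new one. The following is an added example, not part of the original page: it merges one binding into a current policy, enforces the grant levels stated above, and lists the access a candidate file would revoke. The member addresses, the etag, and the level labels are constructed for illustration.

```python
import json

# Grant levels the page allows for each role ("Granting IAM roles to users").
# The level labels themselves are this example's own naming.
ALLOWED_LEVELS = {
    "roles/consumerprocurement.orderAdmin": {"billing_account", "organization"},
    "roles/consumerprocurement.orderViewer": {"billing_account", "organization"},
    "roles/consumerprocurement.entitlementManager": {"project", "organization"},
    "roles/consumerprocurement.entitlementViewer": {"project", "organization"},
}

# Constructed sample of an existing billing-account policy, in the JSON shape
# printed by `gcloud beta billing accounts get-iam-policy ACCOUNT_ID --format=json`.
CURRENT_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/billing.admin",
     "members": ["user:finance-lead@example.com"]},
    {"role": "roles/consumerprocurement.orderViewer",
     "members": ["group:auditors@example.com"]}
  ],
  "etag": "CONSTRUCTED-ETAG",
  "version": 1
}
""")


def check_level(role, level):
    """Reject a grant at a level the page says the role cannot be assigned at."""
    allowed = ALLOWED_LEVELS.get(role)
    if allowed is not None and level not in allowed:
        raise ValueError(f"{role} must be granted at: {', '.join(sorted(allowed))}")


def add_binding(policy, role, member, level):
    """Return a copy of policy with member added to role, keeping etag and bindings."""
    check_level(role, level)
    updated = json.loads(json.dumps(policy))  # deep copy; the input stays untouched
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        # Only merge into an unconditional binding for the same role.
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return updated


def dropped_bindings(old, new):
    """(role, member) pairs present in old but absent from new: access that
    applying new with set-iam-policy would revoke."""
    def pairs(policy):
        return {(b["role"], m) for b in policy.get("bindings", []) for m in b["members"]}
    return sorted(pairs(old) - pairs(new))


if __name__ == "__main__":
    merged = add_binding(CURRENT_POLICY, "roles/consumerprocurement.orderAdmin",
                         "user:buyer@example.com", "billing_account")
    assert dropped_bindings(CURRENT_POLICY, merged) == []
    print(json.dumps(merged, indent=2))  # write this out as policy-file
```

Keeping the etag from the policy you read lets the service reject the write if someone else changed the policy in the meantime.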
Project
You must have the resourcemanager.folderAdmin
role to assign roles at the project level.
gcloud projects add-iam-policy-binding project-id \
--member=member --role=role-id
The placeholder values are:
- project-id: The project that you are granting the
role for.
- member: The user that you are granting access to.
- role-id: The role ID, from the previous table.
To grant roles to users using the Google Cloud console, see the IAM
documentation on Granting, changing, and revoking access for users.
Using custom roles with Cloud Marketplace
If you want granular control over the permissions you grant users, you can
create custom roles with the permissions
that you want to grant.
If you're creating a custom role for users who purchase services from
Cloud Marketplace, the role must include these permissions for the
billing account they use to purchase services:
Accessing partner websites with Single Sign-on (SSO)
Certain Marketplace products support Single Sign-on (SSO) to a partner's
external website. Authorized users within the organization have access to
a "MANAGE ON PROVIDER" button on the product details page. This
button directs users to the partner's website. In some cases, users are
prompted to "Sign in with Google". In other cases, users are signed in within a
shared account context.
In order to access the SSO capability, users navigate to the product
details page, and select an appropriate project. The project must be linked to
a billing account where the plan has been purchased. For details about Marketplace
plan management, see
Managing billing plans.
Additionally, the user must have sufficient IAM permissions within the selected
project. For most products, the roles/consumerprocurement.entitlementManager
role (or the roles/editor basic role) is currently required.
Minimal permissions for specific products
The following products can operate on a different set of permissions to access
SSO capabilities:
- Apache Kafka on Confluent Cloud
- DataStax Astra for Apache Cassandra
- Elastic Cloud
- Neo4j Aura Professional
- Redis Enterprise Cloud
For these products, you can use the following minimal permissions:
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
serviceusage.services.get
serviceusage.services.list
resourcemanager.projects.get
These permissions are typically granted with the
roles/consumerprocurement.entitlementManager or
roles/consumerprocurement.entitlementViewer roles.