IAM roles and permissions

This document lists the roles and permissions you need on different projects to use Workload Manager evaluation and to automatically create Workload Manager service accounts for running the evaluation.

Workload Manager projects

Workload Manager evaluations scan resources across multiple projects which are called target projects, but the evaluation is stored in only one project called a consumer project.

You use the consumer project to access Workload Manager in the Google Cloud console, and to create and run evaluations. When you create an evaluation using the Google Cloud console, in the Evaluation scope section of the workflow, you specify the target projects that hold the resources you want to evaluate.

If the resources to evaluate are present in the same project where you create a Workload Manager evaluation, then the consumer project is also considered as one of your target projects.

Summary of required permissions to create and run an evaluation

The following table summarizes the permissions required for users in the consumer and target projects to create and run evaluations using Workload Manager. To get the permission that you need, ask your administrator to grant you a role that includes the required permission or create a custom role.

Action Consumer project Target project
Enable Workload Manager API Permission:
serviceusage.services.enable

Predefined role that includes the permission:
roles/serviceusage.serviceUsageAdmin
None
Create an evaluation 1. Permission to create a service account:
resourcemanager.projects.setIamPolicy

Predefined role that includes the permission:
roles/resourcemanager.projectIamAdmin

Required only when you create the first evaluation.

2. Predefined role that grants permission to create an evaluation:
roles/workloadmanager.evaluationAdmin

Permission to create a service account:
resourcemanager.projects.setIamPolicy

Predefined role that includes the permission:
roles/resourcemanager.projectIamAdmin

Required only when you create the first evaluation.

Run an evaluation Permission:
workloadmanager.evaluations.run

Predefined role that includes the permission:
roles/workloadmanager.evaluationAdmin

None

View evaluation results Permission:
workloadmanager.results.list

Predefined role that includes the permission:
roles/workloadmanager.evaluationAdmin
or
roles/workloadmanager.evaluationViewer
None

Workload Manager service agents

Workload Manager uses service agents to control access and communication between resources and the associated projects. Workload Manager creates all required service agents automatically after you create an evaluation.

To get the permission that you need to automatically create a service agent after you create the first evaluation, ask your administrator to grant you the Project IAM Admin (roles/resourcemanager.projectIamAdmin) IAM role on each target project in scope. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the resourcemanager.projects.setIamPolicy permission, which is required to automatically create a service agent after you create the first evaluation.

You might also be able to get this permission with custom roles or other predefined roles.

The email for this service agent is service-PROJECT_NUMBER@gcp-sa-workloadmanager.iam.gserviceaccount.com, and it is called Workload Manager Service Account. Workload Manager service agents are given the following roles required to run evaluations in the target projects if they don't already exist:

  • Workload Manager Service Agent (roles/workloadmanager.serviceAgent)
  • Workload Manager Worker (roles/workloadmanager.worker)

Additional Workload Manager roles

Users require additional Workload Manager roles to control further access to Workload Manager evaluations and resources.

For more information, see Workload Manager: Access control with IAM.

What's next