Cloud Key Management Service roles and permissions

`cloudkms.autokeyConfigs.get`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Autokey Admin (roles/cloudkms.autokeyAdmin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

`cloudkms.autokeyConfigs.update`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Autokey Admin (roles/cloudkms.autokeyAdmin)

`cloudkms.cryptoKeyVersions.create`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

`cloudkms.cryptoKeyVersions.destroy`

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

`cloudkms.cryptoKeyVersions.get`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Kubernetes Engine KMS Crypto Key User (roles/container.cloudKmsKeyUser)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

`cloudkms.cryptoKeyVersions.list`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

`cloudkms.cryptoKeyVersions.manageRawAesCbcKeys`

Owner (roles/owner)

Cloud KMS Expert Raw AES-CBC Key Manager (roles/cloudkms.expertRawAesCbc)

`cloudkms.cryptoKeyVersions.manageRawAesCtrKeys`

Owner (roles/owner)

Cloud KMS Expert Raw AES-CTR Key Manager (roles/cloudkms.expertRawAesCtr)

`cloudkms.cryptoKeyVersions.manageRawPKCS1Keys`

Owner (roles/owner)

Cloud KMS Expert Raw PKCS#1 Key Manager (roles/cloudkms.expertRawPKCS1)

`cloudkms.cryptoKeyVersions.restore`

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

`cloudkms.cryptoKeyVersions.update`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

`cloudkms.cryptoKeyVersions.useToDecapsulate`

Owner (roles/owner)

Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator)

Cloud KMS CryptoKey Decapsulator (roles/cloudkms.decapsulator)

`cloudkms.cryptoKeyVersions.useToDecrypt`

Owner (roles/owner)

Cloud KMS CryptoKey Decrypter (roles/cloudkms.cryptoKeyDecrypter)

Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter)

Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator)

Data Scientist (roles/iam.dataScientist)

Dev Ops (roles/iam.devOps)

Service agent roles

DLP API Service Agent (roles/dlp.serviceAgent)
Cloud KMS KACLS Service Agent (roles/cloudkmskacls.serviceAgent)

`cloudkms.cryptoKeyVersions.useToDecryptViaDelegation`

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS CryptoKey Decrypter Via Delegation (roles/cloudkms.cryptoKeyDecrypterViaDelegation)

Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation (roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation)

`cloudkms.cryptoKeyVersions.useToEncrypt`

Owner (roles/owner)

Cloud KMS CryptoKey Encrypter (roles/cloudkms.cryptoKeyEncrypter)

Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter)

Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator)

Data Scientist (roles/iam.dataScientist)

Dev Ops (roles/iam.devOps)

Service agent roles

Cloud KMS KACLS Service Agent (roles/cloudkmskacls.serviceAgent)

`cloudkms.cryptoKeyVersions.useToEncryptViaDelegation`

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation (roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation)

Cloud KMS CryptoKey Encrypter Via Delegation (roles/cloudkms.cryptoKeyEncrypterViaDelegation)

`cloudkms.cryptoKeyVersions.useToSign`

Owner (roles/owner)

Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator)

Cloud KMS CryptoKey Signer (roles/cloudkms.signer)

Cloud KMS CryptoKey Signer/Verifier (roles/cloudkms.signerVerifier)

Kubernetes Engine KMS Crypto Key User (roles/container.cloudKmsKeyUser)

`cloudkms.cryptoKeyVersions.useToVerify`

Owner (roles/owner)

Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator)

Cloud KMS CryptoKey Signer/Verifier (roles/cloudkms.signerVerifier)

Cloud KMS CryptoKey Verifier (roles/cloudkms.verifier)

Kubernetes Engine KMS Crypto Key User (roles/container.cloudKmsKeyUser)

`cloudkms.cryptoKeyVersions.viewPublicKey`

Owner (roles/owner)

Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator)

Cloud KMS CryptoKey Decapsulator (roles/cloudkms.decapsulator)

Cloud KMS CryptoKey Public Key Viewer (roles/cloudkms.publicKeyViewer)

Cloud KMS CryptoKey Signer/Verifier (roles/cloudkms.signerVerifier)

Cloud KMS CryptoKey Verifier (roles/cloudkms.verifier)

Kubernetes Engine KMS Crypto Key User (roles/container.cloudKmsKeyUser)

`cloudkms.cryptoKeys.create`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Service agent roles

Cloud KMS Service Agent (roles/cloudkms.serviceAgent)
Assured Workloads Service Agent (roles/assuredworkloads.serviceAgent)

`cloudkms.cryptoKeys.get`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Kubernetes Engine KMS Crypto Key User (roles/container.cloudKmsKeyUser)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

Service agent roles

Cloud KMS KACLS Service Agent (roles/cloudkmskacls.serviceAgent)
Cloud Security Compliance Service Agent (roles/cloudsecuritycompliance.serviceAgent)
Audit Manager Auditing Service Agent (roles/auditmanager.serviceAgent)

`cloudkms.cryptoKeys.getIamPolicy`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

Service agent roles

Cloud KMS Service Agent (roles/cloudkms.serviceAgent)

`cloudkms.cryptoKeys.list`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

Service agent roles

Cloud Security Compliance Service Agent (roles/cloudsecuritycompliance.serviceAgent)
Audit Manager Auditing Service Agent (roles/auditmanager.serviceAgent)

`cloudkms.cryptoKeys.setIamPolicy`

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

Service agent roles

Cloud KMS Service Agent (roles/cloudkms.serviceAgent)

`cloudkms.cryptoKeys.update`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

`cloudkms.ekmConfigs.get`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS EkmConnections Admin (roles/cloudkms.ekmConnectionsAdmin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

`cloudkms.ekmConfigs.getIamPolicy`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

`cloudkms.ekmConfigs.setIamPolicy`

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

`cloudkms.ekmConfigs.update`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS EkmConnections Admin (roles/cloudkms.ekmConnectionsAdmin)

`cloudkms.ekmConnections.create`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS EkmConnections Admin (roles/cloudkms.ekmConnectionsAdmin)

`cloudkms.ekmConnections.get`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS EkmConnections Admin (roles/cloudkms.ekmConnectionsAdmin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Cloud Controls Partner EKM Service Agent (roles/cloudcontrolspartner.ekmServiceAgent)

`cloudkms.ekmConnections.getIamPolicy`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Cloud Controls Partner EKM Service Agent (roles/cloudcontrolspartner.ekmServiceAgent)

`cloudkms.ekmConnections.list`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS EkmConnections Admin (roles/cloudkms.ekmConnectionsAdmin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Cloud Controls Partner EKM Service Agent (roles/cloudcontrolspartner.ekmServiceAgent)

`cloudkms.ekmConnections.setIamPolicy`

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

`cloudkms.ekmConnections.update`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS EkmConnections Admin (roles/cloudkms.ekmConnectionsAdmin)

`cloudkms.ekmConnections.use`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

`cloudkms.ekmConnections.verifyConnectivity`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS EkmConnections Admin (roles/cloudkms.ekmConnectionsAdmin)

Support User (roles/iam.supportUser)

Service agent roles

Cloud Controls Partner EKM Service Agent (roles/cloudcontrolspartner.ekmServiceAgent)

`cloudkms.importJobs.create`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Importer (roles/cloudkms.importer)

`cloudkms.importJobs.get`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Importer (roles/cloudkms.importer)

Cloud KMS Viewer (roles/cloudkms.viewer)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

`cloudkms.importJobs.getIamPolicy`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

`cloudkms.importJobs.list`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Importer (roles/cloudkms.importer)

Cloud KMS Viewer (roles/cloudkms.viewer)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

`cloudkms.importJobs.setIamPolicy`

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

`cloudkms.importJobs.useToImport`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Importer (roles/cloudkms.importer)

`cloudkms.kajPolicyConfigs.get`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Key Access Justifications Policy Config Admin (roles/cloudkms.keyAccessJustificationsPolicyConfigAdmin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

`cloudkms.kajPolicyConfigs.update`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Key Access Justifications Policy Config Admin (roles/cloudkms.keyAccessJustificationsPolicyConfigAdmin)

`cloudkms.keyHandles.create`

Owner (roles/owner)

Editor (roles/editor)

AlloyDB Admin (roles/alloydb.admin)

Artifact Registry Administrator (roles/artifactregistry.admin)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Studio User (roles/bigquery.studioUser)

BigQuery User (roles/bigquery.user)

Bigtable Administrator (roles/bigtable.admin)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Autokey User (roles/cloudkms.autokeyUser)

Cloud SQL Admin (roles/cloudsql.admin)

Composer Administrator (roles/composer.admin)

Environment and Storage Object Administrator (roles/composer.environmentAndStorageObjectAdmin)

Composer Worker (roles/composer.worker)

Compute Admin (roles/compute.admin)

Compute Instance Admin (beta) (roles/compute.instanceAdmin)

Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)

Compute Storage Admin (roles/compute.storageAdmin)

Dataflow Admin (roles/dataflow.admin)

Dataflow Developer (roles/dataflow.developer)

Dataproc Administrator (roles/dataproc.admin)

Dataproc Editor (roles/dataproc.editor)

Dataproc Serverless Editor (roles/dataproc.serverlessEditor)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Firebase Admin (roles/firebase.admin)

Firebase Develop Admin (roles/firebase.developAdmin)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

Dev Ops (roles/iam.devOps)

Infrastructure Administrator (roles/iam.infrastructureAdmin)

ML Engineer (roles/iam.mlEngineer)

Network Administrator (roles/iam.networkAdmin)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Notebooks Legacy Admin (roles/notebooks.legacyAdmin)

Pub/Sub Admin (roles/pubsub.admin)

Pub/Sub Editor (roles/pubsub.editor)

Cloud Memorystore Redis Admin (roles/redis.admin)

Cloud Run Source Developer (roles/run.sourceDeveloper)

Secret Manager Admin (roles/secretmanager.admin)

Secure Source Manager Admin (roles/securesourcemanager.admin)

Secure Source Manager Instance Owner (roles/securesourcemanager.instanceOwner)

Cloud Spanner Admin (roles/spanner.admin)

Cloud Spanner Database Admin (roles/spanner.databaseAdmin)

Storage Admin (roles/storage.admin)

`cloudkms.keyHandles.get`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

AlloyDB Admin (roles/alloydb.admin)

Artifact Registry Administrator (roles/artifactregistry.admin)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Studio User (roles/bigquery.studioUser)

BigQuery User (roles/bigquery.user)

Bigtable Administrator (roles/bigtable.admin)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Autokey User (roles/cloudkms.autokeyUser)

Cloud KMS Viewer (roles/cloudkms.viewer)

Cloud SQL Admin (roles/cloudsql.admin)

Composer Administrator (roles/composer.admin)

Environment and Storage Object Administrator (roles/composer.environmentAndStorageObjectAdmin)

Composer Worker (roles/composer.worker)

Compute Admin (roles/compute.admin)

Compute Instance Admin (beta) (roles/compute.instanceAdmin)

Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)

Compute Storage Admin (roles/compute.storageAdmin)

Dataflow Admin (roles/dataflow.admin)

Dataflow Developer (roles/dataflow.developer)

Dataproc Administrator (roles/dataproc.admin)

Dataproc Editor (roles/dataproc.editor)

Dataproc Serverless Editor (roles/dataproc.serverlessEditor)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Firebase Admin (roles/firebase.admin)

Firebase Develop Admin (roles/firebase.developAdmin)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

Dev Ops (roles/iam.devOps)

Infrastructure Administrator (roles/iam.infrastructureAdmin)

ML Engineer (roles/iam.mlEngineer)

Network Administrator (roles/iam.networkAdmin)

Security Auditor (roles/iam.securityAuditor)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Notebooks Legacy Admin (roles/notebooks.legacyAdmin)

Pub/Sub Admin (roles/pubsub.admin)

Pub/Sub Editor (roles/pubsub.editor)

Cloud Memorystore Redis Admin (roles/redis.admin)

Cloud Run Source Developer (roles/run.sourceDeveloper)

Secret Manager Admin (roles/secretmanager.admin)

Secure Source Manager Admin (roles/securesourcemanager.admin)

Secure Source Manager Instance Owner (roles/securesourcemanager.instanceOwner)

Cloud Spanner Admin (roles/spanner.admin)

Cloud Spanner Database Admin (roles/spanner.databaseAdmin)

Storage Admin (roles/storage.admin)

`cloudkms.keyHandles.list`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

AlloyDB Admin (roles/alloydb.admin)

Artifact Registry Administrator (roles/artifactregistry.admin)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Studio User (roles/bigquery.studioUser)

BigQuery User (roles/bigquery.user)

Bigtable Administrator (roles/bigtable.admin)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Autokey User (roles/cloudkms.autokeyUser)

Cloud KMS Viewer (roles/cloudkms.viewer)

Cloud SQL Admin (roles/cloudsql.admin)

Composer Administrator (roles/composer.admin)

Environment and Storage Object Administrator (roles/composer.environmentAndStorageObjectAdmin)

Composer Worker (roles/composer.worker)

Compute Admin (roles/compute.admin)

Compute Instance Admin (beta) (roles/compute.instanceAdmin)

Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)

Compute Storage Admin (roles/compute.storageAdmin)

Dataflow Admin (roles/dataflow.admin)

Dataflow Developer (roles/dataflow.developer)

Dataproc Administrator (roles/dataproc.admin)

Dataproc Editor (roles/dataproc.editor)

Dataproc Serverless Editor (roles/dataproc.serverlessEditor)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Firebase Admin (roles/firebase.admin)

Firebase Develop Admin (roles/firebase.developAdmin)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

Dev Ops (roles/iam.devOps)

Infrastructure Administrator (roles/iam.infrastructureAdmin)

ML Engineer (roles/iam.mlEngineer)

Network Administrator (roles/iam.networkAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Notebooks Legacy Admin (roles/notebooks.legacyAdmin)

Pub/Sub Admin (roles/pubsub.admin)

Pub/Sub Editor (roles/pubsub.editor)

Cloud Memorystore Redis Admin (roles/redis.admin)

Cloud Run Source Developer (roles/run.sourceDeveloper)

Secret Manager Admin (roles/secretmanager.admin)

Secure Source Manager Admin (roles/securesourcemanager.admin)

Secure Source Manager Instance Owner (roles/securesourcemanager.instanceOwner)

Cloud Spanner Admin (roles/spanner.admin)

Cloud Spanner Database Admin (roles/spanner.databaseAdmin)

Storage Admin (roles/storage.admin)

`cloudkms.keyRings.create`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Service agent roles

Cloud KMS Service Agent (roles/cloudkms.serviceAgent)
Assured Workloads Service Agent (roles/assuredworkloads.serviceAgent)

`cloudkms.keyRings.createTagBinding`

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Tag User (roles/resourcemanager.tagUser)

`cloudkms.keyRings.deleteTagBinding`

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Tag User (roles/resourcemanager.tagUser)

`cloudkms.keyRings.get`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Cloud KMS Service Agent (roles/cloudkms.serviceAgent)

`cloudkms.keyRings.getIamPolicy`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

`cloudkms.keyRings.list`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

Cloud Security Compliance Service Agent (roles/cloudsecuritycompliance.serviceAgent)
Audit Manager Auditing Service Agent (roles/auditmanager.serviceAgent)

`cloudkms.keyRings.listEffectiveTags`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

`cloudkms.keyRings.listTagBindings`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

`cloudkms.keyRings.setIamPolicy`

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

`cloudkms.locations.generateRandomBytes`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator)

Support User (roles/iam.supportUser)

`cloudkms.locations.get`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS CryptoKey Decrypter (roles/cloudkms.cryptoKeyDecrypter)

Cloud KMS CryptoKey Decrypter Via Delegation (roles/cloudkms.cryptoKeyDecrypterViaDelegation)

Cloud KMS CryptoKey Encrypter (roles/cloudkms.cryptoKeyEncrypter)

Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter)

Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation (roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation)

Cloud KMS CryptoKey Encrypter Via Delegation (roles/cloudkms.cryptoKeyEncrypterViaDelegation)

Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator)

Cloud KMS CryptoKey Decapsulator (roles/cloudkms.decapsulator)

Cloud KMS Expert Raw AES-CBC Key Manager (roles/cloudkms.expertRawAesCbc)

Cloud KMS Expert Raw AES-CTR Key Manager (roles/cloudkms.expertRawAesCtr)

Cloud KMS Expert Raw PKCS#1 Key Manager (roles/cloudkms.expertRawPKCS1)

Cloud KMS Importer (roles/cloudkms.importer)

Cloud KMS CryptoKey Public Key Viewer (roles/cloudkms.publicKeyViewer)

Cloud KMS CryptoKey Signer (roles/cloudkms.signer)

Cloud KMS CryptoKey Signer/Verifier (roles/cloudkms.signerVerifier)

Cloud KMS CryptoKey Verifier (roles/cloudkms.verifier)

Cloud KMS Viewer (roles/cloudkms.viewer)

Kubernetes Engine KMS Crypto Key User (roles/container.cloudKmsKeyUser)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

Dev Ops (roles/iam.devOps)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

DLP API Service Agent (roles/dlp.serviceAgent)

`cloudkms.locations.list`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS CryptoKey Decrypter (roles/cloudkms.cryptoKeyDecrypter)

Cloud KMS CryptoKey Decrypter Via Delegation (roles/cloudkms.cryptoKeyDecrypterViaDelegation)

Cloud KMS CryptoKey Encrypter (roles/cloudkms.cryptoKeyEncrypter)

Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter)

Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation (roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation)

Cloud KMS CryptoKey Encrypter Via Delegation (roles/cloudkms.cryptoKeyEncrypterViaDelegation)

Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator)

Cloud KMS CryptoKey Decapsulator (roles/cloudkms.decapsulator)

Cloud KMS Expert Raw AES-CBC Key Manager (roles/cloudkms.expertRawAesCbc)

Cloud KMS Expert Raw AES-CTR Key Manager (roles/cloudkms.expertRawAesCtr)

Cloud KMS Expert Raw PKCS#1 Key Manager (roles/cloudkms.expertRawPKCS1)

Cloud KMS Importer (roles/cloudkms.importer)

Cloud KMS CryptoKey Public Key Viewer (roles/cloudkms.publicKeyViewer)

Cloud KMS CryptoKey Signer (roles/cloudkms.signer)

Cloud KMS CryptoKey Signer/Verifier (roles/cloudkms.signerVerifier)

Cloud KMS CryptoKey Verifier (roles/cloudkms.verifier)

Cloud KMS Viewer (roles/cloudkms.viewer)

Kubernetes Engine KMS Crypto Key User (roles/container.cloudKmsKeyUser)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

Dev Ops (roles/iam.devOps)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Service agent roles

DLP API Service Agent (roles/dlp.serviceAgent)

`cloudkms.locations.optOutKeyDeletionMsa`

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

`cloudkms.operations.get`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

AlloyDB Admin (roles/alloydb.admin)

Artifact Registry Administrator (roles/artifactregistry.admin)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Studio User (roles/bigquery.studioUser)

BigQuery User (roles/bigquery.user)

Bigtable Administrator (roles/bigtable.admin)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Autokey User (roles/cloudkms.autokeyUser)

Cloud KMS single-tenant HSM Executor (roles/cloudkms.hsmSingleTenantExecutor)

Cloud KMS single-tenant HSM Proposer (roles/cloudkms.hsmSingleTenantProposer)

Cloud KMS single-tenant HSM Quorum Member (roles/cloudkms.hsmSingleTenantQuorumMember)

Cloud KMS Viewer (roles/cloudkms.viewer)

Cloud SQL Admin (roles/cloudsql.admin)

Composer Administrator (roles/composer.admin)

Environment and Storage Object Administrator (roles/composer.environmentAndStorageObjectAdmin)

Composer Worker (roles/composer.worker)

Compute Admin (roles/compute.admin)

Compute Instance Admin (beta) (roles/compute.instanceAdmin)

Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)

Compute Storage Admin (roles/compute.storageAdmin)

Dataflow Admin (roles/dataflow.admin)

Dataflow Developer (roles/dataflow.developer)

Dataproc Administrator (roles/dataproc.admin)

Dataproc Editor (roles/dataproc.editor)

Dataproc Serverless Editor (roles/dataproc.serverlessEditor)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Firebase Admin (roles/firebase.admin)

Firebase Develop Admin (roles/firebase.developAdmin)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

Dev Ops (roles/iam.devOps)

Infrastructure Administrator (roles/iam.infrastructureAdmin)

ML Engineer (roles/iam.mlEngineer)

Network Administrator (roles/iam.networkAdmin)

Security Auditor (roles/iam.securityAuditor)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Notebooks Legacy Admin (roles/notebooks.legacyAdmin)

Pub/Sub Admin (roles/pubsub.admin)

Pub/Sub Editor (roles/pubsub.editor)

Cloud Memorystore Redis Admin (roles/redis.admin)

Cloud Run Source Developer (roles/run.sourceDeveloper)

Secret Manager Admin (roles/secretmanager.admin)

Secure Source Manager Admin (roles/securesourcemanager.admin)

Secure Source Manager Instance Owner (roles/securesourcemanager.instanceOwner)

Cloud Spanner Admin (roles/spanner.admin)

Cloud Spanner Database Admin (roles/spanner.databaseAdmin)

Storage Admin (roles/storage.admin)

`cloudkms.projects.showEffectiveAutokeyConfig`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

AlloyDB Admin (roles/alloydb.admin)

Artifact Registry Administrator (roles/artifactregistry.admin)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery Studio User (roles/bigquery.studioUser)

BigQuery User (roles/bigquery.user)

Bigtable Administrator (roles/bigtable.admin)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Autokey Admin (roles/cloudkms.autokeyAdmin)

Cloud KMS Autokey User (roles/cloudkms.autokeyUser)

Cloud SQL Admin (roles/cloudsql.admin)

Composer Administrator (roles/composer.admin)

Environment and Storage Object Administrator (roles/composer.environmentAndStorageObjectAdmin)

Composer Worker (roles/composer.worker)

Compute Admin (roles/compute.admin)

Compute Instance Admin (beta) (roles/compute.instanceAdmin)

Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)

Compute Storage Admin (roles/compute.storageAdmin)

Dataflow Admin (roles/dataflow.admin)

Dataflow Developer (roles/dataflow.developer)

Dataproc Administrator (roles/dataproc.admin)

Dataproc Editor (roles/dataproc.editor)

Dataproc Serverless Editor (roles/dataproc.serverlessEditor)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Firebase Admin (roles/firebase.admin)

Firebase Develop Admin (roles/firebase.developAdmin)

Data Scientist (roles/iam.dataScientist)

Databases Admin (roles/iam.databasesAdmin)

Dev Ops (roles/iam.devOps)

Infrastructure Administrator (roles/iam.infrastructureAdmin)

ML Engineer (roles/iam.mlEngineer)

Network Administrator (roles/iam.networkAdmin)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

Notebooks Legacy Admin (roles/notebooks.legacyAdmin)

Pub/Sub Admin (roles/pubsub.admin)

Pub/Sub Editor (roles/pubsub.editor)

Cloud Memorystore Redis Admin (roles/redis.admin)

Cloud Run Source Developer (roles/run.sourceDeveloper)

Secret Manager Admin (roles/secretmanager.admin)

Secure Source Manager Admin (roles/securesourcemanager.admin)

Secure Source Manager Instance Owner (roles/securesourcemanager.instanceOwner)

Cloud Spanner Admin (roles/spanner.admin)

Cloud Spanner Database Admin (roles/spanner.databaseAdmin)

Storage Admin (roles/storage.admin)

`cloudkms.projects.showEffectiveKajEnrollmentConfig`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Key Access Justifications Enrollment Viewer (roles/cloudkms.keyAccessJustificationsEnrollmentConfigViewer)

Support User (roles/iam.supportUser)

`cloudkms.projects.showEffectiveKajPolicyConfig`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Key Access Justifications Policy Config Admin (roles/cloudkms.keyAccessJustificationsPolicyConfigAdmin)

Support User (roles/iam.supportUser)

`cloudkms.protectedResources.search`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Protected Resources Viewer (roles/cloudkms.protectedResourcesViewer)

Support User (roles/iam.supportUser)

`cloudkms.singleTenantHsmInstanceProposals.approve`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS single-tenant HSM Quorum Member (roles/cloudkms.hsmSingleTenantQuorumMember)

`cloudkms.singleTenantHsmInstanceProposals.create`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS single-tenant HSM Proposer (roles/cloudkms.hsmSingleTenantProposer)

`cloudkms.singleTenantHsmInstanceProposals.delete`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS single-tenant HSM Proposer (roles/cloudkms.hsmSingleTenantProposer)

`cloudkms.singleTenantHsmInstanceProposals.execute`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS single-tenant HSM Executor (roles/cloudkms.hsmSingleTenantExecutor)

`cloudkms.singleTenantHsmInstanceProposals.get`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS single-tenant HSM Executor (roles/cloudkms.hsmSingleTenantExecutor)

Cloud KMS single-tenant HSM Proposer (roles/cloudkms.hsmSingleTenantProposer)

Cloud KMS single-tenant HSM Quorum Member (roles/cloudkms.hsmSingleTenantQuorumMember)

Cloud KMS Viewer (roles/cloudkms.viewer)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

`cloudkms.singleTenantHsmInstanceProposals.list`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS single-tenant HSM Executor (roles/cloudkms.hsmSingleTenantExecutor)

Cloud KMS single-tenant HSM Proposer (roles/cloudkms.hsmSingleTenantProposer)

Cloud KMS single-tenant HSM Quorum Member (roles/cloudkms.hsmSingleTenantQuorumMember)

Cloud KMS Viewer (roles/cloudkms.viewer)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

`cloudkms.singleTenantHsmInstances.create`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS single-tenant HSM Proposer (roles/cloudkms.hsmSingleTenantProposer)

`cloudkms.singleTenantHsmInstances.get`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS single-tenant HSM Executor (roles/cloudkms.hsmSingleTenantExecutor)

Cloud KMS single-tenant HSM Key Creator (roles/cloudkms.hsmSingleTenantKeyCreator)

Cloud KMS single-tenant HSM Proposer (roles/cloudkms.hsmSingleTenantProposer)

Cloud KMS single-tenant HSM Quorum Member (roles/cloudkms.hsmSingleTenantQuorumMember)

Cloud KMS Viewer (roles/cloudkms.viewer)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Auditor (roles/iam.securityAuditor)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

`cloudkms.singleTenantHsmInstances.list`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS single-tenant HSM Executor (roles/cloudkms.hsmSingleTenantExecutor)

Cloud KMS single-tenant HSM Key Creator (roles/cloudkms.hsmSingleTenantKeyCreator)

Cloud KMS single-tenant HSM Proposer (roles/cloudkms.hsmSingleTenantProposer)

Cloud KMS single-tenant HSM Quorum Member (roles/cloudkms.hsmSingleTenantQuorumMember)

Cloud KMS Viewer (roles/cloudkms.viewer)

Databases Admin (roles/iam.databasesAdmin)

ML Engineer (roles/iam.mlEngineer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Site Reliability Engineer (roles/iam.siteReliabilityEngineer)

Support User (roles/iam.supportUser)

`cloudkms.singleTenantHsmInstances.use`

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS single-tenant HSM Key Creator (roles/cloudkms.hsmSingleTenantKeyCreator)