GCP Predefined Roles Finder

GCP Predefined Roles Finder - codehex.dev

Access Approval Approver

roles/accessapproval.approver

Ability to view or act on access approval requests and view configuration

accessapproval.requests.*
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list

Access Approval Config Editor

roles/accessapproval.configEditor

Ability to update the Access Approval configuration

accessapproval.settings.*
resourcemanager.projects.get
resourcemanager.projects.list

Access Approval Viewer

roles/accessapproval.viewer

Ability to view access approval requests and configuration

accessapproval.requests.get
accessapproval.requests.list
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Access Binding Admin

roles/accesscontextmanager.gcpAccessAdmin

Create, edit, and change Cloud access bindings.

accesscontextmanager.gcpUserAccessBindings.*

Cloud Access Binding Reader

roles/accesscontextmanager.gcpAccessReader

Read access to Cloud access bindings.

accesscontextmanager.gcpUserAccessBindings.get
accesscontextmanager.gcpUserAccessBindings.list

Access Context Manager Admin

roles/accesscontextmanager.policyAdmin

Full access to policies, access levels, and access zones

accesscontextmanager.accessLevels.*
accesscontextmanager.accessPolicies.*
accesscontextmanager.accessZones.*
accesscontextmanager.policies.*
accesscontextmanager.servicePerimeters.*
cloudasset.assets.searchAllResources
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

Access Context Manager Editor

roles/accesscontextmanager.policyEditor

Edit access to policies. Create, edit, and change access levels and access zones.

accesscontextmanager.accessLevels.*
accesscontextmanager.accessPolicies.create
accesscontextmanager.accessPolicies.delete
accesscontextmanager.accessPolicies.get
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessPolicies.update
accesscontextmanager.accessZones.*
accesscontextmanager.policies.create
accesscontextmanager.policies.delete
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.policies.update
accesscontextmanager.servicePerimeters.*
cloudasset.assets.searchAllResources
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

Access Context Manager Reader

roles/accesscontextmanager.policyReader

Read access to policies, access levels, and access zones.

accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.get
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessZones.get
accesscontextmanager.accessZones.list
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

VPC Service Controls Troubleshooter Viewer

roles/accesscontextmanager.vpcScTroubleshooterViewer

accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.list
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
logging.exclusions.get
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.sinks.get
logging.sinks.list
logging.usage.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

Actions Admin

roles/actions.Admin

Access to edit and deploy an action

actions.*
firebase.projects.get
firebase.projects.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use

Actions Viewer

roles/actions.Viewer

Access to view an action

actions.agent.get
actions.agentVersions.get
actions.agentVersions.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use

Notebooks Admin

roles/notebooks.admin

Full access to Notebooks, all resources.

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.validate
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
notebooks.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Notebooks Legacy Admin

roles/notebooks.legacyAdmin

Full access to Notebooks all resources through compute API.

compute.*
notebooks.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Notebooks Legacy Viewer

roles/notebooks.legacyViewer

Read-only access to Notebooks all resources through compute API.

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.validate
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
notebooks.environments.get
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.executions.get
notebooks.executions.getIamPolicy
notebooks.executions.list
notebooks.instances.checkUpgradability
notebooks.instances.get
notebooks.instances.getHealth
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.locations.*
notebooks.operations.get
notebooks.operations.list
notebooks.runtimes.get
notebooks.runtimes.getIamPolicy
notebooks.runtimes.list
notebooks.schedules.get
notebooks.schedules.getIamPolicy
notebooks.schedules.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Notebooks Runner

roles/notebooks.runner

Restricted access for running scheduled Notebooks.

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.validate
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
notebooks.environments.get
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.executions.create
notebooks.executions.get
notebooks.executions.getIamPolicy
notebooks.executions.list
notebooks.instances.checkUpgradability
notebooks.instances.create
notebooks.instances.get
notebooks.instances.getHealth
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.locations.*
notebooks.operations.get
notebooks.operations.list
notebooks.runtimes.create
notebooks.runtimes.get
notebooks.runtimes.getIamPolicy
notebooks.runtimes.list
notebooks.schedules.create
notebooks.schedules.get
notebooks.schedules.getIamPolicy
notebooks.schedules.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Notebooks Viewer

roles/notebooks.viewer

Read-only access to Notebooks, all resources.

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.validate
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
notebooks.environments.get
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.executions.get
notebooks.executions.getIamPolicy
notebooks.executions.list
notebooks.instances.checkUpgradability
notebooks.instances.get
notebooks.instances.getHealth
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.locations.*
notebooks.operations.get
notebooks.operations.list
notebooks.runtimes.get
notebooks.runtimes.getIamPolicy
notebooks.runtimes.list
notebooks.schedules.get
notebooks.schedules.getIamPolicy
notebooks.schedules.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

AI Platform Admin

roles/ml.admin

Provides full access to AI Platform resources, and its jobs, operations, models, and versions.

ml.*
resourcemanager.projects.get

AI Platform Developer

roles/ml.developer

Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests.

ml.jobs.create
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.*
ml.models.create
ml.models.get
ml.models.getIamPolicy
ml.models.list
ml.models.predict
ml.operations.get
ml.operations.list
ml.projects.*
ml.studies.*
ml.trials.*
ml.versions.get
ml.versions.list
ml.versions.predict
resourcemanager.projects.get

AI Platform Job Owner

roles/ml.jobOwner

Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job.

ml.jobs.*

AI Platform Model Owner

roles/ml.modelOwner

Provides full access to the model and its versions. This role is automatically granted to the user who creates the model.

ml.models.*
ml.versions.*

AI Platform Model User

roles/ml.modelUser

Provides permissions to read the model and its versions, and use them for prediction.

ml.models.get
ml.models.predict
ml.versions.get
ml.versions.list
ml.versions.predict

AI Platform Operation Owner

roles/ml.operationOwner

Provides full access to all permissions for a particular operation resource.

ml.operations.*

AI Platform Viewer

roles/ml.viewer

Provides read-only access to AI Platform resources.

ml.jobs.get
ml.jobs.list
ml.locations.*
ml.models.get
ml.models.list
ml.operations.get
ml.operations.list
ml.projects.*
ml.studies.get
ml.studies.getIamPolicy
ml.studies.list
ml.trials.get
ml.trials.list
ml.versions.get
ml.versions.list
resourcemanager.projects.get

Analytics Hub Admin

roles/analyticshub.admin

Administer Data Exchanges and Listings

analyticshub.dataExchanges.*
analyticshub.listings.create
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.setIamPolicy
analyticshub.listings.update
resourcemanager.projects.get
resourcemanager.projects.list

Analytics Hub Listing Admin

roles/analyticshub.listingAdmin

Grants full control over the Listing, including updating, deleting and setting ACLs

analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.setIamPolicy
analyticshub.listings.update
resourcemanager.projects.get
resourcemanager.projects.list

Analytics Hub Publisher

roles/analyticshub.publisher

Can publish to Data Exchanges thus creating Listings

analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.create
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
resourcemanager.projects.get
resourcemanager.projects.list

Analytics Hub Subscriber

roles/analyticshub.subscriber

Can browse Data Exchanges and subscribe to Listings

analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.subscribe
resourcemanager.projects.get
resourcemanager.projects.list

Analytics Hub Viewer

roles/analyticshub.viewer

Can browse Data Exchanges and Listings

analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
resourcemanager.projects.get
resourcemanager.projects.list

Android Management User

roles/androidmanagement.user

Full access to manage devices.

androidmanagement.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Anthos Multi-cloud Admin

roles/gkemulticloud.admin

Admin access to Anthos Multi-cloud resources.

gkemulticloud.*
resourcemanager.projects.get
resourcemanager.projects.list

Anthos Multi-cloud Telemetry Writer

roles/gkemulticloud.telemetryWriter

Grant access to write cluster telemetry data such as logs, metrics, and resource metadata.

logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
opsconfigmonitoring.resourceMetadata.write

Anthos Multi-cloud Viewer

roles/gkemulticloud.viewer

Viewer access to Anthos Multi-cloud resources.

gkemulticloud.awsClusters.generateAccessToken
gkemulticloud.awsClusters.get
gkemulticloud.awsClusters.list
gkemulticloud.awsNodePools.get
gkemulticloud.awsNodePools.list
gkemulticloud.awsServerConfigs.*
gkemulticloud.azureClients.get
gkemulticloud.azureClients.list
gkemulticloud.azureClusters.generateAccessToken
gkemulticloud.azureClusters.get
gkemulticloud.azureClusters.list
gkemulticloud.azureNodePools.get
gkemulticloud.azureNodePools.list
gkemulticloud.azureServerConfigs.*
gkemulticloud.operations.get
gkemulticloud.operations.list
gkemulticloud.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list

ApiGateway Admin

roles/apigateway.admin

Full access to ApiGateway and related resources.

apigateway.*
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.list

ApiGateway Viewer

roles/apigateway.viewer

Read-only access to ApiGateway and related resources.

apigateway.apiconfigs.get
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apis.get
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.gateways.get
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.locations.*
apigateway.operations.get
apigateway.operations.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.list

Apigee Organization Admin

roles/apigee.admin

Full access to all apigee resource features

apigee.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

Apigee Analytics Agent

roles/apigee.analyticsAgent

Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization

apigee.environments.getDataLocation
apigee.runtimeconfigs.*

Apigee Analytics Editor

roles/apigee.analyticsEditor

Analytics editor for an Apigee Organization

apigee.datacollectors.*
apigee.datastores.*
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.exports.*
apigee.hostqueries.*
apigee.hoststats.*
apigee.organizations.get
apigee.organizations.list
apigee.queries.*
apigee.reports.*
resourcemanager.projects.get
resourcemanager.projects.list

Apigee Analytics Viewer

roles/apigee.analyticsViewer

Analytics viewer for an Apigee Organization

apigee.datacollectors.get
apigee.datacollectors.list
apigee.datastores.get
apigee.datastores.list
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.exports.get
apigee.exports.list
apigee.hostqueries.get
apigee.hostqueries.list
apigee.hoststats.*
apigee.organizations.get
apigee.organizations.list
apigee.queries.get
apigee.queries.list
apigee.reports.get
apigee.reports.list
resourcemanager.projects.get
resourcemanager.projects.list

Apigee API Admin

roles/apigee.apiAdminV2

Full read/write access to all apigee API resources

apigee.apiproductattributes.*
apigee.apiproducts.*
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.keyvaluemapentries.*
apigee.keyvaluemaps.list
apigee.organizations.get
apigee.organizations.list
apigee.proxies.*
apigee.proxyrevisions.*
apigee.sharedflowrevisions.*
apigee.sharedflows.*
resourcemanager.projects.get
resourcemanager.projects.list

Apigee API Reader

roles/apigee.apiReaderV2

Reader of apigee resources

apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.keyvaluemapentries.*
apigee.keyvaluemaps.list
apigee.organizations.get
apigee.organizations.list
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.deploy
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.proxyrevisions.undeploy
apigee.sharedflowrevisions.deploy
apigee.sharedflowrevisions.get
apigee.sharedflowrevisions.list
apigee.sharedflowrevisions.undeploy
apigee.sharedflows.get
apigee.sharedflows.list
resourcemanager.projects.get
resourcemanager.projects.list

Apigee Developer Admin

roles/apigee.developerAdmin

Developer admin of apigee resources

apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.appkeys.*
apigee.apps.*
apigee.datacollectors.*
apigee.developerappattributes.*
apigee.developerapps.*
apigee.developerattributes.*
apigee.developerbalances.*
apigee.developermonetizationconfigs.*
apigee.developers.*
apigee.developersubscriptions.*
apigee.environments.get
apigee.environments.getStats
apigee.hoststats.*
apigee.organizations.get
apigee.organizations.list
apigee.rateplans.get
apigee.rateplans.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

Apigee Environment Admin

roles/apigee.environmentAdmin

Full read/write access to apigee environment resources, including deployments.

apigee.archivedeployments.*
apigee.datacollectors.get
apigee.datacollectors.list
apigee.deployments.*
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getIamPolicy
apigee.environments.getStats
apigee.environments.list
apigee.environments.setIamPolicy
apigee.environments.update
apigee.flowhooks.*
apigee.ingressconfigs.*
apigee.keystorealiases.*
apigee.keystores.*
apigee.keyvaluemaps.*
apigee.maskconfigs.*
apigee.organizations.get
apigee.organizations.list
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.deploy
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.proxyrevisions.undeploy
apigee.references.*
apigee.resourcefiles.*
apigee.sharedflowrevisions.deploy
apigee.sharedflowrevisions.get
apigee.sharedflowrevisions.list
apigee.sharedflowrevisions.undeploy
apigee.sharedflows.get
apigee.sharedflows.list
apigee.targetservers.*
apigee.tracesessions.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

Apigee Monetization Admin

roles/apigee.monetizationAdmin

All permissions related to monetization

apigee.apiproducts.get
apigee.apiproducts.list
apigee.developerbalances.*
apigee.developermonetizationconfigs.*
apigee.developersubscriptions.*
apigee.organizations.get
apigee.organizations.list
apigee.rateplans.*
resourcemanager.projects.get
resourcemanager.projects.list

Apigee Portal Admin

roles/apigee.portalAdmin

Portal admin for an Apigee Organization

apigee.organizations.get
apigee.organizations.list
apigee.portals.*
resourcemanager.projects.get
resourcemanager.projects.list

Apigee Read-only Admin

roles/apigee.readOnlyAdmin

Viewer of all apigee resources

apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.appkeys.get
apigee.apps.*
apigee.archivedeployments.download
apigee.archivedeployments.get
apigee.archivedeployments.list
apigee.caches.list
apigee.canaryevaluations.get
apigee.datacollectors.get
apigee.datacollectors.list
apigee.datastores.get
apigee.datastores.list
apigee.deployments.get
apigee.deployments.list
apigee.developerappattributes.get
apigee.developerappattributes.list
apigee.developerapps.get
apigee.developerapps.list
apigee.developerattributes.get
apigee.developerattributes.list
apigee.developerbalances.get
apigee.developermonetizationconfigs.get
apigee.developers.get
apigee.developers.list
apigee.developersubscriptions.get
apigee.developersubscriptions.list
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getDataLocation
apigee.environments.getIamPolicy
apigee.environments.getStats
apigee.environments.list
apigee.exports.get
apigee.exports.list
apigee.flowhooks.getSharedFlow
apigee.flowhooks.list
apigee.hostqueries.get
apigee.hostqueries.list
apigee.hostsecurityreports.get
apigee.hostsecurityreports.list
apigee.hoststats.*
apigee.ingressconfigs.*
apigee.instanceattachments.get
apigee.instanceattachments.list
apigee.instances.get
apigee.instances.list
apigee.keystorealiases.get
apigee.keystorealiases.list
apigee.keystores.get
apigee.keystores.list
apigee.keyvaluemapentries.*
apigee.keyvaluemaps.list
apigee.maskconfigs.get
apigee.operations.*
apigee.organizations.get
apigee.organizations.list
apigee.portals.get
apigee.portals.list
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.queries.get
apigee.queries.list
apigee.rateplans.get
apigee.rateplans.list
apigee.references.get
apigee.references.list
apigee.reports.get
apigee.reports.list
apigee.resourcefiles.get
apigee.resourcefiles.list
apigee.runtimeconfigs.*
apigee.securityreports.get
apigee.securityreports.list
apigee.sharedflowrevisions.get
apigee.sharedflowrevisions.list
apigee.sharedflows.get
apigee.sharedflows.list
apigee.targetservers.get
apigee.targetservers.list
apigee.tracesessions.get
apigee.tracesessions.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

Apigee Runtime Agent

roles/apigee.runtimeAgent

Curated set of permissions for a runtime agent to access Apigee Organization resources

apigee.canaryevaluations.*
apigee.ingressconfigs.*
apigee.instances.reportStatus
apigee.operations.*
apigee.organizations.get
apigee.runtimeconfigs.*

Apigee Security Admin

roles/apigee.securityAdmin

Security admin for an Apigee Organization

apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.hostsecurityreports.*
apigee.organizations.get
apigee.organizations.list
apigee.securityreports.*
resourcemanager.projects.get
resourcemanager.projects.list

Apigee Security Viewer

roles/apigee.securityViewer

Security viewer for an Apigee Organization

apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.hostsecurityreports.get
apigee.hostsecurityreports.list
apigee.organizations.get
apigee.organizations.list
apigee.securityreports.get
apigee.securityreports.list
resourcemanager.projects.get
resourcemanager.projects.list

Apigee Synchronizer Manager

roles/apigee.synchronizerManager

Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization

apigee.environments.get
apigee.environments.manageRuntime
apigee.ingressconfigs.*

Apigee Connect Admin

roles/apigeeconnect.Admin

Admin of Apigee Connect

apigeeconnect.connections.*

Apigee Connect Agent

roles/apigeeconnect.Agent

Ability to set up Apigee Connect agent between external clusters and Google.

apigeeconnect.endpoints.*

Cloud Apigee Registry Admin

roles/apigeeregistry.admin

Full access to Cloud Apigee Registry Registry and Runtime resources.

apigeeregistry.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Apigee Registry Editor

roles/apigeeregistry.editor

Edit access to Cloud Apigee Registry Registry resources.

apigeeregistry.apis.create
apigeeregistry.apis.delete
apigeeregistry.apis.get
apigeeregistry.apis.getIamPolicy
apigeeregistry.apis.list
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.getIamPolicy
apigeeregistry.artifacts.list
apigeeregistry.artifacts.update
apigeeregistry.deployments.*
apigeeregistry.specs.create
apigeeregistry.specs.delete
apigeeregistry.specs.get
apigeeregistry.specs.getIamPolicy
apigeeregistry.specs.list
apigeeregistry.specs.update
apigeeregistry.versions.create
apigeeregistry.versions.delete
apigeeregistry.versions.get
apigeeregistry.versions.getIamPolicy
apigeeregistry.versions.list
apigeeregistry.versions.update
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Apigee Registry Viewer

roles/apigeeregistry.viewer

Read-only access to Cloud Apigee Registry Registry resources.

apigeeregistry.apis.get
apigeeregistry.apis.list
apigeeregistry.artifacts.get
apigeeregistry.artifacts.list
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.specs.get
apigeeregistry.specs.list
apigeeregistry.versions.get
apigeeregistry.versions.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Apigee Registry Worker

roles/apigeeregistry.worker

The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts.

apigeeregistry.apis.get
apigeeregistry.apis.list
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.list
apigeeregistry.artifacts.update
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.deployments.update
apigeeregistry.specs.get
apigeeregistry.specs.list
apigeeregistry.specs.update
apigeeregistry.versions.get
apigeeregistry.versions.list
apigeeregistry.versions.update
resourcemanager.projects.get
resourcemanager.projects.list

App Engine Admin

roles/appengine.appAdmin

Read/Write/Modify access to all application configuration and settings. To deploy new versions, a principal must have the Service Account User (roles/iam.serviceAccountUser) role on the App Engine default service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.

appengine.applications.get
appengine.applications.update
appengine.instances.*
appengine.operations.*
appengine.runtimes.*
appengine.services.*
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
resourcemanager.projects.get
resourcemanager.projects.list

App Engine Creator

roles/appengine.appCreator

Ability to create the App Engine resource for the project.

appengine.applications.create
resourcemanager.projects.get
resourcemanager.projects.list

App Engine Viewer

roles/appengine.appViewer

Read-only access to all application configuration and settings.

appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list

App Engine Code Viewer

roles/appengine.codeViewer

Read-only access to all application configuration, settings, and deployed source code.

appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.getFileContents
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list

App Engine Deployer

roles/appengine.deployer

Read-only access to all application configuration and settings. To deploy new versions, you must also have the Service Account User (roles/iam.serviceAccountUser) role on the App Engine default service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project. Cannot modify existing versions other than deleting versions that are not receiving traffic.

appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list

App Engine Service Admin

roles/appengine.serviceAdmin

Read-only access to all application configuration and settings. Write access to module-level and version-level settings. Cannot deploy a new version.

appengine.applications.get
appengine.instances.*
appengine.operations.*
appengine.services.*
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
resourcemanager.projects.get
resourcemanager.projects.list

Artifact Registry Administrator

roles/artifactregistry.admin

Administrator access to create and manage repositories.

artifactregistry.*

Artifact Registry Reader

roles/artifactregistry.reader

Access to read repository items.

artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list

Artifact Registry Repository Administrator

roles/artifactregistry.repoAdmin

Access to manage artifacts in repositories.

artifactregistry.aptartifacts.*
artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.packages.*
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.*
artifactregistry.versions.*
artifactregistry.yumartifacts.*

Artifact Registry Writer

roles/artifactregistry.writer

Access to read and write repository items.

artifactregistry.aptartifacts.*
artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.yumartifacts.*

Assured Workloads Administrator

roles/assuredworkloads.admin

Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration

assuredworkloads.*
orgpolicy.policy.*
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.create
resourcemanager.projects.get
resourcemanager.projects.list

Assured Workloads Editor

roles/assuredworkloads.editor

Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration

assuredworkloads.*
orgpolicy.policy.*
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.create
resourcemanager.projects.get
resourcemanager.projects.list

Assured Workloads Reader

roles/assuredworkloads.reader

Grants read access to all Assured Workloads resources and CRM resources - project/folder

assuredworkloads.operations.*
assuredworkloads.violations.*
assuredworkloads.workload.get
assuredworkloads.workload.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

AutoML Admin

roles/automl.admin

Full access to all AutoML resources

automl.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list

AutoML Editor

roles/automl.editor

Editor of all AutoML resources

automl.annotationSpecs.*
automl.annotations.*
automl.columnSpecs.*
automl.datasets.create
automl.datasets.delete
automl.datasets.export
automl.datasets.get
automl.datasets.import
automl.datasets.list
automl.datasets.update
automl.examples.*
automl.humanAnnotationTasks.*
automl.locations.get
automl.locations.list
automl.modelEvaluations.*
automl.models.create
automl.models.delete
automl.models.deploy
automl.models.export
automl.models.get
automl.models.list
automl.models.predict
automl.models.undeploy
automl.operations.*
automl.tableSpecs.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list

AutoML Predictor

roles/automl.predictor

Predict using models

automl.models.predict
resourcemanager.projects.get
resourcemanager.projects.list

AutoML Viewer

roles/automl.viewer

Viewer of all AutoML resources

automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list

Backup for GKE Admin

roles/gkebackup.admin

Full access to all Backup for GKE resources.

gkebackup.*
resourcemanager.projects.get
resourcemanager.projects.list

Backup for GKE Backup Admin

roles/gkebackup.backupAdmin

Allows administrators to manage all BackupPlan and Backup resources.

gkebackup.backupPlans.*
gkebackup.backups.*
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.volumeBackups.*
resourcemanager.projects.get
resourcemanager.projects.list

Backup for GKE Delegated Backup Admin

roles/gkebackup.delegatedBackupAdmin

Allows administrators to manage Backup resources for specific BackupPlans

gkebackup.backupPlans.get
gkebackup.backups.*
gkebackup.volumeBackups.*

Backup for GKE Delegated Restore Admin

roles/gkebackup.delegatedRestoreAdmin

Allows administrators to manage Restore resources for specific RestorePlans

gkebackup.restorePlans.get
gkebackup.restores.*
gkebackup.volumeRestores.*

Backup for GKE Restore Admin

roles/gkebackup.restoreAdmin

Allows administrators to manage all RestorePlan and Restore resources.

gkebackup.backupPlans.get
gkebackup.backupPlans.list
gkebackup.backups.get
gkebackup.backups.list
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.restorePlans.*
gkebackup.restores.*
gkebackup.volumeBackups.*
gkebackup.volumeRestores.*
resourcemanager.projects.get
resourcemanager.projects.list

Backup for GKE Viewer

roles/gkebackup.viewer

Read-only access to all Backup for GKE resources.

gkebackup.backupPlans.get
gkebackup.backupPlans.getIamPolicy
gkebackup.backupPlans.list
gkebackup.backups.get
gkebackup.backups.list
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.restorePlans.get
gkebackup.restorePlans.getIamPolicy
gkebackup.restorePlans.list
gkebackup.restores.get
gkebackup.restores.list
gkebackup.volumeBackups.*
gkebackup.volumeRestores.*
resourcemanager.projects.get
resourcemanager.projects.list

BigQuery Admin

roles/bigquery.admin

Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.

bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.config.*
bigquery.connections.*
bigquery.dataPolicies.*
bigquery.datasets.*
bigquery.jobs.*
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.*
bigquery.reservations.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.overrideTimeTravelRestrictions
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.savedqueries.*
bigquery.tables.*
bigquery.transfers.*
bigquerymigration.translation.*
resourcemanager.projects.get
resourcemanager.projects.list

BigQuery Connection Admin

roles/bigquery.connectionAdmin

bigquery.connections.*

BigQuery Connection User

roles/bigquery.connectionUser

bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.use

BigQuery Data Editor

roles/bigquery.dataEditor

When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.

bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.models.*
bigquery.routines.*
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
resourcemanager.projects.get
resourcemanager.projects.list

BigQuery Data Owner

roles/bigquery.dataOwner

When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Share the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read, update, and delete the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.

bigquery.config.get
bigquery.dataPolicies.*
bigquery.datasets.*
bigquery.models.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.tables.*
resourcemanager.projects.get
resourcemanager.projects.list

BigQuery Data Viewer

roles/bigquery.dataViewer

When applied to a table or view, this role provides permissions to: Read data and metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.createSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
resourcemanager.projects.get
resourcemanager.projects.list

BigQuery Filtered Data Viewer

roles/bigquery.filteredDataViewer

Access to view filtered table data defined by a row access policy

bigquery.rowAccessPolicies.getFilteredData

BigQuery Job User

roles/bigquery.jobUser

Provides permissions to run jobs, including queries, within the project.

bigquery.config.get
bigquery.jobs.create
resourcemanager.projects.get
resourcemanager.projects.list

BigQuery Metadata Viewer

roles/bigquery.metadataViewer

When applied to a table or view, this role provides permissions to: Read metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: List tables and views in the dataset. Read metadata from the dataset's tables and views. When applied at the project or organization level, this role provides permissions to: List all datasets and read metadata for all datasets in the project. List all tables and views and read metadata for all tables and views in the project. Additional roles are necessary to allow the running of jobs.

bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.get
bigquery.tables.getIamPolicy
bigquery.tables.list
resourcemanager.projects.get
resourcemanager.projects.list

BigQuery Read Session User

roles/bigquery.readSessionUser

Access to create and use read sessions

bigquery.readsessions.*
resourcemanager.projects.get
resourcemanager.projects.list

BigQuery Resource Admin

roles/bigquery.resourceAdmin

Administer all BigQuery resources.

bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.reservationAssignments.*
bigquery.reservations.*
recommender.bigqueryCapacityCommitmentsInsights.*
recommender.bigqueryCapacityCommitmentsRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list

BigQuery Resource Editor

roles/bigquery.resourceEditor

Manage all BigQuery resources, but cannot make purchasing decisions.

bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.reservationAssignments.*
bigquery.reservations.*
resourcemanager.projects.get
resourcemanager.projects.list

BigQuery Resource Viewer

roles/bigquery.resourceViewer

View all BigQuery resources but cannot make changes or purchasing decisions.

bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
resourcemanager.projects.get
resourcemanager.projects.list

BigQuery User

roles/bigquery.user

When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.jobs.create
bigquery.jobs.list
bigquery.models.list
bigquery.readsessions.*
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.routines.list
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.list
bigquery.transfers.get
bigquerymigration.translation.*
resourcemanager.projects.get
resourcemanager.projects.list

Billing Account Administrator

roles/billing.admin

Provides access to see and manage all aspects of billing accounts.

billing.accounts.close
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getPaymentInfo
billing.accounts.getPricing
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.accounts.move
billing.accounts.redeemPromotion
billing.accounts.removeFromOrganization
billing.accounts.reopen
billing.accounts.setIamPolicy
billing.accounts.update
billing.accounts.updatePaymentInfo
billing.accounts.updateUsageExportSpec
billing.budgets.*
billing.credits.*
billing.resourceAssociations.*
billing.subscriptions.*
cloudnotifications.*
commerceoffercatalog.*
consumerprocurement.accounts.*
consumerprocurement.orderAttributions.*
consumerprocurement.orders.*
dataprocessing.datasources.get
dataprocessing.datasources.list
dataprocessing.groupcontrols.get
dataprocessing.groupcontrols.list
logging.logEntries.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
recommender.commitmentUtilizationInsights.*
recommender.usageCommitmentRecommendations.*
resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment

Billing Account Costs Manager

roles/billing.costsManager

Manage budgets for a billing account, and view, analyze, and export cost information of a billing account.

billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.accounts.updateUsageExportSpec
billing.budgets.*
billing.resourceAssociations.list

Billing Account Creator

roles/billing.creator

Provides access to create billing accounts.

billing.accounts.create
resourcemanager.organizations.get

Project Billing Manager

roles/billing.projectManager

When granted in conjunction with the Billing Account User role, provides access to assign a project's billing account or disable its billing.

resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment

Billing Account User

roles/billing.user

When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts.

billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.*
billing.resourceAssociations.create

Billing Account Viewer

roles/billing.viewer

View billing account cost and pricing information, transactions, and billing and commitment recommendations.

billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getPaymentInfo
billing.accounts.getPricing
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.budgets.get
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.get
billing.subscriptions.list
commerceoffercatalog.*
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
dataprocessing.datasources.get
dataprocessing.datasources.list
dataprocessing.groupcontrols.get
dataprocessing.groupcontrols.list
recommender.commitmentUtilizationInsights.get
recommender.commitmentUtilizationInsights.list
recommender.usageCommitmentRecommendations.get
recommender.usageCommitmentRecommendations.list

Binary Authorization Attestor Admin

roles/binaryauthorization.attestorsAdmin

Administrator of Binary Authorization Attestors

binaryauthorization.attestors.*
resourcemanager.projects.get
resourcemanager.projects.list

Binary Authorization Attestor Editor

roles/binaryauthorization.attestorsEditor

Editor of Binary Authorization Attestors

binaryauthorization.attestors.create
binaryauthorization.attestors.delete
binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.update
binaryauthorization.attestors.verifyImageAttested
resourcemanager.projects.get
resourcemanager.projects.list

Binary Authorization Attestor Image Verifier

roles/binaryauthorization.attestorsVerifier

Caller of Binary Authorization Attestors VerifyImageAttested

binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.verifyImageAttested
resourcemanager.projects.get
resourcemanager.projects.list

Binary Authorization Attestor Viewer

roles/binaryauthorization.attestorsViewer

Viewer of Binary Authorization Attestors

binaryauthorization.attestors.get
binaryauthorization.attestors.list
resourcemanager.projects.get
resourcemanager.projects.list

Binary Authorization Policy Administrator

roles/binaryauthorization.policyAdmin

Administrator of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.*
binaryauthorization.platformPolicies.*
binaryauthorization.policy.*
resourcemanager.projects.get
resourcemanager.projects.list

Binary Authorization Policy Editor

roles/binaryauthorization.policyEditor

Editor of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.get
binaryauthorization.continuousValidationConfig.update
binaryauthorization.platformPolicies.*
binaryauthorization.policy.evaluatePolicy
binaryauthorization.policy.get
binaryauthorization.policy.update
resourcemanager.projects.get
resourcemanager.projects.list

Binary Authorization Policy Evaluator

roles/binaryauthorization.policyEvaluator

Evaluator of Binary Authorization Policy

binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.policy.evaluatePolicy
binaryauthorization.policy.get
resourcemanager.projects.get
resourcemanager.projects.list

Binary Authorization Policy Viewer

roles/binaryauthorization.policyViewer

Viewer of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.get
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.policy.get
resourcemanager.projects.get
resourcemanager.projects.list

CA Service Admin

roles/privateca.admin

Full access to all CA Service resources.

privateca.*
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create

CA Service Auditor

roles/privateca.auditor

Read-only access to all CA Service resources.

privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.certificateAuthorities.get
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateRevocationLists.get
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificates.get
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.locations.*
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.get
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list

CA Service Operation Manager

roles/privateca.caManager

Create and manage CAs, revoke certificates, create certificates templates, and read-only access for CA Service resources.

privateca.caPools.create
privateca.caPools.delete
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.caPools.update
privateca.certificateAuthorities.create
privateca.certificateAuthorities.delete
privateca.certificateAuthorities.get
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateAuthorities.update
privateca.certificateRevocationLists.get
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateRevocationLists.update
privateca.certificateTemplates.create
privateca.certificateTemplates.delete
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificateTemplates.update
privateca.certificates.get
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.certificates.update
privateca.locations.*
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.create
privateca.reusableConfigs.delete
privateca.reusableConfigs.get
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
privateca.reusableConfigs.update
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create

CA Service Certificate Manager

roles/privateca.certificateManager

Create certificates and read-only access for CA Service resources.

privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.certificateAuthorities.get
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateRevocationLists.get
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificates.create
privateca.certificates.get
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.locations.*
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.get
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list

CA Service Certificate Requester

roles/privateca.certificateRequester

Request certificates from CA Service.

privateca.certificates.create

CA Service Certificate Template User

roles/privateca.templateUser

Read, list and use certificate templates.

privateca.certificateTemplates.get
privateca.certificateTemplates.list
privateca.certificateTemplates.use

CA Service Workload Certificate Requester

roles/privateca.workloadCertificateRequester

Request certificates from CA Service with caller's identity.

privateca.certificates.createForSelf

Certificate Manager Editor

roles/certificatemanager.editor

Edit access to Certificate Manager all resources.

certificatemanager.certmapentries.create
certificatemanager.certmapentries.get
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmapentries.update
certificatemanager.certmaps.create
certificatemanager.certmaps.get
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certmaps.update
certificatemanager.certmaps.use
certificatemanager.certs.create
certificatemanager.certs.get
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.certs.update
certificatemanager.certs.use
certificatemanager.dnsauthorizations.create
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.dnsauthorizations.update
certificatemanager.dnsauthorizations.use
certificatemanager.locations.*
certificatemanager.operations.get
certificatemanager.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Certificate Manager Owner

roles/certificatemanager.owner

Full access to Certificate Manager all resources.

certificatemanager.*
resourcemanager.projects.get
resourcemanager.projects.list

Certificate Manager Viewer

roles/certificatemanager.viewer

Read-only access to Certificate Manager all resources.

certificatemanager.certmapentries.get
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmaps.get
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certs.get
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.locations.*
certificatemanager.operations.get
certificatemanager.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Asset Owner

roles/cloudasset.owner

Full access to cloud assets metadata

cloudasset.*
recommender.cloudAssetInsights.*
recommender.locations.*

Cloud Asset Viewer

roles/cloudasset.viewer

Read only access to cloud assets metadata

cloudasset.assets.*
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*

Bigtable Administrator

roles/bigtable.admin

Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators.

bigtable.*
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get

Bigtable Reader

roles/bigtable.reader

Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios.

bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.keyvisualizer.*
bigtable.locations.*
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get

Bigtable User

roles/bigtable.user

Provides read-write access to the data stored within tables. Intended for application developers or service accounts.

bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.keyvisualizer.*
bigtable.locations.*
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.mutateRows
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get

Bigtable Viewer

roles/bigtable.viewer

Provides no data access. Intended as a minimal set of permissions to access the Cloud Console for Bigtable.

bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.locations.*
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get

Cloud Build Approver

roles/cloudbuild.builds.approver

Can approve or reject pending builds.

cloudbuild.builds.approve
cloudbuild.builds.get
cloudbuild.builds.list
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Build Service Account

roles/cloudbuild.builds.builder

Provides access to perform builds.

artifactregistry.aptartifacts.*
artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.yumartifacts.*
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.workerpools.use
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
logging.logEntries.create
logging.logEntries.list
logging.privateLogEntries.*
logging.views.access
pubsub.topics.create
pubsub.topics.publish
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

Cloud Build Editor

roles/cloudbuild.builds.editor

Provides access to create and cancel builds.

cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Build Viewer

roles/cloudbuild.builds.viewer

Provides access to view builds.

cloudbuild.builds.get
cloudbuild.builds.list
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Build Integrations Editor

roles/cloudbuild.integrationsEditor

Can update Integrations

cloudbuild.integrations.get
cloudbuild.integrations.list
cloudbuild.integrations.update
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Build Integrations Owner

roles/cloudbuild.integrationsOwner

Can create/delete Integrations

cloudbuild.integrations.*
compute.firewalls.create
compute.firewalls.get
compute.firewalls.list
compute.networks.get
compute.networks.updatePolicy
compute.regions.get
compute.subnetworks.get
compute.subnetworks.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Build Integrations Viewer

roles/cloudbuild.integrationsViewer

Can view Integrations

cloudbuild.integrations.get
cloudbuild.integrations.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Build WorkerPool Editor

roles/cloudbuild.workerPoolEditor

Can update and view WorkerPools

cloudbuild.workerpools.get
cloudbuild.workerpools.list
cloudbuild.workerpools.update
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Build WorkerPool Owner

roles/cloudbuild.workerPoolOwner

Can create, delete, update, and view WorkerPools

cloudbuild.workerpools.create
cloudbuild.workerpools.delete
cloudbuild.workerpools.get
cloudbuild.workerpools.list
cloudbuild.workerpools.update
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Build WorkerPool User

roles/cloudbuild.workerPoolUser

Can run builds in the WorkerPool

cloudbuild.workerpools.use

Cloud Build WorkerPool Viewer

roles/cloudbuild.workerPoolViewer

Can view WorkerPools

cloudbuild.workerpools.get
cloudbuild.workerpools.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Composer v2 API Service Agent Extension

roles/composer.ServiceAgentV2Ext

Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.

iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.setIamPolicy

Composer Administrator

roles/composer.admin

Provides full control of Cloud Composer resources.

composer.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Environment and Storage Object Administrator

roles/composer.environmentAndStorageObjectAdmin

Provides full control of Cloud Composer resources and of the objects in all project buckets.

composer.*
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.multipartUploads.*
storage.objects.*

Environment User and Storage Object Viewer

roles/composer.environmentAndStorageObjectViewer

Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets.

composer.dags.*
composer.environments.get
composer.environments.list
composer.imageversions.*
composer.operations.get
composer.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.objects.get
storage.objects.list

Composer Shared VPC Agent

roles/composer.sharedVpcAgent

Role that should be assigned to Composer Agent service account in Shared VPC host project

compute.networks.access
compute.networks.addPeering
compute.networks.get
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.removePeering
compute.networks.updatePeering
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zones.*

Composer User

roles/composer.user

Provides the permissions necessary to list and get Cloud Composer environments and operations.

composer.dags.*
composer.environments.get
composer.environments.list
composer.imageversions.*
composer.operations.get
composer.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Composer Worker

roles/composer.worker

Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.

artifactregistry.*
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.workerpools.use
composer.environments.get
container.*
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
logging.logEntries.create
logging.logEntries.list
logging.privateLogEntries.*
logging.views.access
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.*
orgpolicy.policy.get
pubsub.schemas.attach
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.multipartUploads.*
storage.objects.*

Connector Admin

roles/connectors.admin

Full access to all resources of Connectors Service.

connectors.*
resourcemanager.projects.get
resourcemanager.projects.list

Connectors Viewer

roles/connectors.viewer

Read-only access to Connectors all resources.

connectors.connections.get
connectors.connections.getConnectionSchemaMetadata
connectors.connections.getIamPolicy
connectors.connections.getRuntimeActionSchema
connectors.connections.getRuntimeEntitySchema
connectors.connections.list
connectors.connectors.*
connectors.locations.*
connectors.operations.get
connectors.operations.list
connectors.providers.*
connectors.runtimeconfig.*
connectors.versions.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Data Fusion Admin

roles/datafusion.admin

Full access to Cloud Data Fusion Instances, Namespaces and related resources.

datafusion.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Data Fusion Runner

roles/datafusion.runner

Access to Cloud Data Fusion runtime resources.

datafusion.instances.runtime

Cloud Data Fusion Viewer

roles/datafusion.viewer

Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.

datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.runtime
datafusion.locations.*
datafusion.operations.get
datafusion.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Data Labeling Service Admin

roles/datalabeling.admin

Full access to all Data Labeling resources

datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list

Data Labeling Service Editor

roles/datalabeling.editor

Editor of all Data Labeling resources

datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list

Data Labeling Service Viewer

roles/datalabeling.viewer

Viewer of all Data Labeling resources

datalabeling.annotateddatasets.get
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.get
datalabeling.annotationspecsets.list
datalabeling.dataitems.*
datalabeling.datasets.get
datalabeling.datasets.list
datalabeling.examples.*
datalabeling.instructions.get
datalabeling.instructions.list
datalabeling.operations.get
datalabeling.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Dataplex Administrator

roles/dataplex.admin

Full access to all Dataplex resources.

dataplex.assetActions.*
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.setIamPolicy
dataplex.assets.update
dataplex.content.*
dataplex.entities.*
dataplex.environments.*
dataplex.lakeActions.*
dataplex.lakes.*
dataplex.locations.*
dataplex.operations.*
dataplex.partitions.*
dataplex.tasks.*
dataplex.zoneActions.*
dataplex.zones.*
resourcemanager.projects.get
resourcemanager.projects.list

Dataplex Data Owner

roles/dataplex.dataOwner

Owner access to data. To be granted to Dataplex resources Lake, Zone or Asset only.

dataplex.assets.ownData
dataplex.assets.readData
dataplex.assets.writeData

Dataplex Data Reader

roles/dataplex.dataReader

Read only access to data. To be granted to Dataplex resources Lake, Zone or Asset only.

dataplex.assets.readData

Dataplex Data Writer

roles/dataplex.dataWriter

Write access to data. To be granted to Dataplex resources Lake, Zone or Asset only.

dataplex.assets.writeData

Dataplex Developer

roles/dataplex.developer

Allows running data analytics workloads in a lake.

dataplex.content.*
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.list
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.list
dataplex.tasks.update

Dataplex Editor

roles/dataplex.editor

Write access to Dataplex resources.

dataplex.assetActions.*
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.update
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.environments.create
dataplex.environments.delete
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.update
dataplex.lakeActions.*
dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.update
dataplex.operations.*
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.update
dataplex.zoneActions.*
dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.update

Dataplex Metadata Reader

roles/dataplex.metadataReader

Read only access to metadata.

dataplex.assets.get
dataplex.assets.list
dataplex.entities.get
dataplex.entities.list
dataplex.partitions.get
dataplex.partitions.list
dataplex.zones.get
dataplex.zones.list

Dataplex Metadata Writer

roles/dataplex.metadataWriter

Read and write access to metadata.

dataplex.assets.get
dataplex.assets.list
dataplex.entities.*
dataplex.partitions.*
dataplex.zones.get
dataplex.zones.list

Dataplex Storage Data Owner

roles/dataplex.storageDataOwner

Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.

bigquery.datasets.get
bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

Dataplex Storage Data Reader

roles/dataplex.storageDataReader

Read only access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.

bigquery.datasets.get
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
storage.buckets.get
storage.objects.get
storage.objects.list

Dataplex Storage Data Writer

roles/dataplex.storageDataWriter

Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.

bigquery.tables.updateData
storage.objects.create
storage.objects.delete
storage.objects.update

Dataplex Viewer

roles/dataplex.viewer

Read access to Dataplex resources.

dataplex.assetActions.*
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.lakeActions.*
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.operations.get
dataplex.operations.list
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.zoneActions.*
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list

Cloud Debugger Agent

roles/clouddebugger.agent

Provides permissions to register the debug target, read active breakpoints, and report breakpoint results.

clouddebugger.breakpoints.list
clouddebugger.breakpoints.listActive
clouddebugger.breakpoints.update
clouddebugger.debuggees.create

Cloud Debugger User

roles/clouddebugger.user

Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees).

clouddebugger.breakpoints.create
clouddebugger.breakpoints.delete
clouddebugger.breakpoints.get
clouddebugger.breakpoints.list
clouddebugger.debuggees.list

Cloud Deploy Admin

roles/clouddeploy.admin

Full control of Cloud Deploy resources.

clouddeploy.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Deploy Approver

roles/clouddeploy.approver

Permission to approve or reject rollouts.

clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.rollouts.approve
clouddeploy.rollouts.get
clouddeploy.rollouts.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Deploy Developer

roles/clouddeploy.developer

Permission to manage deployment configuration without permission to access operational resources, such as targets.

clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.update
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.*
clouddeploy.rollouts.get
clouddeploy.rollouts.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Deploy Runner

roles/clouddeploy.jobRunner

Permission to execute Cloud Deploy work without permission to deliver to a target.

logging.logEntries.create
storage.objects.create
storage.objects.get
storage.objects.list

Cloud Deploy Operator

roles/clouddeploy.operator

Permission to manage deployment configuration.

clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.update
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.*
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.create
clouddeploy.targets.get
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
clouddeploy.targets.update
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Deploy Releaser

roles/clouddeploy.releaser

Permission to create Cloud Deploy releases and rollouts.

clouddeploy.deliveryPipelines.get
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.create
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.get
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Deploy Viewer

roles/clouddeploy.viewer

Can view Cloud Deploy resources.

clouddeploy.config.*
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.locations.*
clouddeploy.operations.get
clouddeploy.operations.list
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.get
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
resourcemanager.projects.get
resourcemanager.projects.list

DLP Administrator

roles/dlp.admin

Administer DLP including jobs and templates.

dlp.*
serviceusage.services.use

DLP Analyze Risk Templates Editor

roles/dlp.analyzeRiskTemplatesEditor

Edit DLP analyze risk templates.

dlp.analyzeRiskTemplates.*

DLP Analyze Risk Templates Reader

roles/dlp.analyzeRiskTemplatesReader

Read DLP analyze risk templates.

dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list

DLP Column Data Profiles Reader

roles/dlp.columnDataProfilesReader

Read DLP column profiles.

dlp.columnDataProfiles.*

DLP Data Profiles Reader

roles/dlp.dataProfilesReader

Read DLP profiles.

dlp.columnDataProfiles.*
dlp.projectDataProfiles.*
dlp.tableDataProfiles.*

DLP De-identify Templates Editor

roles/dlp.deidentifyTemplatesEditor

Edit DLP de-identify templates.

dlp.deidentifyTemplates.*

DLP De-identify Templates Reader

roles/dlp.deidentifyTemplatesReader

Read DLP de-identify templates.

dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list

DLP Cost Estimation

roles/dlp.estimatesAdmin

Manage DLP Cost Estimates.

dlp.estimates.*

DLP Inspect Findings Reader

roles/dlp.inspectFindingsReader

Read DLP stored findings.

dlp.inspectFindings.*

DLP Inspect Templates Editor

roles/dlp.inspectTemplatesEditor

Edit DLP inspect templates.

dlp.inspectTemplates.*

DLP Inspect Templates Reader

roles/dlp.inspectTemplatesReader

Read DLP inspect templates.

dlp.inspectTemplates.get
dlp.inspectTemplates.list

DLP Job Triggers Editor

roles/dlp.jobTriggersEditor

Edit job triggers configurations.

dlp.jobTriggers.*

DLP Job Triggers Reader

roles/dlp.jobTriggersReader

Read job triggers.

dlp.jobTriggers.get
dlp.jobTriggers.list

DLP Jobs Editor

roles/dlp.jobsEditor

Edit and create jobs

dlp.jobs.*
dlp.kms.*

DLP Jobs Reader

roles/dlp.jobsReader

Read jobs

dlp.jobs.get
dlp.jobs.list

DLP Organization Data Profiles Driver

roles/dlp.orgdriver

Permissions needed by the DLP service account to generate data profiles within an organization or folder.

bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.config.get
bigquery.connections.updateTag
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.routines.*
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
bigquery.transfers.get
bigquerymigration.translation.*
cloudasset.assets.*
datacatalog.categories.fineGrainedGet
datacatalog.entries.updateTag
datacatalog.tagTemplates.create
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
datacatalog.tagTemplates.use
dlp.*
pubsub.topics.updateTag
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use

DLP Project Data Profiles Reader

roles/dlp.projectDataProfilesReader

Read DLP project profiles.

dlp.projectDataProfiles.*

DLP Project Data Profiles Driver

roles/dlp.projectdriver

Permissions needed by the DLP service account to generate data profiles within a project.

bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.config.get
bigquery.connections.updateTag
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.routines.*
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
bigquery.transfers.get
bigquerymigration.translation.*
cloudasset.assets.*
datacatalog.categories.fineGrainedGet
datacatalog.entries.updateTag
datacatalog.tagTemplates.create
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
datacatalog.tagTemplates.use
dlp.*
pubsub.topics.updateTag
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use

DLP Reader

roles/dlp.reader

Read DLP entities, such as jobs and templates.

dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectFindings.*
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.jobTriggers.get
dlp.jobTriggers.list
dlp.jobs.get
dlp.jobs.list
dlp.locations.*
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list

DLP Stored InfoTypes Editor

roles/dlp.storedInfoTypesEditor

Edit DLP stored info types.

dlp.storedInfoTypes.*

DLP Stored InfoTypes Reader

roles/dlp.storedInfoTypesReader

Read DLP stored info types.

dlp.storedInfoTypes.get
dlp.storedInfoTypes.list

DLP Table Data Profiles Reader

roles/dlp.tableDataProfilesReader

Read DLP table profiles.

dlp.tableDataProfiles.*

DLP User

roles/dlp.user

Inspect, Redact, and De-identify Content

dlp.kms.*
dlp.locations.*
serviceusage.services.use

Cloud Domains Admin

roles/domains.admin

Full access to Cloud Domains Registrations and related resources.

domains.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Domains Viewer

roles/domains.viewer

Read-only access to Cloud Domains Registrations and related resources.

domains.locations.*
domains.operations.get
domains.operations.list
domains.registrations.get
domains.registrations.getIamPolicy
domains.registrations.list
domains.registrations.listTagBindings
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Filestore Editor

roles/file.editor

Read-write access to Filestore instances and related resources.

file.*

Cloud Filestore Viewer

roles/file.viewer

Read-only access to Filestore instances and related resources.

file.backups.get
file.backups.list
file.backups.listTagBindings
file.instances.get
file.instances.list
file.instances.listTagBindings
file.locations.*
file.operations.get
file.operations.list
file.snapshots.listTagBindings

Cloud Functions Admin

roles/cloudfunctions.admin

Full access to functions, operations and locations.

cloudbuild.builds.get
cloudbuild.builds.list
cloudfunctions.*
eventarc.*
recommender.locations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Cloud Functions Developer

roles/cloudfunctions.developer

Read and write access to all functions-related resources.

cloudbuild.builds.get
cloudbuild.builds.list
cloudfunctions.functions.call
cloudfunctions.functions.create
cloudfunctions.functions.delete
cloudfunctions.functions.get
cloudfunctions.functions.invoke
cloudfunctions.functions.list
cloudfunctions.functions.sourceCodeGet
cloudfunctions.functions.sourceCodeSet
cloudfunctions.functions.update
cloudfunctions.locations.*
cloudfunctions.operations.*
cloudfunctions.runtimes.*
eventarc.locations.*
eventarc.operations.*
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.undelete
eventarc.triggers.update
recommender.locations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.locations.*
run.revisions.*
run.routes.*
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.update
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Cloud Functions Invoker

roles/cloudfunctions.invoker

Ability to invoke HTTP functions with restricted access.

cloudfunctions.functions.invoke

Cloud Functions Viewer

roles/cloudfunctions.viewer

Read-only access to functions and locations.

cloudbuild.builds.get
cloudbuild.builds.list
cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.*
cloudfunctions.runtimes.*
eventarc.locations.*
eventarc.operations.get
eventarc.operations.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
recommender.locations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.locations.*
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Game Services API Admin

roles/gameservices.admin

Full access to Game Services API and related resources.

gameservices.*
resourcemanager.projects.get
resourcemanager.projects.list

Game Services API Viewer

roles/gameservices.viewer

Read-only access to Game Services API and related resources.

gameservices.gameServerClusters.get
gameservices.gameServerClusters.list
gameservices.gameServerConfigs.get
gameservices.gameServerConfigs.list
gameservices.gameServerDeployments.get
gameservices.gameServerDeployments.list
gameservices.locations.*
gameservices.operations.get
gameservices.operations.list
gameservices.realms.get
gameservices.realms.list
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare Annotation Editor

roles/healthcare.annotationEditor

Create, delete, update, read and list annotations.

healthcare.annotationStores.get
healthcare.annotationStores.list
healthcare.annotations.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare Annotation Reader

roles/healthcare.annotationReader

Read and list annotations in an Annotation store.

healthcare.annotationStores.get
healthcare.annotationStores.list
healthcare.annotations.get
healthcare.annotations.list
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare Annotation Administrator

roles/healthcare.annotationStoreAdmin

Administer Annotation stores.

healthcare.annotationStores.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare Annotation Store Viewer

roles/healthcare.annotationStoreViewer

List Annotation Stores in a dataset.

healthcare.annotationStores.get
healthcare.annotationStores.list
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare Attribute Definition Editor

roles/healthcare.attributeDefinitionEditor

Edit AttributeDefinition objects.

healthcare.attributeDefinitions.*
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare Attribute Definition Reader

roles/healthcare.attributeDefinitionReader

Read AttributeDefinition objects in a consent store.

healthcare.attributeDefinitions.get
healthcare.attributeDefinitions.list
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare Consent Artifact Administrator

roles/healthcare.consentArtifactAdmin

Administer ConsentArtifact objects.

healthcare.consentArtifacts.*
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare Consent Artifact Editor

roles/healthcare.consentArtifactEditor

Edit ConsentArtifact objects.

healthcare.consentArtifacts.create
healthcare.consentArtifacts.get
healthcare.consentArtifacts.list
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare Consent Artifact Reader

roles/healthcare.consentArtifactReader

Read ConsentArtifact objects in a consent store.

healthcare.consentArtifacts.get
healthcare.consentArtifacts.list
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare Consent Editor

roles/healthcare.consentEditor

Edit Consent objects.

healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.consents.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare Consent Reader

roles/healthcare.consentReader

Read Consent objects in a consent store.

healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.consents.get
healthcare.consents.list
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare Consent Store Administrator

roles/healthcare.consentStoreAdmin

Administer Consent stores.

healthcare.consentStores.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare Consent Store Viewer

roles/healthcare.consentStoreViewer

List Consent Stores in a dataset.

healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare Dataset Administrator

roles/healthcare.datasetAdmin

Administer Healthcare Datasets.

healthcare.datasets.*
healthcare.locations.*
healthcare.operations.*
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare Dataset Viewer

roles/healthcare.datasetViewer

List the Healthcare Datasets in a project.

healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare DICOM Editor

roles/healthcare.dicomEditor

Edit DICOM images individually and in bulk.

healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.dicomWebDelete
healthcare.dicomStores.dicomWebRead
healthcare.dicomStores.dicomWebWrite
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.import
healthcare.dicomStores.list
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare DICOM Store Administrator

roles/healthcare.dicomStoreAdmin

Administer DICOM stores.

healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.create
healthcare.dicomStores.deidentify
healthcare.dicomStores.delete
healthcare.dicomStores.dicomWebDelete
healthcare.dicomStores.get
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.dicomStores.setIamPolicy
healthcare.dicomStores.update
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare DICOM Store Viewer

roles/healthcare.dicomStoreViewer

List DICOM Stores in a dataset.

healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare DICOM Viewer

roles/healthcare.dicomViewer

Retrieve DICOM images from a DICOM store.

healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.dicomWebRead
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare FHIR Resource Editor

roles/healthcare.fhirResourceEditor

Create, delete, update, read and search FHIR resources.

healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.create
healthcare.fhirResources.delete
healthcare.fhirResources.get
healthcare.fhirResources.patch
healthcare.fhirResources.translateConceptMap
healthcare.fhirResources.update
healthcare.fhirStores.executeBundle
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.fhirStores.searchResources
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare FHIR Resource Reader

roles/healthcare.fhirResourceReader

Read and search FHIR resources.

healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.get
healthcare.fhirResources.translateConceptMap
healthcare.fhirStores.executeBundle
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.fhirStores.searchResources
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare FHIR Store Administrator

roles/healthcare.fhirStoreAdmin

Administer FHIR resource stores.

healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.purge
healthcare.fhirStores.configureSearch
healthcare.fhirStores.create
healthcare.fhirStores.deidentify
healthcare.fhirStores.delete
healthcare.fhirStores.export
healthcare.fhirStores.get
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.import
healthcare.fhirStores.list
healthcare.fhirStores.setIamPolicy
healthcare.fhirStores.update
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare FHIR Store Viewer

roles/healthcare.fhirStoreViewer

List FHIR Stores in a dataset.

healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare HL7v2 Message Consumer

roles/healthcare.hl7V2Consumer

List and read HL7v2 messages, update message labels, and publish new messages.

healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.create
healthcare.hl7V2Messages.get
healthcare.hl7V2Messages.list
healthcare.hl7V2Messages.update
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare HL7v2 Message Editor

roles/healthcare.hl7V2Editor

Read, write, and delete access to HL7v2 messages.

healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.*
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare HL7v2 Message Ingest

roles/healthcare.hl7V2Ingest

Ingest HL7v2 messages received from a source network.

healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.ingest
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare HL7v2 Store Administrator

roles/healthcare.hl7V2StoreAdmin

Administer HL7v2 Stores.

healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.*
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare HL7v2 Store Viewer

roles/healthcare.hl7V2StoreViewer

View HL7v2 Stores in a dataset.

healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare NLP Service Viewer

roles/healthcare.nlpServiceViewer

Extract and analyze medical entities from a given text.

healthcare.locations.*
healthcare.nlpservice.*
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare User Data Mapping Editor

roles/healthcare.userDataMappingEditor

Edit UserDataMapping objects.

healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
healthcare.userDataMappings.*
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare User Data Mapping Reader

roles/healthcare.userDataMappingReader

Read UserDataMapping objects in a consent store.

healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
healthcare.userDataMappings.get
healthcare.userDataMappings.list
resourcemanager.projects.get
resourcemanager.projects.list

IAP Policy Admin

roles/iap.admin

Provides full access to Identity-Aware Proxy resources.

iap.tunnel.*
iap.tunnelInstances.getIamPolicy
iap.tunnelInstances.setIamPolicy
iap.tunnelZones.*
iap.web.getIamPolicy
iap.web.setIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServiceVersions.setIamPolicy
iap.webServices.getIamPolicy
iap.webServices.setIamPolicy
iap.webTypes.getIamPolicy
iap.webTypes.setIamPolicy

IAP-secured Web App User

roles/iap.httpsResourceAccessor

Provides permission to access HTTPS resources which use Identity-Aware Proxy.

iap.webServiceVersions.accessViaIAP

IAP Settings Admin

roles/iap.settingsAdmin

Administrator of IAP Settings.

iap.projects.*
iap.web.getSettings
iap.web.updateSettings
iap.webServiceVersions.getSettings
iap.webServiceVersions.updateSettings
iap.webServices.getSettings
iap.webServices.updateSettings
iap.webTypes.getSettings
iap.webTypes.updateSettings

IAP-secured Tunnel User

roles/iap.tunnelResourceAccessor

Access Tunnel resources which use Identity-Aware Proxy

iap.tunnelInstances.accessViaIAP

Cloud IDS Admin

roles/ids.admin

Full access to Cloud IDS all resources.

ids.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud IDS Viewer

roles/ids.viewer

Read-only access to Cloud IDS all resources.

ids.endpoints.get
ids.endpoints.getIamPolicy
ids.endpoints.list
ids.locations.*
ids.operations.get
ids.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud IoT Admin

roles/cloudiot.admin

Full control of all Cloud IoT resources and permissions.

cloudiot.*
cloudiottoken.*

Cloud IoT Device Controller

roles/cloudiot.deviceController

Access to update the device configuration, but not to create or delete devices.

cloudiot.devices.get
cloudiot.devices.list
cloudiot.devices.sendCommand
cloudiot.devices.updateConfig
cloudiot.registries.get
cloudiot.registries.list
cloudiottoken.tokensettings.get

Cloud IoT Editor

roles/cloudiot.editor

Read-write access to all Cloud IoT resources.

cloudiot.devices.*
cloudiot.registries.create
cloudiot.registries.delete
cloudiot.registries.get
cloudiot.registries.list
cloudiot.registries.update
cloudiottoken.*

Cloud IoT Provisioner

roles/cloudiot.provisioner

Access to create and delete devices from registries, but not to modify the registries, and enable devices to publish to topics associated with IoT registry.

cloudiot.devices.*
cloudiot.registries.get
cloudiot.registries.list
cloudiottoken.tokensettings.get

Cloud IoT Viewer

roles/cloudiot.viewer

Read-only access to all Cloud IoT resources.

cloudiot.devices.get
cloudiot.devices.list
cloudiot.registries.get
cloudiot.registries.list
cloudiottoken.tokensettings.get

Cloud KMS Admin

roles/cloudkms.admin

Provides full access to Cloud KMS resources, except encrypt and decrypt operations.

cloudkms.cryptoKeyVersions.create
cloudkms.cryptoKeyVersions.destroy
cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeyVersions.restore
cloudkms.cryptoKeyVersions.update
cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
cloudkms.cryptoKeyVersions.useToEncryptViaDelegation
cloudkms.cryptoKeys.*
cloudkms.ekmConnections.*
cloudkms.importJobs.*
cloudkms.keyRings.*
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get

Cloud KMS CryptoKey Decrypter

roles/cloudkms.cryptoKeyDecrypter

Provides ability to use Cloud KMS resources for decrypt operations only.

cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get

Cloud KMS CryptoKey Decrypter Via Delegation

roles/cloudkms.cryptoKeyDecrypterViaDelegation

Enables Decrypt operations via other GCP services

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud KMS CryptoKey Encrypter

roles/cloudkms.cryptoKeyEncrypter

Provides ability to use Cloud KMS resources for encrypt operations only.

cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get

Cloud KMS CryptoKey Encrypter/Decrypter

roles/cloudkms.cryptoKeyEncrypterDecrypter

Provides ability to use Cloud KMS resources for encrypt and decrypt operations only.

cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get

Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation

roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation

Enables Encrypt and Decrypt operations via other GCP services

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
cloudkms.cryptoKeyVersions.useToEncryptViaDelegation
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud KMS CryptoKey Encrypter Via Delegation

roles/cloudkms.cryptoKeyEncrypterViaDelegation

Enables Encrypt operations via other GCP services

cloudkms.cryptoKeyVersions.useToEncryptViaDelegation
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud KMS Crypto Operator

roles/cloudkms.cryptoOperator

Enables all Crypto Operations.

cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.cryptoKeyVersions.useToSign
cloudkms.cryptoKeyVersions.useToVerify
cloudkms.cryptoKeyVersions.viewPublicKey
cloudkms.locations.*
resourcemanager.projects.get

Cloud KMS Expert Raw PKCS#1 Key Manager

roles/cloudkms.expertRawPKCS1

Enables raw PKCS#1 keys management.

cloudkms.cryptoKeyVersions.manageRawPKCS1Keys
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud KMS Importer

roles/cloudkms.importer

Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations

cloudkms.importJobs.create
cloudkms.importJobs.get
cloudkms.importJobs.list
cloudkms.importJobs.useToImport
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get

Cloud KMS CryptoKey Public Key Viewer

roles/cloudkms.publicKeyViewer

Enables GetPublicKey operations

cloudkms.cryptoKeyVersions.viewPublicKey
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get

Cloud KMS CryptoKey Signer

roles/cloudkms.signer

Enables Sign operations

cloudkms.cryptoKeyVersions.useToSign
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get

Cloud KMS CryptoKey Signer/Verifier

roles/cloudkms.signerVerifier

Enables Sign, Verify, and GetPublicKey operations

cloudkms.cryptoKeyVersions.useToSign
cloudkms.cryptoKeyVersions.useToVerify
cloudkms.cryptoKeyVersions.viewPublicKey
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get

Cloud KMS CryptoKey Verifier

roles/cloudkms.verifier

Enables Verify and GetPublicKey operations

cloudkms.cryptoKeyVersions.useToVerify
cloudkms.cryptoKeyVersions.viewPublicKey
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get

Cloud KMS Viewer

roles/cloudkms.viewer

Enables Get and List operations.

cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeys.get
cloudkms.cryptoKeys.list
cloudkms.ekmConnections.get
cloudkms.ekmConnections.list
cloudkms.importJobs.get
cloudkms.importJobs.list
cloudkms.keyRings.get
cloudkms.keyRings.list
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get

Cloud Life Sciences Admin

roles/lifesciences.admin

Full control of Cloud Life Sciences resources.

lifesciences.*

Cloud Life Sciences Editor

roles/lifesciences.editor

Access to read and edit Cloud Life Sciences resources.

lifesciences.*

Cloud Life Sciences Viewer

roles/lifesciences.viewer

Access to read Cloud Life Sciences resources.

lifesciences.operations.get
lifesciences.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Life Sciences Workflows Runner

roles/lifesciences.workflowsRunner

Full access to operate on Cloud Life Sciences workflows.

lifesciences.*

Google Cloud Managed Identities Admin

roles/managedidentities.admin

Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level.

managedidentities.*
resourcemanager.projects.get
resourcemanager.projects.list

Google Cloud Managed Identities Backup Admin

roles/managedidentities.backupAdmin

Full access to Google Cloud Managed Identities Backup and related resources. Intended to be granted on a project-level

managedidentities.backups.*
managedidentities.domains.get
managedidentities.locations.*
managedidentities.operations.*
resourcemanager.projects.get
resourcemanager.projects.list

Google Cloud Managed Identities Backup Viewer

roles/managedidentities.backupViewer

Read-only access to Google Cloud Managed Identities Backup and related resources.

managedidentities.backups.get
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.domains.get
managedidentities.locations.*
managedidentities.operations.get
managedidentities.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Google Cloud Managed Identities Domain Admin

roles/managedidentities.domainAdmin

Read-Update-Delete to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level.

managedidentities.backups.*
managedidentities.domains.attachTrust
managedidentities.domains.createTagBinding
managedidentities.domains.delete
managedidentities.domains.deleteTagBinding
managedidentities.domains.detachTrust
managedidentities.domains.get
managedidentities.domains.getIamPolicy
managedidentities.domains.listTagBindings
managedidentities.domains.reconfigureTrust
managedidentities.domains.resetpassword
managedidentities.domains.restore
managedidentities.domains.update
managedidentities.domains.updateLDAPSSettings
managedidentities.domains.validateTrust
managedidentities.locations.*
managedidentities.operations.get
managedidentities.operations.list
managedidentities.sqlintegrations.*
resourcemanager.projects.get
resourcemanager.projects.list

Google Cloud Managed Identities Domain Controller Operator

roles/managedidentities.domaincontrollerOperator

Operator access for Managed AD Domain Controllers

pubsub.schemas.attach
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.objects.get
storage.objects.list

Google Cloud Managed Identities Peering Admin

roles/managedidentities.peeringAdmin

Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level

managedidentities.locations.*
managedidentities.operations.*
managedidentities.peerings.*
resourcemanager.projects.get
resourcemanager.projects.list

Google Cloud Managed Identities Peering Viewer

roles/managedidentities.peeringViewer

Read-only access to Google Cloud Managed Identities Peering and related resources.

managedidentities.locations.*
managedidentities.operations.get
managedidentities.operations.list
managedidentities.peerings.get
managedidentities.peerings.getIamPolicy
managedidentities.peerings.list
resourcemanager.projects.get
resourcemanager.projects.list

Google Cloud Managed Identities Viewer

roles/managedidentities.viewer

Read-only access to Google Cloud Managed Identities Domains and related resources.

managedidentities.backups.get
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.domains.get
managedidentities.domains.getIamPolicy
managedidentities.domains.list
managedidentities.domains.listTagBindings
managedidentities.locations.*
managedidentities.operations.get
managedidentities.operations.list
managedidentities.peerings.get
managedidentities.peerings.getIamPolicy
managedidentities.peerings.list
managedidentities.sqlintegrations.*
resourcemanager.projects.get
resourcemanager.projects.list

Commerce Offer Catalog Offers Viewer

roles/commerceoffercatalog.offersViewer

Allows viewing offers

commerceoffercatalog.*

Commerce Price Management Private Offers Admin

roles/commercepricemanagement.privateOffersAdmin

Allows managing private offers

commerceprice.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list

Commerce Price Management Viewer

roles/commercepricemanagement.viewer

Allows viewing offers, free trials, skus

commerceprice.privateoffers.get
commerceprice.privateoffers.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list

Consumer Procurement Entitlement Manager

roles/consumerprocurement.entitlementManager

Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project.

consumerprocurement.entitlements.*
consumerprocurement.freeTrials.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list

Consumer Procurement Entitlement Viewer

roles/consumerprocurement.entitlementViewer

Allows inspecting entitlements and service states for a consumer project.

consumerprocurement.entitlements.*
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list

Consumer Procurement Order Administrator

roles/consumerprocurement.orderAdmin

Allows managing purchases.

commerceoffercatalog.*
consumerprocurement.accounts.*
consumerprocurement.orderAttributions.*
consumerprocurement.orders.*

Consumer Procurement Order Viewer

roles/consumerprocurement.orderViewer

Allows inspecting purchases.

commerceoffercatalog.*
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list

Velostrata Manager

roles/cloudmigration.inframanager

Ability to create and manage Compute VMs to run Velostrata Infrastructure

cloudmigration.*
compute.addresses.*
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.globalOperations.get
compute.images.get
compute.images.list
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.reset
compute.instances.setDiskAutoDelete
compute.instances.setLabels
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setScheduling
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.update
compute.instances.updateNetworkInterface
compute.instances.updateShieldedInstanceConfig
compute.instances.use
compute.licenseCodes.get
compute.licenseCodes.list
compute.licenseCodes.update
compute.licenseCodes.use
compute.licenses.get
compute.licenses.list
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.nodeGroups.get
compute.nodeGroups.list
compute.nodeTemplates.list
compute.projects.get
compute.regionOperations.get
compute.regions.*
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zones.*
gkehub.endpoints.*
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update

Velostrata Storage Access

roles/cloudmigration.storageaccess

Ability to access migration storage

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

Velostrata Manager Connection Agent

roles/cloudmigration.velostrataconnect

Ability to set up connection between Velostrata Manager and Google

cloudmigration.*
gkehub.endpoints.*

VM Migration Administrator

roles/vmmigration.admin

Ability to view and edit all VM Migration objects

vmmigration.*

VM Migration Viewer

roles/vmmigration.viewer

Ability to view all VM Migration objects

vmmigration.cloneJobs.get
vmmigration.cloneJobs.list
vmmigration.cutoverJobs.get
vmmigration.cutoverJobs.list
vmmigration.datacenterConnectors.get
vmmigration.datacenterConnectors.list
vmmigration.deployments.get
vmmigration.deployments.list
vmmigration.groups.get
vmmigration.groups.list
vmmigration.locations.*
vmmigration.migratingVms.get
vmmigration.migratingVms.list
vmmigration.operations.get
vmmigration.operations.list
vmmigration.sources.get
vmmigration.sources.list
vmmigration.targets.get
vmmigration.targets.list
vmmigration.utilizationReports.get
vmmigration.utilizationReports.list

Catalog Consumer

roles/cloudprivatecatalog.consumer

Can browse catalogs in the target resource context.

cloudprivatecatalog.*
resourcemanager.projects.get
resourcemanager.projects.list

Catalog Admin

roles/cloudprivatecatalogproducer.admin

Can manage catalog and view its associations.

cloudprivatecatalog.*
cloudprivatecatalogproducer.associations.*
cloudprivatecatalogproducer.catalogAssociations.*
cloudprivatecatalogproducer.catalogs.*
cloudprivatecatalogproducer.producerCatalogs.*
cloudprivatecatalogproducer.products.*
cloudprivatecatalogproducer.targets.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

Catalog Manager

roles/cloudprivatecatalogproducer.manager

Can manage associations between a catalog and a target resource.

cloudprivatecatalog.*
cloudprivatecatalogproducer.associations.*
cloudprivatecatalogproducer.catalogAssociations.*
cloudprivatecatalogproducer.catalogs.get
cloudprivatecatalogproducer.catalogs.list
cloudprivatecatalogproducer.producerCatalogs.get
cloudprivatecatalogproducer.producerCatalogs.list
cloudprivatecatalogproducer.targets.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

Catalog Org Admin

roles/cloudprivatecatalogproducer.orgAdmin

Can manage catalog org settings.

cloudprivatecatalog.*
cloudprivatecatalogproducer.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Profiler Agent

roles/cloudprofiler.agent

Cloud Profiler agents are allowed to register and provide the profiling data.

cloudprofiler.profiles.create
cloudprofiler.profiles.update

Cloud Profiler User

roles/cloudprofiler.user

Cloud Profiler users are allowed to query and view the profiling data.

cloudprofiler.profiles.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Cloud Run Admin

roles/run.admin

Full control over all Cloud Run resources.

recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
run.*

Cloud Run Developer

roles/run.developer

Read and write access to all Cloud Run resources.

recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.locations.*
run.revisions.*
run.routes.*
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.update

Cloud Run Invoker

roles/run.invoker

Can invoke a Cloud Run service.

run.routes.invoke

Cloud Run Viewer

roles/run.viewer

Can view the state of all Cloud Run resources, including IAM policies.

recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.locations.*
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings

Cloud Scheduler Admin

roles/cloudscheduler.admin

Full access to jobs and executions. Note that a Cloud Scheduler Admin (or any custom role with the permission cloudscheduler.jobs.create) can create jobs that publish to any Pub/Sub topics within the project.

appengine.applications.get
cloudscheduler.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list

Cloud Scheduler Job Runner

roles/cloudscheduler.jobRunner

Access to run jobs.

appengine.applications.get
cloudscheduler.jobs.fullView
cloudscheduler.jobs.run
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list

Cloud Scheduler Viewer

roles/cloudscheduler.viewer

Get and list access to jobs, executions, and locations.

appengine.applications.get
cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.list
cloudscheduler.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list

Web Security Scanner Editor

roles/cloudsecurityscanner.editor

Full access to all Web Security Scanner resources

appengine.applications.get
cloudsecurityscanner.*
compute.addresses.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Web Security Scanner Runner

roles/cloudsecurityscanner.runner

Read access to Scan and ScanRun, plus the ability to start scans

cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run

Web Security Scanner Viewer

roles/cloudsecurityscanner.viewer

Read access to all Web Security Scanner resources

cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.results.*
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Service Broker Admin

roles/servicebroker.admin

Full access to ServiceBroker resources.

servicebroker.*

Service Broker Operator

roles/servicebroker.operator

Operational access to the ServiceBroker resources.

servicebroker.bindingoperations.*
servicebroker.bindings.create
servicebroker.bindings.delete
servicebroker.bindings.get
servicebroker.bindings.list
servicebroker.catalogs.create
servicebroker.catalogs.delete
servicebroker.catalogs.get
servicebroker.catalogs.list
servicebroker.instanceoperations.*
servicebroker.instances.create
servicebroker.instances.delete
servicebroker.instances.get
servicebroker.instances.list
servicebroker.instances.update

Cloud Spanner Admin

roles/spanner.admin

Has complete access to all Cloud Spanner resources in a Google Cloud project. A principal with this role can: Grant and revoke permissions to other principals for all Cloud Spanner resources in the project. Allocate and delete chargeable Cloud Spanner resources. Issue get/list/modify operations on Cloud Spanner resources. Read from and write to all Cloud Spanner databases in the project. Fetch project metadata.

monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.*

Cloud Spanner Backup Admin

roles/spanner.backupAdmin

A principal with this role can: Create, view, update, and delete backups. View and manage a backup's IAM policy. This role cannot restore a database from a backup.

monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.backupOperations.*
spanner.backups.create
spanner.backups.delete
spanner.backups.get
spanner.backups.getIamPolicy
spanner.backups.list
spanner.backups.setIamPolicy
spanner.backups.update
spanner.databases.createBackup
spanner.databases.get
spanner.databases.list
spanner.instances.get
spanner.instances.list

Cloud Spanner Backup Writer

roles/spanner.backupWriter

This role is intended to be used by scripts that automate backup creation. A principal with this role can create backups, but cannot update or delete them.

spanner.backupOperations.get
spanner.backupOperations.list
spanner.backups.create
spanner.backups.get
spanner.backups.list
spanner.databases.createBackup
spanner.databases.get
spanner.databases.list
spanner.instances.get

Cloud Spanner Database Admin

roles/spanner.databaseAdmin

A principal with this role can: Get/list all Cloud Spanner instances in the project. Create/list/drop databases in an instance. Grant/revoke access to databases in the project. Read from and write to all Cloud Spanner databases in the project.

monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databaseOperations.*
spanner.databases.beginOrRollbackReadWriteTransaction
spanner.databases.beginPartitionedDmlTransaction
spanner.databases.beginReadOnlyTransaction
spanner.databases.create
spanner.databases.drop
spanner.databases.get
spanner.databases.getDdl
spanner.databases.getIamPolicy
spanner.databases.list
spanner.databases.partitionQuery
spanner.databases.partitionRead
spanner.databases.read
spanner.databases.select
spanner.databases.setIamPolicy
spanner.databases.update
spanner.databases.updateDdl
spanner.databases.write
spanner.instances.get
spanner.instances.getIamPolicy
spanner.instances.list
spanner.sessions.*

Cloud Spanner Database Reader

roles/spanner.databaseReader

A principal with this role can: Read from the Cloud Spanner database. Execute SQL queries on the database. View schema for the database.

spanner.databases.beginReadOnlyTransaction
spanner.databases.getDdl
spanner.databases.partitionQuery
spanner.databases.partitionRead
spanner.databases.read
spanner.databases.select
spanner.instances.get
spanner.sessions.*

Cloud Spanner Database User

roles/spanner.databaseUser

A principal with this role can: Read from and write to the Cloud Spanner database. Execute SQL queries on the database, including DML and Partitioned DML. View and update schema for the database.

spanner.databaseOperations.*
spanner.databases.beginOrRollbackReadWriteTransaction
spanner.databases.beginPartitionedDmlTransaction
spanner.databases.beginReadOnlyTransaction
spanner.databases.getDdl
spanner.databases.partitionQuery
spanner.databases.partitionRead
spanner.databases.read
spanner.databases.select
spanner.databases.updateDdl
spanner.databases.write
spanner.instances.get
spanner.sessions.*

Cloud Spanner Restore Admin

roles/spanner.restoreAdmin

A principal with this role can restore databases from backups. If you need to restore a backup to a different instance, apply this role at the project level or to both instances. This role cannot create backups.

monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.backups.get
spanner.backups.list
spanner.backups.restoreDatabase
spanner.databaseOperations.cancel
spanner.databaseOperations.get
spanner.databaseOperations.list
spanner.databases.create
spanner.databases.get
spanner.databases.list
spanner.instances.get
spanner.instances.list

Cloud Spanner Viewer

roles/spanner.viewer

A principal with this role can: View all Cloud Spanner instances (but cannot modify instances). View all Cloud Spanner databases (but cannot modify or read from databases). For example, you can combine this role with the roles/spanner.databaseUser role to grant a user with access to a specific database, but only view access to other instances and databases. This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud Console.

monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databases.list
spanner.instanceConfigs.*
spanner.instances.get
spanner.instances.list

Cloud SQL Admin

roles/cloudsql.admin

Provides full control of Cloud SQL resources.

cloudsql.*
recommender.cloudsqlIdleInstanceRecommendations.*
recommender.cloudsqlInstanceActivityInsights.*
recommender.cloudsqlInstanceCpuUsageInsights.*
recommender.cloudsqlInstanceDiskUsageTrendInsights.*
recommender.cloudsqlInstanceMemoryUsageInsights.*
recommender.cloudsqlInstanceOutOfDiskRecommendations.*
recommender.cloudsqlOverprovisionedInstanceRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Cloud SQL Client

roles/cloudsql.client

Provides connectivity access to Cloud SQL instances.

cloudsql.instances.connect
cloudsql.instances.get

Cloud SQL Editor

roles/cloudsql.editor

Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources.

cloudsql.backupRuns.create
cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.create
cloudsql.databases.get
cloudsql.databases.list
cloudsql.databases.update
cloudsql.instances.addServerCa
cloudsql.instances.connect
cloudsql.instances.export
cloudsql.instances.failover
cloudsql.instances.get
cloudsql.instances.list
cloudsql.instances.listServerCas
cloudsql.instances.listTagBindings
cloudsql.instances.restart
cloudsql.instances.rotateServerCa
cloudsql.instances.truncateLog
cloudsql.instances.update
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.list
recommender.cloudsqlIdleInstanceRecommendations.*
recommender.cloudsqlInstanceActivityInsights.*
recommender.cloudsqlInstanceCpuUsageInsights.*
recommender.cloudsqlInstanceDiskUsageTrendInsights.*
recommender.cloudsqlInstanceMemoryUsageInsights.*
recommender.cloudsqlInstanceOutOfDiskRecommendations.*
recommender.cloudsqlOverprovisionedInstanceRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Cloud SQL Instance User

roles/cloudsql.instanceUser

Role allowing access to a Cloud SQL instance

cloudsql.instances.get
cloudsql.instances.login

Cloud SQL Viewer

roles/cloudsql.viewer

Provides read-only access to Cloud SQL resources.

cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.get
cloudsql.databases.list
cloudsql.instances.export
cloudsql.instances.get
cloudsql.instances.list
cloudsql.instances.listServerCas
cloudsql.instances.listTagBindings
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.list
recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlInstanceActivityInsights.get
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.get
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.get
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.get
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.get
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Storage Admin

roles/storage.admin

Grants full control of objects and buckets. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.

firebase.projects.get
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.*
storage.multipartUploads.*
storage.objects.*

Storage HMAC Key Admin

roles/storage.hmacKeyAdmin

Full control of Cloud Storage HMAC keys.

firebase.projects.get
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.hmacKeys.*

Storage Object Admin

roles/storage.objectAdmin

Grants full control of objects, including listing, creating, viewing, and deleting objects.

orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.multipartUploads.*
storage.objects.*

Storage Object Creator

roles/storage.objectCreator

Allows users to create objects. Does not give permission to view, delete, or overwrite objects.

orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.listParts
storage.objects.create

Storage Object Viewer

roles/storage.objectViewer

Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.

resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list

Storage Transfer Admin

roles/storagetransfer.admin

Create, update and manage transfer jobs and operations.

resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.*

Storage Transfer Agent

roles/storagetransfer.transferAgent

Perform transfers from an agent.

pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
storagetransfer.agentpools.report
storagetransfer.operations.assign
storagetransfer.operations.get
storagetransfer.operations.report

Storage Transfer User

roles/storagetransfer.user

Create and update storage transfer jobs and operations.

resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.agentpools.create
storagetransfer.agentpools.get
storagetransfer.agentpools.list
storagetransfer.agentpools.report
storagetransfer.agentpools.update
storagetransfer.jobs.create
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.jobs.run
storagetransfer.jobs.update
storagetransfer.operations.*
storagetransfer.projects.*

Storage Transfer Viewer

roles/storagetransfer.viewer

Read access to storage transfer jobs and operations.

resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.agentpools.get
storagetransfer.agentpools.list
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.operations.get
storagetransfer.operations.list
storagetransfer.projects.*

Storage Legacy Bucket Owner

roles/storage.legacyBucketOwner

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding IAM policies, when listing; and read and edit bucket metadata, including IAM policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.listTagBindings
storage.buckets.setIamPolicy
storage.buckets.update
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.list

Storage Legacy Bucket Reader

roles/storage.legacyBucketReader

Grants permission to list a bucket's contents and read bucket metadata, excluding IAM policies. Also grants permission to read object metadata, excluding IAM policies, when listing objects. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

storage.buckets.get
storage.multipartUploads.list
storage.objects.list

Storage Legacy Bucket Writer

roles/storage.legacyBucketWriter

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding IAM policies, when listing; and read bucket metadata, excluding IAM policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

storage.buckets.get
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.list

Storage Legacy Object Owner

roles/storage.legacyObjectOwner

Grants permission to view and edit objects and their metadata, including ACLs.

storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update

Storage Legacy Object Reader

roles/storage.legacyObjectReader

Grants permission to view objects and their metadata, excluding ACLs.

storage.objects.get

Admin

roles/cloudjobdiscovery.admin

Access to Cloud Talent Solution Self-Service Tools.

cloudjobdiscovery.tools.*
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list

Job Editor

roles/cloudjobdiscovery.jobsEditor

Write access to all job data in Cloud Talent Solution.

cloudjobdiscovery.companies.*
cloudjobdiscovery.events.*
cloudjobdiscovery.jobs.*
cloudjobdiscovery.tenants.*
resourcemanager.projects.get
resourcemanager.projects.list

Job Viewer

roles/cloudjobdiscovery.jobsViewer

Read access to all job data in Cloud Talent Solution.

cloudjobdiscovery.companies.get
cloudjobdiscovery.companies.list
cloudjobdiscovery.jobs.get
cloudjobdiscovery.jobs.search
cloudjobdiscovery.tenants.get
resourcemanager.projects.get
resourcemanager.projects.list

Profile Editor

roles/cloudjobdiscovery.profilesEditor

Write access to all profile data in Cloud Talent Solution.

cloudjobdiscovery.events.*
cloudjobdiscovery.profiles.*
cloudjobdiscovery.tenants.*
resourcemanager.projects.get
resourcemanager.projects.list

Profile Viewer

roles/cloudjobdiscovery.profilesViewer

Read access to all profile data in Cloud Talent Solution.

cloudjobdiscovery.profiles.get
cloudjobdiscovery.profiles.search
cloudjobdiscovery.tenants.get
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Tasks Admin

roles/cloudtasks.admin

Full access to queues and tasks.

cloudtasks.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Tasks Enqueuer

roles/cloudtasks.enqueuer

Access to create tasks.

cloudtasks.tasks.create
cloudtasks.tasks.fullView
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Tasks Queue Admin

roles/cloudtasks.queueAdmin

Admin access to queues.

cloudtasks.locations.*
cloudtasks.queues.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Tasks Task Deleter

roles/cloudtasks.taskDeleter

Access to delete tasks.

cloudtasks.tasks.delete
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Tasks Task Runner

roles/cloudtasks.taskRunner

Access to run tasks.

cloudtasks.tasks.fullView
cloudtasks.tasks.run
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Tasks Viewer

roles/cloudtasks.viewer

Get and list access to tasks, queues, and locations.

cloudtasks.locations.*
cloudtasks.queues.get
cloudtasks.queues.list
cloudtasks.tasks.fullView
cloudtasks.tasks.get
cloudtasks.tasks.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list

TPU Admin

roles/tpu.admin

Full access to TPU nodes and related resources.

resourcemanager.projects.get
resourcemanager.projects.list
tpu.*

TPU Viewer

roles/tpu.viewer

Read-only access to TPU nodes and related resources.

resourcemanager.projects.get
resourcemanager.projects.list
tpu.acceleratortypes.*
tpu.locations.*
tpu.nodes.get
tpu.nodes.list
tpu.operations.*
tpu.tensorflowversions.*

TPU Shared VPC Agent

roles/tpu.xpnAgent

Can use shared VPC network (XPN) for the TPU VMs.

compute.addresses.use
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.globalOperations.get
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get

Cloud Trace Admin

roles/cloudtrace.admin

Provides full access to the Trace console and read-write access to traces.

cloudtrace.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Trace Agent

roles/cloudtrace.agent

For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace.

cloudtrace.traces.patch

Cloud Trace User

roles/cloudtrace.user

Provides full access to the Trace console and read access to traces.

cloudtrace.insights.*
cloudtrace.stats.*
cloudtrace.tasks.*
cloudtrace.traces.get
cloudtrace.traces.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Translation API Admin

roles/cloudtranslate.admin

Full access to all Cloud Translation resources

automl.models.get
automl.models.predict
cloudtranslate.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Translation API Editor

roles/cloudtranslate.editor

Editor of all Cloud Translation resources

automl.models.get
automl.models.predict
cloudtranslate.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Translation API User

roles/cloudtranslate.user

User of Cloud Translation and AutoML models

automl.models.get
automl.models.predict
cloudtranslate.generalModels.*
cloudtranslate.glossaries.batchDocPredict
cloudtranslate.glossaries.batchPredict
cloudtranslate.glossaries.docPredict
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.glossaries.predict
cloudtranslate.languageDetectionModels.*
cloudtranslate.locations.*
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Translation API Viewer

roles/cloudtranslate.viewer

Viewer of all Translation resources

automl.models.get
cloudtranslate.generalModels.get
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.locations.*
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list

Compute Admin

roles/compute.admin

Full control of all Compute Engine resources. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

compute.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Image User

roles/compute.imageUser

Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.

compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Instance Admin (beta)

roles/compute.instanceAdmin

Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM settings. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role. For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.

compute.acceleratorTypes.*
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get
compute.licenses.list
compute.machineImages.*
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regionNetworkEndpointGroups.*
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetPools.get
compute.targetPools.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Instance Admin (v1)

roles/compute.instanceAdmin.v1

Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources. If you grant a user this role only at an instance level, then that user cannot create new instances.

compute.acceleratorTypes.*
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Load Balancer Admin

roles/compute.loadBalancerAdmin

Permissions to create, modify, and delete load balancers and associate resources. For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group.

certificatemanager.certmaps.get
certificatemanager.certmaps.list
certificatemanager.certmaps.use
compute.addresses.*
compute.backendBuckets.*
compute.backendServices.*
compute.disks.listTagBindings
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalNetworkEndpointGroups.*
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.listTagBindings
compute.instanceGroups.*
compute.instances.get
compute.instances.list
compute.instances.use
compute.instances.useReadOnly
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.projects.get
compute.regionBackendServices.*
compute.regionHealthCheckServices.*
compute.regionHealthChecks.*
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.*
compute.regionSslCertificates.*
compute.regionTargetHttpProxies.*
compute.regionTargetHttpsProxies.*
compute.regionUrlMaps.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.snapshots.listTagBindings
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.urlMaps.*
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.use
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Load Balancer Services User

roles/compute.loadBalancerServiceUser

Permissions to use services from a load balancer in other projects.

compute.backendServices.get
compute.backendServices.list
compute.backendServices.use
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Network Admin

roles/compute.networkAdmin

Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group. Or, if you have a combined team that manages both security and networking, then grant this role as well as the roles/compute.securityAdmin role to the combined team's group.

compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.*
compute.backendServices.*
compute.disks.listTagBindings
compute.externalVpnGateways.*
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.use
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use
compute.globalOperations.get
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.update
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.instances.updateSecurity
compute.instances.use
compute.instances.useReadOnly
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnects.*
compute.machineTypes.*
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.use
compute.networks.*
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.regionBackendServices.*
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.use
compute.regionHealthCheckServices.*
compute.regionHealthChecks.*
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use
compute.regionNotificationEndpoints.*
compute.regionOperations.get
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.*
compute.regionTargetHttpsProxies.*
compute.regionUrlMaps.*
compute.regions.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.serviceAttachments.*
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.*
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
networkconnectivity.locations.*
networkconnectivity.operations.*
networksecurity.*
networkservices.*
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
trafficdirector.*

Compute Network User

roles/compute.networkUser

Provides access to a shared VPC network Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.useInternal
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.use
compute.firewalls.get
compute.firewalls.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.use
compute.networks.access
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.use
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
networkconnectivity.locations.*
networkconnectivity.operations.get
networkconnectivity.operations.list
networksecurity.authorizationPolicies.get
networksecurity.authorizationPolicies.list
networksecurity.authorizationPolicies.use
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.use
networksecurity.locations.*
networksecurity.operations.get
networksecurity.operations.list
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.use
networkservices.endpointConfigSelectors.get
networkservices.endpointConfigSelectors.list
networkservices.endpointConfigSelectors.use
networkservices.endpointPolicies.get
networkservices.endpointPolicies.list
networkservices.endpointPolicies.use
networkservices.gateways.get
networkservices.gateways.list
networkservices.gateways.use
networkservices.grpcRoutes.get
networkservices.grpcRoutes.list
networkservices.grpcRoutes.use
networkservices.httpFilters.get
networkservices.httpFilters.list
networkservices.httpFilters.use
networkservices.httpRoutes.get
networkservices.httpRoutes.list
networkservices.httpRoutes.use
networkservices.httpfilters.get
networkservices.httpfilters.list
networkservices.httpfilters.use
networkservices.locations.*
networkservices.meshes.get
networkservices.meshes.list
networkservices.meshes.use
networkservices.operations.get
networkservices.operations.list
networkservices.serviceBindings.get
networkservices.serviceBindings.list
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
networkservices.tcpRoutes.use
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Network Viewer

roles/compute.networkViewer

Read-only access to all networking resources For example, if you have software that inspects your network configuration, you could grant this role to that software's service account.

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.machineTypes.*
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
networkconnectivity.locations.*
networkconnectivity.operations.get
networkconnectivity.operations.list
networksecurity.authorizationPolicies.get
networksecurity.authorizationPolicies.list
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.locations.*
networksecurity.operations.get
networksecurity.operations.list
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networkservices.endpointConfigSelectors.get
networkservices.endpointConfigSelectors.list
networkservices.endpointPolicies.get
networkservices.endpointPolicies.list
networkservices.gateways.get
networkservices.gateways.list
networkservices.grpcRoutes.get
networkservices.grpcRoutes.list
networkservices.httpFilters.get
networkservices.httpFilters.list
networkservices.httpRoutes.get
networkservices.httpRoutes.list
networkservices.httpfilters.get
networkservices.httpfilters.list
networkservices.locations.*
networkservices.meshes.get
networkservices.meshes.list
networkservices.operations.get
networkservices.operations.list
networkservices.serviceBindings.get
networkservices.serviceBindings.list
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
trafficdirector.*

Compute Organization Firewall Policy Admin

roles/compute.orgFirewallPolicyAdmin

Full control of Compute Engine Organization Firewall Policies.

compute.firewallPolicies.cloneRules
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.move
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
compute.regionFirewallPolicies.*
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionOperations.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Organization Firewall Policy User

roles/compute.orgFirewallPolicyUser

View or use Compute Engine Firewall Policies to associate with the organization or folders.

compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.use
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.projects.get
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.use
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Organization Security Policy Admin

roles/compute.orgSecurityPolicyAdmin

Full control of Compute Engine Organization Security Policies.

compute.firewallPolicies.*
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
compute.securityPolicies.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Organization Security Policy User

roles/compute.orgSecurityPolicyUser

View or use Compute Engine Security Policies to associate with the organization or folders.

compute.firewallPolicies.addAssociation
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.use
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
compute.securityPolicies.addAssociation
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.removeAssociation
compute.securityPolicies.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Organization Resource Admin

roles/compute.orgSecurityResourceAdmin

Full control of Compute Engine Firewall Policy associations to the organization or folders.

compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.organizations.listAssociations
compute.organizations.setFirewallPolicy
compute.organizations.setSecurityPolicy
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute OS Admin Login

roles/compute.osAdminLogin

Access to log in to a Compute Engine instance as an administrator user.

compute.disks.listTagBindings
compute.images.listTagBindings
compute.instances.get
compute.instances.list
compute.instances.osAdminLogin
compute.instances.osLogin
compute.projects.get
compute.snapshots.listTagBindings
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute OS Login

roles/compute.osLogin

Access to log in to a Compute Engine instance as a standard user.

compute.disks.listTagBindings
compute.images.listTagBindings
compute.instances.get
compute.instances.list
compute.instances.osLogin
compute.projects.get
compute.snapshots.listTagBindings
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute OS Login External User

roles/compute.osLoginExternalUser

Available only at the organization level. Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH.

compute.oslogin.*

Compute packet mirroring admin

roles/compute.packetMirroringAdmin

Specify resources to be mirrored.

compute.instances.updateSecurity
compute.networks.mirror
compute.projects.get
compute.subnetworks.mirror
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute packet mirroring user

roles/compute.packetMirroringUser

Use Compute Engine packet mirrorings.

compute.packetMirrorings.*
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Public IP Admin

roles/compute.publicIpAdmin

Full control of public IP address management for Compute Engine.

compute.addresses.*
compute.globalAddresses.*
compute.globalPublicDelegatedPrefixes.*
compute.publicAdvertisedPrefixes.*
compute.publicDelegatedPrefixes.*
resourcemanager.projects.get
resourcemanager.projects.list

Compute Security Admin

roles/compute.securityAdmin

Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM settings. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the security team's group.

compute.firewallPolicies.*
compute.firewalls.*
compute.globalOperations.get
compute.globalOperations.list
compute.instances.getEffectiveFirewalls
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.updatePolicy
compute.packetMirrorings.*
compute.projects.get
compute.regionFirewallPolicies.*
compute.regionOperations.get
compute.regionOperations.list
compute.regionSslCertificates.*
compute.regions.*
compute.routes.get
compute.routes.list
compute.securityPolicies.*
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Sole Tenant Viewer

roles/compute.soleTenantViewer

Permissions to view sole tenancy node groups

compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*

Compute Storage Admin

roles/compute.storageAdmin

Permissions to create, modify, and delete disks, images, and snapshots. For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project.

compute.diskTypes.*
compute.disks.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.*
compute.licenseCodes.*
compute.licenses.*
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.resourcePolicies.*
compute.snapshots.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Viewer

roles/compute.viewer

Read-only access to get and list Compute Engine resources, without being able to read the data stored on them. For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks.

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.validate
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Shared VPC Admin

roles/compute.xpnAdmin

Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network. At the organization level, this role can only be granted by an organization admin. Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the Compute Network User role (roles/compute.networkUser) to service owners, and the shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.

compute.globalOperations.get
compute.globalOperations.list
compute.organizations.administerXpn
compute.organizations.disableXpnHost
compute.organizations.disableXpnResource
compute.organizations.enableXpnHost
compute.organizations.enableXpnResource
compute.projects.get
compute.subnetworks.getIamPolicy
compute.subnetworks.setIamPolicy
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

GuestPolicy Admin

roles/osconfig.guestPolicyAdmin

Full admin access to GuestPolicies

osconfig.guestPolicies.*
resourcemanager.projects.get
resourcemanager.projects.list

GuestPolicy Editor

roles/osconfig.guestPolicyEditor

Editor of GuestPolicy resources

osconfig.guestPolicies.get
osconfig.guestPolicies.list
osconfig.guestPolicies.update
resourcemanager.projects.get
resourcemanager.projects.list

GuestPolicy Viewer

roles/osconfig.guestPolicyViewer

Viewer of GuestPolicy resources

osconfig.guestPolicies.get
osconfig.guestPolicies.list
resourcemanager.projects.get
resourcemanager.projects.list

InstanceOSPoliciesCompliance Viewer

roles/osconfig.instanceOSPoliciesComplianceViewer

Viewer of OS Policies Compliance of VM instances

osconfig.instanceOSPoliciesCompliances.*
resourcemanager.projects.get
resourcemanager.projects.list

OS Inventory Viewer

roles/osconfig.inventoryViewer

Viewer of OS Inventories

osconfig.inventories.*
resourcemanager.projects.get
resourcemanager.projects.list

OSPolicyAssignment Admin

roles/osconfig.osPolicyAssignmentAdmin

Full admin access to OS Policy Assignments

osconfig.osPolicyAssignments.*
resourcemanager.projects.get
resourcemanager.projects.list

OSPolicyAssignment Editor

roles/osconfig.osPolicyAssignmentEditor

Editor of OS Policy Assignments

osconfig.osPolicyAssignments.get
osconfig.osPolicyAssignments.list
osconfig.osPolicyAssignments.update
resourcemanager.projects.get
resourcemanager.projects.list

OSPolicyAssignmentReport Viewer

roles/osconfig.osPolicyAssignmentReportViewer

Viewer of OS policy assignment reports for VM instances

osconfig.osPolicyAssignmentReports.*
resourcemanager.projects.get
resourcemanager.projects.list

OSPolicyAssignment Viewer

roles/osconfig.osPolicyAssignmentViewer

Viewer of OS Policy Assignments

osconfig.osPolicyAssignments.get
osconfig.osPolicyAssignments.list
resourcemanager.projects.get
resourcemanager.projects.list

PatchDeployment Admin

roles/osconfig.patchDeploymentAdmin

Full admin access to PatchDeployments

osconfig.patchDeployments.*
resourcemanager.projects.get
resourcemanager.projects.list

PatchDeployment Viewer

roles/osconfig.patchDeploymentViewer

Viewer of PatchDeployment resources

osconfig.patchDeployments.get
osconfig.patchDeployments.list
resourcemanager.projects.get
resourcemanager.projects.list

Patch Job Executor

roles/osconfig.patchJobExecutor

Access to execute Patch Jobs.

osconfig.patchJobs.*
resourcemanager.projects.get
resourcemanager.projects.list

Patch Job Viewer

roles/osconfig.patchJobViewer

Get and list Patch Jobs.

osconfig.patchJobs.get
osconfig.patchJobs.list
resourcemanager.projects.get
resourcemanager.projects.list

OS VulnerabilityReport Viewer

roles/osconfig.vulnerabilityReportViewer

Viewer of OS VulnerabilityReports

osconfig.vulnerabilityReports.*
resourcemanager.projects.get
resourcemanager.projects.list

Container Analysis Admin

roles/containeranalysis.admin

Access to all Container Analysis resources.

containeranalysis.notes.attachOccurrence
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.notes.getIamPolicy
containeranalysis.notes.list
containeranalysis.notes.setIamPolicy
containeranalysis.notes.update
containeranalysis.occurrences.*
resourcemanager.projects.get
resourcemanager.projects.list

Container Analysis Notes Attacher

roles/containeranalysis.notes.attacher

Can attach Container Analysis Occurrences to Notes.

containeranalysis.notes.attachOccurrence
containeranalysis.notes.get

Container Analysis Notes Editor

roles/containeranalysis.notes.editor

Can edit Container Analysis Notes.

containeranalysis.notes.attachOccurrence
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.notes.update
resourcemanager.projects.get
resourcemanager.projects.list

Container Analysis Occurrences for Notes Viewer

roles/containeranalysis.notes.occurrences.viewer

Can view all Container Analysis Occurrences attached to a Note.

containeranalysis.notes.get
containeranalysis.notes.listOccurrences

Container Analysis Notes Viewer

roles/containeranalysis.notes.viewer

Can view Container Analysis Notes.

containeranalysis.notes.get
containeranalysis.notes.list
resourcemanager.projects.get
resourcemanager.projects.list

Container Analysis Occurrences Editor

roles/containeranalysis.occurrences.editor

Can edit Container Analysis Occurrences.

containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
resourcemanager.projects.get
resourcemanager.projects.list

Container Analysis Occurrences Viewer

roles/containeranalysis.occurrences.viewer

Can view Container Analysis Occurrences.

containeranalysis.occurrences.get
containeranalysis.occurrences.list
resourcemanager.projects.get
resourcemanager.projects.list

Data Catalog Admin

roles/datacatalog.admin

Full access to all DataCatalog resources

bigquery.connections.get
bigquery.connections.updateTag
bigquery.datasets.get
bigquery.datasets.updateTag
bigquery.models.getMetadata
bigquery.models.updateTag
bigquery.routines.get
bigquery.routines.updateTag
bigquery.tables.get
bigquery.tables.updateTag
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.entries.*
datacatalog.entryGroups.*
datacatalog.tagTemplates.*
datacatalog.taxonomies.*
pubsub.topics.get
pubsub.topics.updateTag
resourcemanager.projects.get
resourcemanager.projects.list

Policy Tag Admin

roles/datacatalog.categoryAdmin

Manage taxonomies

datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.taxonomies.*
resourcemanager.projects.get
resourcemanager.projects.list

Fine-Grained Reader

roles/datacatalog.categoryFineGrainedReader

Read access to sub-resources tagged by a policy tag, for example, BigQuery columns

datacatalog.categories.fineGrainedGet

DataCatalog EntryGroup Creator

roles/datacatalog.entryGroupCreator

Can create new entryGroups

datacatalog.entryGroups.create
datacatalog.entryGroups.get
datacatalog.entryGroups.list
resourcemanager.projects.get
resourcemanager.projects.list

DataCatalog entryGroup Owner

roles/datacatalog.entryGroupOwner

Full access to entryGroups

datacatalog.entries.*
datacatalog.entryGroups.*
resourcemanager.projects.get
resourcemanager.projects.list

DataCatalog entry Owner

roles/datacatalog.entryOwner

Full access to entries

datacatalog.entries.*
datacatalog.entryGroups.get
resourcemanager.projects.get
resourcemanager.projects.list

DataCatalog Entry Viewer

roles/datacatalog.entryViewer

Read access to entries

datacatalog.entries.get
datacatalog.entries.list
datacatalog.entryGroups.get
resourcemanager.projects.get
resourcemanager.projects.list

Data Catalog Tag Editor

roles/datacatalog.tagEditor

Provides access to modify tags on Google Cloud assets for BigQuery and Pub/Sub

bigquery.connections.updateTag
bigquery.datasets.updateTag
bigquery.models.updateTag
bigquery.routines.updateTag
bigquery.tables.updateTag
datacatalog.entries.updateTag
pubsub.topics.updateTag

Data Catalog TagTemplate Creator

roles/datacatalog.tagTemplateCreator

Access to create new tag templates

datacatalog.tagTemplates.create
datacatalog.tagTemplates.get

Data Catalog TagTemplate Owner

roles/datacatalog.tagTemplateOwner

Full access to tag templates

datacatalog.tagTemplates.*
resourcemanager.projects.get
resourcemanager.projects.list

Data Catalog TagTemplate User

roles/datacatalog.tagTemplateUser

Access to use templates to tag resources

datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
datacatalog.tagTemplates.use
resourcemanager.projects.get
resourcemanager.projects.list

Data Catalog TagTemplate Viewer

roles/datacatalog.tagTemplateViewer

Read access to templates and tags created using the templates

datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
resourcemanager.projects.get
resourcemanager.projects.list

Data Catalog Viewer

roles/datacatalog.viewer

Provides metadata read access to catalogued Google Cloud assets for BigQuery and Pub/Sub

bigquery.connections.get
bigquery.datasets.get
bigquery.models.getMetadata
bigquery.routines.get
bigquery.tables.get
datacatalog.entries.get
datacatalog.entries.list
datacatalog.entryGroups.get
datacatalog.entryGroups.list
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
datacatalog.taxonomies.get
datacatalog.taxonomies.list
pubsub.topics.get
resourcemanager.projects.get
resourcemanager.projects.list

Connector Admin

roles/dataconnectors.connectorAdmin

Full access to Data Connectors.

dataconnectors.*
resourcemanager.projects.get
resourcemanager.projects.list

Connector User

roles/dataconnectors.connectorUser

Access to use Data Connectors.

dataconnectors.connectors.get
dataconnectors.connectors.getIamPolicy
dataconnectors.connectors.list
dataconnectors.connectors.use

Database Migration Admin

roles/datamigration.admin

Full access to all resources of Database Migration.

datamigration.*
resourcemanager.projects.get
resourcemanager.projects.list

Data pipelines Admin

roles/datapipelines.admin

Administrator of Data pipelines resources

datapipelines.*
resourcemanager.projects.get
resourcemanager.projects.list

Data pipelines Invoker

roles/datapipelines.invoker

Invoker of Data pipelines jobs

datapipelines.pipelines.run
resourcemanager.projects.get
resourcemanager.projects.list

Data pipelines Viewer

roles/datapipelines.viewer

Viewer of Data pipelines resources

datapipelines.jobs.*
datapipelines.pipelines.get
datapipelines.pipelines.list
resourcemanager.projects.get
resourcemanager.projects.list

Dataflow Admin

roles/dataflow.admin

Minimal role for creating and managing dataflow jobs.

compute.machineTypes.get
compute.projects.get
compute.regions.list
compute.zones.list
dataflow.jobs.*
dataflow.messages.*
dataflow.metrics.*
dataflow.snapshots.*
recommender.dataflowDiagnosticsInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list

Dataflow Developer

roles/dataflow.developer

Provides the permissions necessary to execute and manipulate Dataflow jobs.

compute.projects.get
compute.regions.list
compute.zones.list
dataflow.jobs.*
dataflow.messages.*
dataflow.metrics.*
dataflow.snapshots.*
recommender.dataflowDiagnosticsInsights.*
resourcemanager.projects.get
resourcemanager.projects.list

Dataflow Viewer

roles/dataflow.viewer

Provides read-only access to all Dataflow-related resources.

dataflow.jobs.get
dataflow.jobs.list
dataflow.messages.*
dataflow.metrics.*
dataflow.snapshots.get
dataflow.snapshots.list
recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
resourcemanager.projects.get
resourcemanager.projects.list

Dataflow Worker

roles/dataflow.worker

Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline.

autoscaling.sites.readRecommendations
autoscaling.sites.writeMetrics
autoscaling.sites.writeState
compute.instanceGroupManagers.update
compute.instances.delete
compute.instances.setDiskAutoDelete
dataflow.jobs.get
dataflow.shuffle.*
dataflow.streamingWorkItems.*
dataflow.workItems.*
logging.logEntries.create
storage.buckets.get
storage.objects.create
storage.objects.get

Dataprep User

roles/dataprep.projects.user

Use of Dataprep.

dataprep.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Dataproc Administrator

roles/dataproc.admin

Full control of Dataproc resources.

compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.autoscalingPolicies.*
dataproc.batches.*
dataproc.clusters.*
dataproc.jobs.*
dataproc.operations.*
dataproc.workflowTemplates.*
resourcemanager.projects.get
resourcemanager.projects.list

Dataproc Editor

roles/dataproc.editor

Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones.

compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.autoscalingPolicies.create
dataproc.autoscalingPolicies.delete
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.update
dataproc.autoscalingPolicies.use
dataproc.batches.*
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.start
dataproc.clusters.stop
dataproc.clusters.update
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
dataproc.workflowTemplates.instantiate
dataproc.workflowTemplates.instantiateInline
dataproc.workflowTemplates.list
dataproc.workflowTemplates.update
resourcemanager.projects.get
resourcemanager.projects.list

Dataproc Hub Agent

roles/dataproc.hubAgent

Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.

compute.instances.get
compute.instances.setMetadata
compute.instances.setTags
compute.zoneOperations.get
compute.zones.list
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.use
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.update
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.locations.*
logging.logEntries.create
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.listShared
logging.queries.update
logging.sinks.get
logging.sinks.list
logging.usage.*
logging.views.get
logging.views.list
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.objects.get
storage.objects.list

Dataproc Viewer

roles/dataproc.viewer

Provides read-only access to Dataproc resources.

compute.machineTypes.get
compute.regions.*
compute.zones.*
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.list
dataproc.batches.get
dataproc.batches.list
dataproc.clusters.get
dataproc.clusters.list
dataproc.jobs.get
dataproc.jobs.list
dataproc.operations.get
dataproc.operations.list
dataproc.workflowTemplates.get
dataproc.workflowTemplates.list
resourcemanager.projects.get
resourcemanager.projects.list

Dataproc Worker

roles/dataproc.worker

Provides worker access to Dataproc resources. Intended for service accounts.

dataproc.agents.*
dataproc.tasks.*
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
storage.buckets.get
storage.multipartUploads.*
storage.objects.*

Dataproc Metastore Admin

roles/metastore.admin

Full access to all Dataproc Metastore resources.

metastore.backups.*
metastore.imports.*
metastore.locations.*
metastore.operations.*
metastore.services.create
metastore.services.delete
metastore.services.export
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
metastore.services.restore
metastore.services.setIamPolicy
metastore.services.update
resourcemanager.projects.get
resourcemanager.projects.list

Dataproc Metastore Editor

roles/metastore.editor

Read and write access to all Dataproc Metastore resources.

metastore.backups.*
metastore.imports.*
metastore.locations.*
metastore.operations.*
metastore.services.create
metastore.services.delete
metastore.services.export
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
metastore.services.restore
metastore.services.update
resourcemanager.projects.get
resourcemanager.projects.list

Dataproc Metastore Metadata Editor

roles/metastore.metadataEditor

Access to read and modify the metadata of databases and tables under those databases.

metastore.databases.create
metastore.databases.delete
metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.databases.update
metastore.services.get
metastore.services.use
metastore.tables.create
metastore.tables.delete
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.update

Dataproc Metastore Metadata Operator

roles/metastore.metadataOperator

Read-only access to Dataproc Metastore resources with additional metadata operations permission.

metastore.backups.*
metastore.imports.*
metastore.locations.*
metastore.operations.get
metastore.operations.list
metastore.services.export
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
metastore.services.restore
resourcemanager.projects.get
resourcemanager.projects.list

Dataproc Metastore Data Owner

roles/metastore.metadataOwner

Full access to the metadata of databases and tables under those databases.

metastore.databases.*
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
metastore.services.use
metastore.tables.*

Dataproc Metastore Metadata User

roles/metastore.metadataUser

Access to the Dataproc Metastore gRPC endpoint

metastore.databases.get
metastore.databases.list
metastore.services.get
metastore.services.use

Dataproc Metastore Metadata Viewer

roles/metastore.metadataViewer

Access to read the metadata of databases and tables under those databases

metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.services.get
metastore.services.use
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list

Dataproc Metastore Viewer

roles/metastore.user

Read-only access to all Dataproc Metastore resources.

metastore.backups.get
metastore.backups.list
metastore.imports.get
metastore.imports.list
metastore.locations.*
metastore.operations.get
metastore.operations.list
metastore.services.export
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Datastore Import Export Admin

roles/datastore.importExportAdmin

Provides full access to manage imports and exports.

appengine.applications.get
datastore.databases.export
datastore.databases.getMetadata
datastore.databases.import
datastore.operations.cancel
datastore.operations.get
datastore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Datastore Index Admin

roles/datastore.indexAdmin

Provides full access to manage index definitions.

appengine.applications.get
datastore.databases.getMetadata
datastore.indexes.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Datastore Key Visualizer Viewer

roles/datastore.keyVisualizerViewer

Full access to Key Visualizer scans.

datastore.databases.getMetadata
datastore.keyVisualizerScans.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Datastore Owner

roles/datastore.owner

Provides full access to Datastore resources.

appengine.applications.get
datastore.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Datastore User

roles/datastore.user

Provides read/write access to data in a Datastore database.

appengine.applications.get
datastore.databases.get
datastore.databases.getMetadata
datastore.entities.*
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.list
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Datastore Viewer

roles/datastore.viewer

Provides read access to Datastore resources.

appengine.applications.get
datastore.databases.get
datastore.databases.getMetadata
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.list
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list

Datastream Admin

roles/datastream.admin

Full access to all Datastream resources.

datastream.*
resourcemanager.projects.get
resourcemanager.projects.list

Datastream Viewer

roles/datastream.viewer

Read-only access to all Datastream resources.

datastream.connectionProfiles.destinationTypes
datastream.connectionProfiles.discover
datastream.connectionProfiles.get
datastream.connectionProfiles.getIamPolicy
datastream.connectionProfiles.list
datastream.connectionProfiles.listStaticServiceIps
datastream.connectionProfiles.sourceTypes
datastream.locations.*
datastream.objects.get
datastream.objects.list
datastream.operations.get
datastream.operations.list
datastream.privateConnections.get
datastream.privateConnections.getIamPolicy
datastream.privateConnections.list
datastream.routes.get
datastream.routes.getIamPolicy
datastream.routes.list
datastream.streams.fetchErrors
datastream.streams.get
datastream.streams.getIamPolicy
datastream.streams.list
resourcemanager.projects.get
resourcemanager.projects.list

Deployment Manager Editor

roles/deploymentmanager.editor

Provides the permissions necessary to create and manage deployments.

deploymentmanager.compositeTypes.*
deploymentmanager.deployments.cancelPreview
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.stop
deploymentmanager.deployments.update
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.*
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Deployment Manager Type Editor

roles/deploymentmanager.typeEditor

Provides read and write access to all Type Registry resources.

deploymentmanager.compositeTypes.*
deploymentmanager.operations.get
deploymentmanager.typeProviders.*
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get

Deployment Manager Type Viewer

roles/deploymentmanager.typeViewer

Provides read-only access to all Type Registry resources.

deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get

Deployment Manager Viewer

roles/deploymentmanager.viewer

Provides read-only access to all Deployment Manager-related resources.

deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

AAM Admin

roles/dialogflow.aamAdmin

An admin has access to all resources and can perform all administrative actions in an AAM project.

dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.agents.searchResources
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.list
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.documents.get
dialogflow.documents.list
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.*
dialogflow.modelEvaluations.*
dialogflow.operations.*
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list

AAM Conversational Architect

roles/dialogflow.aamConversationalArchitect

A Conversational Architect can label conversational data, approve taxonomy changes and design virtual agents for a customer's use cases.

dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.agents.searchResources
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.list
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.documents.get
dialogflow.documents.list
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.*
dialogflow.modelEvaluations.*
dialogflow.operations.*
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list

AAM Dialog Designer

roles/dialogflow.aamDialogDesigner

A Dialog Designer can label conversational data and propose taxonomy changes for virtual agent modeling.

dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.agents.searchResources
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.list
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.documents.get
dialogflow.documents.list
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.*
dialogflow.modelEvaluations.*
dialogflow.operations.*
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list

AAM Lead Dialog Designer

roles/dialogflow.aamLeadDialogDesigner

A Dialog Designer Lead can label conversational data and approve taxonomy changes for virtual agent modeling.

dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.agents.searchResources
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.list
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.documents.get
dialogflow.documents.list
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.*
dialogflow.modelEvaluations.*
dialogflow.operations.*
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list

AAM Viewer

roles/dialogflow.aamViewer

A user can view the taxonomy and data reports in an AAM project.

dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.agents.searchResources
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.list
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.documents.get
dialogflow.documents.list
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.*
dialogflow.modelEvaluations.*
dialogflow.operations.*
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list

Dialogflow API Admin

roles/dialogflow.admin

Grant to Dialogflow API admins that need full access to Dialogflow-specific resources. Also see Dialogflow access control.

dialogflow.*
resourcemanager.projects.get

Dialogflow API Client

roles/dialogflow.client

Grant to Dialogflow API clients that perform Dialogflow-specific edits and detect intent calls using the API. Also see Dialogflow access control.

dialogflow.contexts.*
dialogflow.conversations.*
dialogflow.messages.*
dialogflow.participants.*
dialogflow.sessionEntityTypes.*
dialogflow.sessions.*

Dialogflow Console Agent Editor

roles/dialogflow.consoleAgentEditor

Grant to Dialogflow Console editors that edit existing agents. Also see Dialogflow access control.

actions.agentVersions.create
dialogflow.*
resourcemanager.projects.get

Dialogflow Console Simulator User

roles/dialogflow.consoleSimulatorUser

Can perform query of dialogflow suggestions in the simulator in web console.

dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversations.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.participants.*
dialogflow.sessions.detectIntent
resourcemanager.projects.get
resourcemanager.projects.list

Dialogflow Console Smart Messaging Allowlist Editor

roles/dialogflow.consoleSmartMessagingAllowlistEditor

Can edit allowlist for smart messaging associated with conversation model in the agent assist console

dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.list
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.list
dialogflow.documents.get
dialogflow.documents.list
dialogflow.operations.*
dialogflow.smartMessagingEntries.*
resourcemanager.projects.get
resourcemanager.projects.list

Dialogflow Conversation Manager

roles/dialogflow.conversationManager

Can manage all the resources related to Dialogflow Conversations.

dialogflow.conversationProfiles.*
dialogflow.conversations.*
dialogflow.participants.*

Dialogflow Entity Type Admin

roles/dialogflow.entityTypeAdmin

Can read & write entity types.

dialogflow.entityTypes.*

Dialogflow Environment editor

roles/dialogflow.environmentEditor

Can read & update environment and its sub-resources.

dialogflow.environments.get
dialogflow.environments.getHistory
dialogflow.environments.list
dialogflow.environments.lookupHistory
dialogflow.environments.update

Dialogflow Flow editor

roles/dialogflow.flowEditor

Can read & update flow and its sub-resources.

dialogflow.flows.get
dialogflow.flows.list
dialogflow.flows.train
dialogflow.flows.update
dialogflow.flows.validate
dialogflow.pages.*
dialogflow.transitionRouteGroups.*
dialogflow.versions.*

Dialogflow Integration Manager

roles/dialogflow.integrationManager

Can add, remove, enable and disable Dialogflow integrations.

dialogflow.integrations.*

Dialogflow Intent Admin

roles/dialogflow.intentAdmin

Can read & write intents.

dialogflow.intents.*

Dialogflow API Reader

roles/dialogflow.reader

Grant to Dialogflow API clients that perform Dialogflow-specific read-only calls using the API. Also see Dialogflow access control.

dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.agents.searchResources
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.list
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.documents.get
dialogflow.documents.list
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.*
dialogflow.modelEvaluations.*
dialogflow.operations.*
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get

Dialogflow Test Case Admin

roles/dialogflow.testCaseAdmin

Can read & write test cases.

Dialogflow Webhook Admin

roles/dialogflow.webhookAdmin

Can read & write webhooks.

dialogflow.webhooks.*

DNS Administrator

roles/dns.admin

Provides read-write access to all Cloud DNS resources.

compute.networks.get
compute.networks.list
dns.changes.*
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.*
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.list
dns.policies.update
dns.projects.*
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
resourcemanager.projects.get
resourcemanager.projects.list

DNS Peer

roles/dns.peer

Access to target networks with DNS peering zones

dns.networks.targetWithPeeringZone

DNS Reader

roles/dns.reader

Provides read-only access to all Cloud DNS resources.

compute.networks.get
dns.changes.get
dns.changes.list
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.get
dns.managedZones.list
dns.policies.get
dns.policies.list
dns.projects.*
dns.resourceRecordSets.get
dns.resourceRecordSets.list
dns.responsePolicies.get
dns.responsePolicies.list
dns.responsePolicyRules.get
dns.responsePolicyRules.list
resourcemanager.projects.get
resourcemanager.projects.list

Document AI Administrator.

roles/documentai.admin

Grants full access to all resources in Document AI

documentai.*
resourcemanager.projects.get
resourcemanager.projects.list

Document AI API User

roles/documentai.apiUser

Grants access to process documents in Document AI

documentai.humanReviewConfigs.review
documentai.operations.*
documentai.processorVersions.processBatch
documentai.processorVersions.processOnline
documentai.processors.processBatch
documentai.processors.processOnline

Document AI Editor

roles/documentai.editor

Grants access to use all resources in Document AI

documentai.*
resourcemanager.projects.get
resourcemanager.projects.list

Document AI Viewer

roles/documentai.viewer

Grants access to view all resources and process documents in Document AI

documentai.datasetSchemas.get
documentai.datasets.get
documentai.evaluations.get
documentai.evaluations.list
documentai.humanReviewConfigs.get
documentai.humanReviewConfigs.review
documentai.labelerPools.get
documentai.labelerPools.list
documentai.locations.*
documentai.operations.*
documentai.processorTypes.*
documentai.processorVersions.get
documentai.processorVersions.list
documentai.processorVersions.processBatch
documentai.processorVersions.processOnline
documentai.processors.fetchHumanReviewDetails
documentai.processors.get
documentai.processors.list
documentai.processors.processBatch
documentai.processors.processOnline
resourcemanager.projects.get
resourcemanager.projects.list

Earth Engine Resource Admin

roles/earthengine.admin

Full access to all Earth Engine resource features

earthengine.*
resourcemanager.projects.get
resourcemanager.projects.list

Earth Engine Apps Publisher

roles/earthengine.appsPublisher

Publisher of Earth Engine Apps

iam.serviceAccounts.create
iam.serviceAccounts.disable
iam.serviceAccounts.enable
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.setIamPolicy
resourcemanager.projects.get
serviceusage.services.get

Earth Engine Resource Viewer

roles/earthengine.viewer

Viewer of all Earth Engine resources

earthengine.assets.get
earthengine.assets.getIamPolicy
earthengine.assets.list
earthengine.computations.*
earthengine.filmstripthumbnails.get
earthengine.maps.get
earthengine.operations.get
earthengine.operations.list
earthengine.tables.get
earthengine.thumbnails.get
earthengine.videothumbnails.get
resourcemanager.projects.get
resourcemanager.projects.list

Earth Engine Resource Writer

roles/earthengine.writer

Writer of all Earth Engine resources

earthengine.assets.create
earthengine.assets.delete
earthengine.assets.get
earthengine.assets.getIamPolicy
earthengine.assets.list
earthengine.assets.update
earthengine.computations.*
earthengine.exports.*
earthengine.filmstripthumbnails.*
earthengine.imports.*
earthengine.maps.*
earthengine.operations.*
earthengine.tables.*
earthengine.thumbnails.*
earthengine.videothumbnails.*
resourcemanager.projects.get
resourcemanager.projects.list

Edge Container Admin

roles/edgecontainer.admin

Full access to Edge Container all resources.

edgecontainer.*
resourcemanager.projects.get
resourcemanager.projects.list

Edge Container Machine User

roles/edgecontainer.machineUser

Access to use Edge Container Machine resources.

edgecontainer.machines.get
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.machines.use
resourcemanager.projects.get
resourcemanager.projects.list

Edge Container Viewer

roles/edgecontainer.viewer

Read-only access to Edge Container all resources.

edgecontainer.clusters.generateAccessToken
edgecontainer.clusters.get
edgecontainer.clusters.getIamPolicy
edgecontainer.clusters.list
edgecontainer.locations.*
edgecontainer.machines.get
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.nodePools.get
edgecontainer.nodePools.getIamPolicy
edgecontainer.nodePools.list
edgecontainer.operations.get
edgecontainer.operations.list
edgecontainer.vpnConnections.get
edgecontainer.vpnConnections.getIamPolicy
edgecontainer.vpnConnections.list
resourcemanager.projects.get
resourcemanager.projects.list

Endpoints Portal Admin

roles/endpoints.portalAdmin

Provides all permissions needed to add, view, and delete custom domains on the Endpoints > Developer Portal page in the Cloud Console. On a portal created for an API, provides the permission to change settings on the Site Wide tab on the Settings page.

endpoints.*
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get

Error Reporting Admin

roles/errorreporting.admin

Provides full access to Error Reporting data.

cloudnotifications.*
errorreporting.*
logging.notificationRules.*
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get

Error Reporting User

roles/errorreporting.user

Provides the permissions to read and write Error Reporting data, except for sending new error events.

cloudnotifications.*
errorreporting.applications.*
errorreporting.errorEvents.delete
errorreporting.errorEvents.list
errorreporting.groupMetadata.*
errorreporting.groups.*
logging.notificationRules.*
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get

Error Reporting Viewer

roles/errorreporting.viewer

Provides read-only access to Error Reporting data.

cloudnotifications.*
errorreporting.applications.*
errorreporting.errorEvents.list
errorreporting.groupMetadata.get
errorreporting.groups.*
logging.notificationRules.get
logging.notificationRules.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get

Error Reporting Writer

roles/errorreporting.writer

Provides the permissions to send error events to Error Reporting.

errorreporting.errorEvents.create

Eventarc Admin

roles/eventarc.admin

Full control over all Eventarc resources.

eventarc.*
resourcemanager.projects.get
resourcemanager.projects.list

Eventarc Developer

roles/eventarc.developer

Access to read and write Eventarc resources.

eventarc.locations.*
eventarc.operations.*
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.undelete
eventarc.triggers.update
resourcemanager.projects.get
resourcemanager.projects.list

Eventarc Event Receiver

roles/eventarc.eventReceiver

Can receive events from all event providers.

eventarc.events.*

Eventarc Viewer

roles/eventarc.viewer

Can view the state of all Eventarc resources, including IAM policies.

eventarc.locations.*
eventarc.operations.get
eventarc.operations.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Admin

roles/firebase.admin

Full access to Firebase products.

apikeys.keys.get
apikeys.keys.list
apikeys.keys.lookup
appengine.applications.get
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.list
clientauthconfig.clients.update
cloudbuild.builds.get
cloudbuild.builds.list
cloudconfig.*
cloudfunctions.*
cloudmessaging.*
cloudnotifications.*
cloudtestservice.*
cloudtoolresults.*
datastore.*
errorreporting.groups.*
eventarc.*
fcmdata.*
firebase.*
firebaseabt.*
firebaseanalytics.*
firebaseappcheck.*
firebaseappdistro.*
firebaseauth.*
firebasecrash.*
firebasecrashlytics.*
firebasedatabase.*
firebasedynamiclinks.*
firebaseextensions.*
firebasehosting.*
firebaseinappmessaging.*
firebaseml.*
firebasenotifications.*
firebaseperformance.*
firebasepredictions.*
firebaserules.*
firebasestorage.*
logging.logEntries.list
monitoring.timeSeries.list
orgpolicy.policy.get
recommender.locations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.*
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.*
storage.multipartUploads.*
storage.objects.*

Firebase Analytics Admin

roles/firebase.analyticsAdmin

Full access to Google Analytics for Firebase.

cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.*
firebaseextensions.configs.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

Firebase Analytics Viewer

roles/firebase.analyticsViewer

Read access to Google Analytics for Firebase.

cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseextensions.configs.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

Firebase Develop Admin

roles/firebase.developAdmin

Full access to Firebase Develop products and Analytics.

apikeys.keys.get
apikeys.keys.list
apikeys.keys.lookup
appengine.applications.get
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.get
clientauthconfig.clients.list
cloudbuild.builds.get
cloudbuild.builds.list
cloudfunctions.*
cloudnotifications.*
datastore.*
errorreporting.groups.*
eventarc.*
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.*
firebaseappcheck.*
firebaseauth.*
firebasedatabase.*
firebaseextensions.configs.list
firebasehosting.*
firebaseml.*
firebaserules.*
firebasestorage.*
logging.logEntries.list
monitoring.timeSeries.list
orgpolicy.policy.get
recommender.locations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.*
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.*
storage.multipartUploads.*
storage.objects.*

Firebase Develop Viewer

roles/firebase.developViewer

Read access to Firebase Develop products and Analytics.

automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudbuild.builds.get
cloudbuild.builds.list
cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.*
cloudfunctions.runtimes.*
cloudnotifications.*
datastore.databases.get
datastore.databases.getIamPolicy
datastore.databases.getMetadata
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.statistics.*
errorreporting.groups.*
eventarc.locations.*
eventarc.operations.get
eventarc.operations.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseappcheck.appAttestConfig.get
firebaseappcheck.debugTokens.get
firebaseappcheck.deviceCheckConfig.get
firebaseappcheck.recaptchaConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.safetyNetConfig.get
firebaseappcheck.services.get
firebaseauth.configs.get
firebaseauth.users.get
firebasedatabase.instances.get
firebasedatabase.instances.list
firebaseextensions.configs.list
firebasehosting.sites.get
firebasehosting.sites.list
firebaseml.compressionjobs.get
firebaseml.compressionjobs.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
firebasestorage.buckets.get
firebasestorage.buckets.list
logging.logEntries.list
monitoring.timeSeries.list
recommender.locations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.configurations.*
run.locations.*
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list

Firebase Grow Admin

roles/firebase.growthAdmin

Full access to Firebase Grow products and Analytics.

clientauthconfig.clients.get
clientauthconfig.clients.list
cloudconfig.*
cloudmessaging.*
cloudnotifications.*
fcmdata.*
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseabt.*
firebaseanalytics.*
firebasedynamiclinks.*
firebaseextensions.configs.list
firebaseinappmessaging.*
firebasenotifications.*
firebasepredictions.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Firebase Grow Viewer

roles/firebase.growthViewer

Read access to Firebase Grow products and Analytics.

cloudconfig.configs.get
cloudnotifications.*
fcmdata.*
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseabt.experimentresults.*
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.*
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.*
firebaseextensions.configs.list
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebasenotifications.messages.get
firebasenotifications.messages.list
firebasepredictions.predictions.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Firebase Quality Admin

roles/firebase.qualityAdmin

Full access to Firebase Quality products and Analytics.

cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.*
firebaseappdistro.*
firebasecrash.*
firebasecrashlytics.*
firebaseextensions.configs.list
firebaseperformance.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Firebase Quality Viewer

roles/firebase.qualityViewer

Read access to Firebase Quality products and Analytics.

cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebasecrash.reports.*
firebasecrashlytics.config.get
firebasecrashlytics.data.*
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.sessions.*
firebaseextensions.configs.list
firebaseperformance.data.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Firebase Viewer

roles/firebase.viewer

Read-only access to Firebase products.

automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudbuild.builds.get
cloudbuild.builds.list
cloudconfig.configs.get
cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.*
cloudfunctions.runtimes.*
cloudnotifications.*
cloudtestservice.environmentcatalog.*
cloudtestservice.matrices.get
cloudtoolresults.executions.get
cloudtoolresults.executions.list
cloudtoolresults.histories.get
cloudtoolresults.histories.list
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
datastore.databases.get
datastore.databases.getIamPolicy
datastore.databases.getMetadata
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.statistics.*
errorreporting.groups.*
eventarc.locations.*
eventarc.operations.get
eventarc.operations.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
fcmdata.*
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseabt.experimentresults.*
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.*
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseappcheck.appAttestConfig.get
firebaseappcheck.debugTokens.get
firebaseappcheck.deviceCheckConfig.get
firebaseappcheck.recaptchaConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.safetyNetConfig.get
firebaseappcheck.services.get
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebaseauth.configs.get
firebaseauth.users.get
firebasecrash.reports.*
firebasecrashlytics.config.get
firebasecrashlytics.data.*
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.sessions.*
firebasedatabase.instances.get
firebasedatabase.instances.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.*
firebaseextensions.configs.list
firebasehosting.sites.get
firebasehosting.sites.list
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebaseml.compressionjobs.get
firebaseml.compressionjobs.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebasenotifications.messages.get
firebasenotifications.messages.list
firebaseperformance.data.*
firebasepredictions.predictions.list
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
firebasestorage.buckets.get
firebasestorage.buckets.list
logging.logEntries.list
monitoring.timeSeries.list
recommender.locations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.configurations.*
run.locations.*
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list

Firebase Remote Config Admin

roles/cloudconfig.admin

Full access to Firebase Remote Config resources.

cloudconfig.*
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Remote Config Viewer

roles/cloudconfig.viewer

Read access to Firebase Remote Config resources.

cloudconfig.configs.get
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Test Lab Admin

roles/cloudtestservice.testAdmin

Full access to all Test Lab features

cloudtestservice.*
cloudtoolresults.*
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
storage.buckets.get
storage.buckets.update
storage.objects.create
storage.objects.get
storage.objects.list

Firebase Test Lab Viewer

roles/cloudtestservice.testViewer

Read access to Test Lab features

cloudtestservice.environmentcatalog.*
cloudtestservice.matrices.get
cloudtoolresults.executions.get
cloudtoolresults.executions.list
cloudtoolresults.histories.get
cloudtoolresults.histories.list
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list

Firebase A/B Testing Admin

roles/firebaseabt.admin

Full read/write access to Firebase A/B Testing resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseabt.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase A/B Testing Viewer

roles/firebaseabt.viewer

Read-only access to Firebase A/B Testing resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseabt.experimentresults.*
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase App Check Admin

roles/firebaseappcheck.admin

Full management of Firebase App Check.

firebaseappcheck.*

Firebase App Check Viewer

roles/firebaseappcheck.viewer

Read-only access for Firebase App Check.

firebaseappcheck.appAttestConfig.get
firebaseappcheck.debugTokens.get
firebaseappcheck.deviceCheckConfig.get
firebaseappcheck.recaptchaConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.safetyNetConfig.get
firebaseappcheck.services.get

Firebase App Distribution Admin

roles/firebaseappdistro.admin

Full read/write access to Firebase App Distribution resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseappdistro.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase App Distribution Viewer

roles/firebaseappdistro.viewer

Read-only access to Firebase App Distribution resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Authentication Admin

roles/firebaseauth.admin

Full read/write access to Firebase Authentication resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseauth.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Authentication Viewer

roles/firebaseauth.viewer

Read-only access to Firebase Authentication resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseauth.configs.get
firebaseauth.users.get
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Crashlytics Admin

roles/firebasecrashlytics.admin

Full read/write access to Firebase Crashlytics resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasecrashlytics.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Crashlytics Viewer

roles/firebasecrashlytics.viewer

Read-only access to Firebase Crashlytics resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasecrashlytics.config.get
firebasecrashlytics.data.*
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.sessions.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Realtime Database Admin

roles/firebasedatabase.admin

Full read/write access to Firebase Realtime Database resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasedatabase.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Realtime Database Viewer

roles/firebasedatabase.viewer

Read-only access to Firebase Realtime Database resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasedatabase.instances.get
firebasedatabase.instances.list
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Dynamic Links Admin

roles/firebasedynamiclinks.admin

Full read/write access to Firebase Dynamic Links resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasedynamiclinks.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Dynamic Links Viewer

roles/firebasedynamiclinks.viewer

Read-only access to Firebase Dynamic Links resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Hosting Admin

roles/firebasehosting.admin

Full read/write access to Firebase Hosting resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasehosting.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Hosting Viewer

roles/firebasehosting.viewer

Read-only access to Firebase Hosting resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasehosting.sites.get
firebasehosting.sites.list
resourcemanager.projects.get
resourcemanager.projects.list

Firebase In-App Messaging Admin

roles/firebaseinappmessaging.admin

Full read/write access to Firebase In-App Messaging resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseinappmessaging.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase In-App Messaging Viewer

roles/firebaseinappmessaging.viewer

Read-only access to Firebase In-App Messaging resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
resourcemanager.projects.get
resourcemanager.projects.list

Firebase ML Kit Admin

roles/firebaseml.admin

Full read/write access to Firebase ML Kit resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseml.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase ML Kit Viewer

roles/firebaseml.viewer

Read-only access to Firebase ML Kit resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseml.compressionjobs.get
firebaseml.compressionjobs.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Cloud Messaging Admin

roles/firebasenotifications.admin

Full read/write access to Firebase Cloud Messaging resources.

fcmdata.*
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasenotifications.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Cloud Messaging Viewer

roles/firebasenotifications.viewer

Read-only access to Firebase Cloud Messaging resources.

fcmdata.*
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasenotifications.messages.get
firebasenotifications.messages.list
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Performance Reporting Admin

roles/firebaseperformance.admin

Full access to firebaseperformance resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseperformance.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Performance Reporting Viewer

roles/firebaseperformance.viewer

Read-only access to firebaseperformance resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseperformance.data.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Predictions Admin

roles/firebasepredictions.admin

Full read/write access to Firebase Predictions resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasepredictions.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Predictions Viewer

roles/firebasepredictions.viewer

Read-only access to Firebase Predictions resources.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasepredictions.predictions.list
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Rules Admin

roles/firebaserules.admin

Full management of Firebase Rules.

firebaserules.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Rules Viewer

roles/firebaserules.viewer

Read-only access on all resources with the ability to test Rulesets.

firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Storage for Firebase Admin

roles/firebasestorage.admin

Full management of Cloud Storage for Firebase.

firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasestorage.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Storage for Firebase Viewer

roles/firebasestorage.viewer

Read-only access for Cloud Storage for Firebase.

firebasestorage.buckets.get
firebasestorage.buckets.list
resourcemanager.projects.get
resourcemanager.projects.list

Fleet Engine Consumer SDK User

roles/fleetengine.consumerSdkUser

Limited read access to Fleet Engine resources

fleetengine.trips.get
fleetengine.vehicles.get
fleetengine.vehicles.search
fleetengine.vehicles.searchFuzzed

Fleet Engine Delivery Consumer User

roles/fleetengine.deliveryConsumer

Limited read access to Fleet Engine Delivery resources

fleetengine.tasks.searchWithTrackingId

Fleet Engine Delivery Fleet Reader User

roles/fleetengine.deliveryFleetReader

Grants read access to all Fleet Engine Delivery resources

fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.list
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.tasks.searchWithTrackingId

Fleet Engine Delivery Super User

roles/fleetengine.deliverySuperUser

Full access to Fleet Engine DeliveryVehicles and Tasks resources.

fleetengine.deliveryvehicles.*
fleetengine.tasks.*
resourcemanager.projects.get
resourcemanager.projects.list

Fleet Engine Delivery Trusted Driver User

roles/fleetengine.deliveryTrustedDriver

Read and write access to Fleet Engine Delivery resources

fleetengine.deliveryvehicles.create
fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.update
fleetengine.deliveryvehicles.updateLocation
fleetengine.deliveryvehicles.updateVehicleStops
fleetengine.tasks.create
fleetengine.tasks.update

Fleet Engine Delivery Untrusted Driver User

roles/fleetengine.deliveryUntrustedDriver

Limited write access to Fleet Engine Delivery Vehicle resources

fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.updateLocation

Fleet Engine Driver SDK User

roles/fleetengine.driverSdkUser

Read and limited update access to Fleet Engine resources

fleetengine.trips.get
fleetengine.trips.search
fleetengine.trips.update
fleetengine.vehicles.get
fleetengine.vehicles.updateLocation

Fleet Engine Service Super User

roles/fleetengine.serviceSuperUser

Full access to all Fleet Engine resources.

fleetengine.*
resourcemanager.projects.get
resourcemanager.projects.list

Genomics Admin

roles/genomics.admin

Full access to genomics datasets and operations.

genomics.*

Genomics Editor

roles/genomics.editor

Access to read and edit genomics datasets and operations.

genomics.datasets.create
genomics.datasets.delete
genomics.datasets.get
genomics.datasets.list
genomics.datasets.update
genomics.operations.*

Genomics Pipelines Runner

roles/genomics.pipelinesRunner

Full access to operate on genomics pipelines.

genomics.operations.*

Genomics Viewer

roles/genomics.viewer

Access to view genomics datasets and operations.

genomics.datasets.get
genomics.datasets.list
genomics.operations.get
genomics.operations.list

GKE Hub Admin

roles/gkehub.admin

Full access to GKE Hub resources.

gkehub.features.*
gkehub.fleet.*
gkehub.locations.*
gkehub.memberships.*
gkehub.operations.*
resourcemanager.projects.get
resourcemanager.projects.list

GKE Connect Agent

roles/gkehub.connect

Ability to set up GKE Connect between external clusters and Google.

gkehub.endpoints.*

GKE Hub Editor

roles/gkehub.editor

Edit access to GKE Hub resources.

gkehub.features.create
gkehub.features.delete
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.update
gkehub.fleet.*
gkehub.locations.*
gkehub.memberships.create
gkehub.memberships.delete
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.memberships.update
gkehub.operations.*
resourcemanager.projects.get
resourcemanager.projects.list

Connect Gateway Admin

roles/gkehub.gatewayAdmin

Full access to Connect Gateway.

gkehub.gateway.*
serviceusage.services.get

Connect Gateway Reader

roles/gkehub.gatewayReader

Read-only access to Connect Gateway.

gkehub.gateway.get
serviceusage.services.get

GKE Hub Viewer

roles/gkehub.viewer

Read-only access to GKE Hubs and related resources.

gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.locations.*
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.operations.get
gkehub.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

GKE on-prem Admin

roles/gkeonprem.admin

Full access to GKE on-prem all resources.

gkeonprem.*
resourcemanager.projects.get
resourcemanager.projects.list

GKE on-prem Viewer

roles/gkeonprem.viewer

Read-only access to GKE on-prem all resources.

gkeonprem.locations.*
gkeonprem.operations.get
gkeonprem.operations.list
gkeonprem.vmwareClusters.get
gkeonprem.vmwareClusters.getIamPolicy
gkeonprem.vmwareClusters.list
gkeonprem.vmwareNodePools.get
gkeonprem.vmwareNodePools.getIamPolicy
gkeonprem.vmwareNodePools.list
resourcemanager.projects.get
resourcemanager.projects.list

Google Workspace Add-ons Developer

roles/gsuiteaddons.developer

Full access to Google Workspace Add-ons resources

gsuiteaddons.*
resourcemanager.projects.get
resourcemanager.projects.list

Google Workspace Add-ons Reader

roles/gsuiteaddons.reader

Read-only access to Google Workspace Add-ons resources

gsuiteaddons.authorizations.*
gsuiteaddons.deployments.get
gsuiteaddons.deployments.list
resourcemanager.projects.get
resourcemanager.projects.list

Google Workspace Add-ons Tester

roles/gsuiteaddons.tester

Testing execution access to Google Workspace Add-ons resources

gsuiteaddons.deployments.execute
gsuiteaddons.deployments.install
gsuiteaddons.deployments.installStatus
gsuiteaddons.deployments.uninstall
resourcemanager.projects.get
resourcemanager.projects.list

Chat Bots Owner

roles/chat.owner

Can view and modify bot configurations

chat.*

Chat Bots Viewer

roles/chat.reader

Can view bot configurations

chat.bots.get

Deny Admin

roles/iam.denyAdmin

Deny admin role, with permissions to read and modify deny policies

iam.denypolicies.*

Deny Reviewer

roles/iam.denyReviewer

Deny Reviewer role, with permissions to read deny policies

iam.denypolicies.get
iam.denypolicies.list

Security Admin

roles/iam.securityAdmin

Security admin role, with permissions to get and set any IAM policy.

accessapproval.requests.list
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessPolicies.setIamPolicy
accesscontextmanager.accessZones.list
accesscontextmanager.gcpUserAccessBindings.list
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.policies.setIamPolicy
accesscontextmanager.servicePerimeters.list
actions.agentVersions.list
advisorynotifications.notifications.list
aiplatform.annotationSpecs.list
aiplatform.annotations.list
aiplatform.artifacts.list
aiplatform.batchPredictionJobs.list
aiplatform.contexts.list
aiplatform.customJobs.list
aiplatform.dataItems.list
aiplatform.dataLabelingJobs.list
aiplatform.datasets.list
aiplatform.deploymentResourcePools.list
aiplatform.edgeDeploymentJobs.list
aiplatform.edgeDevices.list
aiplatform.endpoints.list
aiplatform.entityTypes.list
aiplatform.executions.list
aiplatform.features.list
aiplatform.featurestores.list
aiplatform.humanInTheLoops.list
aiplatform.hyperparameterTuningJobs.list
aiplatform.indexEndpoints.list
aiplatform.indexes.list
aiplatform.locations.list
aiplatform.metadataSchemas.list
aiplatform.metadataStores.list
aiplatform.modelDeploymentMonitoringJobs.list
aiplatform.modelEvaluationSlices.list
aiplatform.modelEvaluations.list
aiplatform.models.list
aiplatform.nasJobs.list
aiplatform.operations.*
aiplatform.pipelineJobs.list
aiplatform.specialistPools.list
aiplatform.studies.list
aiplatform.tensorboardExperiments.list
aiplatform.tensorboardRuns.list
aiplatform.tensorboardTimeSeries.list
aiplatform.tensorboards.list
aiplatform.trainingPipelines.list
aiplatform.trials.list
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.dataExchanges.setIamPolicy
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.setIamPolicy
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apiconfigs.setIamPolicy
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.apis.setIamPolicy
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.gateways.setIamPolicy
apigateway.locations.list
apigateway.operations.list
apigee.apiproductattributes.list
apigee.apiproducts.list
apigee.apps.list
apigee.archivedeployments.list
apigee.caches.list
apigee.datacollectors.list
apigee.datastores.list
apigee.deployments.list
apigee.developerappattributes.list
apigee.developerapps.list
apigee.developerattributes.list
apigee.developers.list
apigee.developersubscriptions.list
apigee.envgroupattachments.list
apigee.envgroups.list
apigee.environments.getIamPolicy
apigee.environments.list
apigee.environments.setIamPolicy
apigee.exports.list
apigee.flowhooks.list
apigee.hostqueries.list
apigee.hostsecurityreports.list
apigee.instanceattachments.list
apigee.instances.list
apigee.keystorealiases.list
apigee.keystores.list
apigee.keyvaluemapentries.*
apigee.keyvaluemaps.list
apigee.operations.list
apigee.organizations.list
apigee.portals.list
apigee.proxies.list
apigee.proxyrevisions.list
apigee.queries.list
apigee.rateplans.list
apigee.references.list
apigee.reports.list
apigee.resourcefiles.list
apigee.securityreports.list
apigee.sharedflowrevisions.list
apigee.sharedflows.list
apigee.targetservers.list
apigee.tracesessions.list
apigeeconnect.connections.*
apigeeregistry.apis.getIamPolicy
apigeeregistry.apis.list
apigeeregistry.apis.setIamPolicy
apigeeregistry.artifacts.getIamPolicy
apigeeregistry.artifacts.list
apigeeregistry.artifacts.setIamPolicy
apigeeregistry.deployments.list
apigeeregistry.locations.list
apigeeregistry.operations.list
apigeeregistry.specs.getIamPolicy
apigeeregistry.specs.list
apigeeregistry.specs.setIamPolicy
apigeeregistry.versions.getIamPolicy
apigeeregistry.versions.list
apigeeregistry.versions.setIamPolicy
apikeys.keys.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
artifactregistry.dockerimages.list
artifactregistry.files.list
artifactregistry.packages.list
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.list
artifactregistry.repositories.setIamPolicy
artifactregistry.tags.list
artifactregistry.versions.list
assuredworkloads.operations.list
assuredworkloads.violations.list
assuredworkloads.workload.list
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.datasets.setIamPolicy
automl.examples.list
automl.humanAnnotationTasks.list
automl.locations.getIamPolicy
automl.locations.list
automl.locations.setIamPolicy
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.models.setIamPolicy
automl.operations.list
automl.tableSpecs.list
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.list
automlrecommendations.events.list
automlrecommendations.placements.list
automlrecommendations.recommendations.list
autoscaling.sites.getIamPolicy
autoscaling.sites.setIamPolicy
baremetalsolution.instances.list
baremetalsolution.luns.list
baremetalsolution.networks.list
baremetalsolution.nfsshares.list
baremetalsolution.snapshotschedulepolicies.list
baremetalsolution.volumes.list
baremetalsolution.volumesnapshots.list
bigquery.capacityCommitments.list
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.setIamPolicy
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy
bigquery.datasets.getIamPolicy
bigquery.datasets.setIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.reservationAssignments.list
bigquery.reservations.list
bigquery.routines.list
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.setIamPolicy
bigquery.savedqueries.list
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.setIamPolicy
bigquerymigration.locations.list
bigquerymigration.subtasks.list
bigquerymigration.workflows.list
bigtable.appProfiles.list
bigtable.backups.getIamPolicy
bigtable.backups.list
bigtable.backups.setIamPolicy
bigtable.clusters.list
bigtable.instances.getIamPolicy
bigtable.instances.list
bigtable.instances.setIamPolicy
bigtable.keyvisualizer.list
bigtable.locations.*
bigtable.tables.getIamPolicy
bigtable.tables.list
bigtable.tables.setIamPolicy
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.setIamPolicy
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.list
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.attestors.setIamPolicy
binaryauthorization.continuousValidationConfig.getIamPolicy
binaryauthorization.continuousValidationConfig.setIamPolicy
binaryauthorization.platformPolicies.list
binaryauthorization.policy.getIamPolicy
binaryauthorization.policy.setIamPolicy
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmapentries.setIamPolicy
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certmaps.setIamPolicy
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.certs.setIamPolicy
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.dnsauthorizations.setIamPolicy
certificatemanager.locations.list
certificatemanager.operations.list
clientauthconfig.brands.list
clientauthconfig.clients.list
cloudasset.assets.searchAllResources
cloudasset.feeds.list
cloudasset.savedqueries.list
cloudbuild.builds.list
cloudbuild.integrations.list
cloudbuild.workerpools.list
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.setIamPolicy
clouddeploy.locations.list
clouddeploy.operations.list
clouddeploy.releases.list
clouddeploy.rollouts.list
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
clouddeploy.targets.setIamPolicy
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.functions.setIamPolicy
cloudfunctions.locations.list
cloudfunctions.operations.list
cloudfunctions.runtimes.*
cloudiot.devices.list
cloudiot.registries.getIamPolicy
cloudiot.registries.list
cloudiot.registries.setIamPolicy
cloudjobdiscovery.companies.list
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.cryptoKeys.setIamPolicy
cloudkms.ekmConnections.getIamPolicy
cloudkms.ekmConnections.list
cloudkms.ekmConnections.setIamPolicy
cloudkms.importJobs.getIamPolicy
cloudkms.importJobs.list
cloudkms.importJobs.setIamPolicy
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudkms.keyRings.setIamPolicy
cloudkms.locations.list
cloudnotifications.*
cloudonefs.isiloncloud.com/clusters.list
cloudonefs.isiloncloud.com/fileshares.list
cloudprivatecatalogproducer.associations.list
cloudprivatecatalogproducer.catalogAssociations.list
cloudprivatecatalogproducer.catalogs.getIamPolicy
cloudprivatecatalogproducer.catalogs.list
cloudprivatecatalogproducer.catalogs.setIamPolicy
cloudprivatecatalogproducer.producerCatalogs.getIamPolicy
cloudprivatecatalogproducer.producerCatalogs.list
cloudprivatecatalogproducer.producerCatalogs.setIamPolicy
cloudprivatecatalogproducer.products.getIamPolicy
cloudprivatecatalogproducer.products.list
cloudprivatecatalogproducer.products.setIamPolicy
cloudprofiler.profiles.list
cloudscheduler.jobs.list
cloudscheduler.locations.list
cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.list
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.list
cloudsql.sslCerts.list
cloudsql.users.list
cloudsupport.accounts.getIamPolicy
cloudsupport.accounts.list
cloudsupport.accounts.setIamPolicy
cloudsupport.techCases.list
cloudtasks.locations.list
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.queues.setIamPolicy
cloudtasks.tasks.list
cloudtoolresults.executions.list
cloudtoolresults.histories.list
cloudtoolresults.steps.list
cloudtrace.insights.list
cloudtrace.tasks.list
cloudtrace.traces.list
cloudtranslate.glossaries.list
cloudtranslate.locations.list
cloudtranslate.operations.list
cloudvolumesgcp-api.netapp.com/activeDirectories.list
cloudvolumesgcp-api.netapp.com/ipRanges.*
cloudvolumesgcp-api.netapp.com/jobs.list
cloudvolumesgcp-api.netapp.com/regions.*
cloudvolumesgcp-api.netapp.com/serviceLevels.*
cloudvolumesgcp-api.netapp.com/snapshots.list
cloudvolumesgcp-api.netapp.com/volumes.list
commerceprice.privateoffers.list
composer.dags.list
composer.environments.list
composer.imageversions.*
composer.operations.list
compute.acceleratorTypes.list
compute.addresses.list
compute.autoscalers.list
compute.backendBuckets.list
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.backendServices.setIamPolicy
compute.commitments.list
compute.diskTypes.list
compute.disks.getIamPolicy
compute.disks.list
compute.disks.setIamPolicy
compute.externalVpnGateways.list
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.setIamPolicy
compute.firewalls.list
compute.forwardingRules.list
compute.globalAddresses.list
compute.globalForwardingRules.list
compute.globalNetworkEndpointGroups.list
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.images.getIamPolicy
compute.images.list
compute.images.setIamPolicy
compute.instanceGroupManagers.list
compute.instanceGroups.list
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.setIamPolicy
compute.instances.getIamPolicy
compute.instances.list
compute.instances.setIamPolicy
compute.interconnectAttachments.list
compute.interconnectLocations.list
compute.interconnects.list
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenseCodes.setIamPolicy
compute.licenses.getIamPolicy
compute.licenses.list
compute.licenses.setIamPolicy
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.setIamPolicy
compute.machineTypes.list
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.maintenancePolicies.setIamPolicy
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networkEndpointGroups.setIamPolicy
compute.networks.list
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeGroups.setIamPolicy
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTemplates.setIamPolicy
compute.nodeTypes.list
compute.packetMirrorings.list
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionBackendServices.setIamPolicy
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.setIamPolicy
compute.regionHealthCheckServices.list
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.list
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionOperations.setIamPolicy
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.list
compute.regions.list
compute.reservations.list
compute.resourcePolicies.list
compute.routers.list
compute.routes.list
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.securityPolicies.setIamPolicy
compute.serviceAttachments.list
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.setIamPolicy
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.setIamPolicy
compute.targetGrpcProxies.list
compute.targetHttpProxies.list
compute.targetHttpsProxies.list
compute.targetInstances.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zoneOperations.setIamPolicy
compute.zones.list
connectors.connections.getIamPolicy
connectors.connections.list
connectors.connections.setIamPolicy
connectors.connectors.list
connectors.locations.list
connectors.operations.list
connectors.providers.list
connectors.versions.list
consumerprocurement.accounts.list
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.list
consumerprocurement.orderAttributions.list
consumerprocurement.orders.list
contactcenterinsights.analyses.list
contactcenterinsights.conversations.list
contactcenterinsights.issueModels.list
contactcenterinsights.issues.list
contactcenterinsights.operations.list
contactcenterinsights.phraseMatchers.list
container.apiServices.list
container.auditSinks.list
container.backendConfigs.list
container.bindings.list
container.certificateSigningRequests.list
container.clusterRoleBindings.list
container.clusterRoles.list
container.clusters.list
container.componentStatuses.list
container.configMaps.list
container.controllerRevisions.list
container.cronJobs.list
container.csiDrivers.list
container.csiNodeInfos.list
container.csiNodes.list
container.customResourceDefinitions.list
container.daemonSets.list
container.deployments.list
container.endpointSlices.list
container.endpoints.list
container.events.list
container.frontendConfigs.list
container.horizontalPodAutoscalers.list
container.ingresses.list
container.initializerConfigurations.list
container.jobs.list
container.leases.list
container.limitRanges.list
container.localSubjectAccessReviews.list
container.managedCertificates.list
container.mutatingWebhookConfigurations.list
container.namespaces.list
container.networkPolicies.list
container.nodes.list
container.operations.list
container.persistentVolumeClaims.list
container.persistentVolumes.list
container.petSets.list
container.podDisruptionBudgets.list
container.podPresets.list
container.podSecurityPolicies.list
container.podTemplates.list
container.pods.list
container.priorityClasses.list
container.replicaSets.list
container.replicationControllers.list
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.runtimeClasses.list
container.scheduledJobs.list
container.selfSubjectAccessReviews.list
container.serviceAccounts.list
container.services.list
container.statefulSets.list
container.storageClasses.list
container.storageStates.list
container.storageVersionMigrations.list
container.subjectAccessReviews.list
container.thirdPartyObjects.list
container.thirdPartyResources.list
container.updateInfos.list
container.validatingWebhookConfigurations.list
container.volumeAttachments.list
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.list
container.volumeSnapshots.list
containeranalysis.notes.getIamPolicy
containeranalysis.notes.list
containeranalysis.notes.setIamPolicy
containeranalysis.occurrences.getIamPolicy
containeranalysis.occurrences.list
containeranalysis.occurrences.setIamPolicy
contentwarehouse.documentSchemas.list
contentwarehouse.documents.getIamPolicy
contentwarehouse.documents.setIamPolicy
contentwarehouse.ruleSets.list
contentwarehouse.synonymSets.list
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.entries.getIamPolicy
datacatalog.entries.list
datacatalog.entries.setIamPolicy
datacatalog.entryGroups.getIamPolicy
datacatalog.entryGroups.list
datacatalog.entryGroups.setIamPolicy
datacatalog.tagTemplates.getIamPolicy
datacatalog.tagTemplates.setIamPolicy
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
datacatalog.taxonomies.setIamPolicy
dataconnectors.connectors.getIamPolicy
dataconnectors.connectors.list
dataconnectors.connectors.setIamPolicy
dataconnectors.locations.list
dataconnectors.operations.list
dataflow.jobs.list
dataflow.messages.*
dataflow.snapshots.list
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.setIamPolicy
datafusion.locations.list
datafusion.operations.list
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.list
datalabeling.dataitems.list
datalabeling.datasets.list
datalabeling.examples.list
datalabeling.instructions.list
datalabeling.operations.list
datamigration.connectionprofiles.getIamPolicy
datamigration.connectionprofiles.list
datamigration.connectionprofiles.setIamPolicy
datamigration.locations.list
datamigration.migrationjobs.getIamPolicy
datamigration.migrationjobs.list
datamigration.migrationjobs.setIamPolicy
datamigration.operations.list
datapipelines.jobs.*
datapipelines.pipelines.list
dataplex.assetActions.*
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.setIamPolicy
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.entities.list
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.setIamPolicy
dataplex.lakeActions.*
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.setIamPolicy
dataplex.locations.list
dataplex.operations.list
dataplex.partitions.list
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.setIamPolicy
dataplex.zoneActions.*
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.setIamPolicy
dataproc.agents.list
dataproc.autoscalingPolicies.getIamPolicy
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.setIamPolicy
dataproc.batches.list
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.clusters.setIamPolicy
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.jobs.setIamPolicy
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.operations.setIamPolicy
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.list
dataproc.workflowTemplates.setIamPolicy
dataprocessing.datasources.list
dataprocessing.featurecontrols.list
dataprocessing.groupcontrols.list
datastore.databases.getIamPolicy
datastore.databases.list
datastore.databases.setIamPolicy
datastore.entities.list
datastore.indexes.list
datastore.keyVisualizerScans.list
datastore.locations.list
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.namespaces.setIamPolicy
datastore.operations.list
datastore.statistics.list
datastream.connectionProfiles.getIamPolicy
datastream.connectionProfiles.list
datastream.connectionProfiles.setIamPolicy
datastream.locations.list
datastream.objects.list
datastream.operations.list
datastream.privateConnections.getIamPolicy
datastream.privateConnections.list
datastream.privateConnections.setIamPolicy
datastream.routes.getIamPolicy
datastream.routes.list
datastream.routes.setIamPolicy
datastream.streams.getIamPolicy
datastream.streams.list
datastream.streams.setIamPolicy
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.getIamPolicy
deploymentmanager.deployments.list
deploymentmanager.deployments.setIamPolicy
deploymentmanager.manifests.list
deploymentmanager.operations.list
deploymentmanager.resources.list
deploymentmanager.typeProviders.list
deploymentmanager.types.list
dialogflow.agents.list
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.list
dialogflow.contexts.list
dialogflow.conversationDatasets.list
dialogflow.conversationModels.list
dialogflow.conversationProfiles.list
dialogflow.conversations.list
dialogflow.documents.list
dialogflow.entityTypes.list
dialogflow.environments.list
dialogflow.flows.list
dialogflow.integrations.list
dialogflow.intents.list
dialogflow.knowledgeBases.list
dialogflow.messages.*
dialogflow.modelEvaluations.list
dialogflow.pages.list
dialogflow.participants.list
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.list
dialogflow.smartMessagingEntries.list
dialogflow.transitionRouteGroups.list
dialogflow.versions.list
dialogflow.webhooks.list
dlp.analyzeRiskTemplates.list
dlp.columnDataProfiles.list
dlp.deidentifyTemplates.list
dlp.estimates.list
dlp.inspectFindings.*
dlp.inspectTemplates.list
dlp.jobTriggers.list
dlp.jobs.list
dlp.locations.list
dlp.projectDataProfiles.list
dlp.storedInfoTypes.list
dlp.tableDataProfiles.list
dns.changes.list
dns.dnsKeys.list
dns.managedZoneOperations.list
dns.managedZones.list
dns.policies.getIamPolicy
dns.policies.list
dns.policies.setIamPolicy
dns.resourceRecordSets.list
dns.responsePolicies.list
dns.responsePolicyRules.list
documentai.evaluations.list
documentai.labelerPools.list
documentai.locations.list
documentai.processorTypes.list
documentai.processorVersions.list
documentai.processors.list
domains.locations.list
domains.operations.list
domains.registrations.getIamPolicy
domains.registrations.list
domains.registrations.setIamPolicy
earlyaccesscenter.campaigns.list
earlyaccesscenter.customerAllowlists.list
earthengine.assets.getIamPolicy
earthengine.assets.list
earthengine.assets.setIamPolicy
earthengine.operations.list
edgecontainer.clusters.getIamPolicy
edgecontainer.clusters.list
edgecontainer.clusters.setIamPolicy
edgecontainer.locations.list
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.machines.setIamPolicy
edgecontainer.nodePools.getIamPolicy
edgecontainer.nodePools.list
edgecontainer.nodePools.setIamPolicy
edgecontainer.operations.list
edgecontainer.vpnConnections.getIamPolicy
edgecontainer.vpnConnections.list
edgecontainer.vpnConnections.setIamPolicy
errorreporting.applications.*
errorreporting.errorEvents.list
errorreporting.groups.*
essentialcontacts.contacts.list
eventarc.locations.list
eventarc.operations.list
eventarc.providers.list
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.setIamPolicy
fcmdata.*
file.backups.list
file.instances.list
file.locations.list
file.operations.list
firebase.clients.list
firebase.links.list
firebase.playLinks.list
firebaseabt.experiments.list
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebasecrashlytics.issues.list
firebasedatabase.instances.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.list
firebaseextensions.configs.list
firebasehosting.sites.list
firebaseinappmessaging.campaigns.list
firebaseml.compressionjobs.list
firebaseml.models.list
firebaseml.modelversions.list
firebasenotifications.messages.list
firebasepredictions.predictions.list
firebaserules.releases.list
firebaserules.rulesets.list
firebasestorage.buckets.list
fleetengine.deliveryvehicles.list
fleetengine.tasks.list
fleetengine.vehicles.list
gameservices.gameServerClusters.list
gameservices.gameServerConfigs.list
gameservices.gameServerDeployments.list
gameservices.locations.list
gameservices.operations.list
gameservices.realms.list
gcp.redisenterprise.com/databases.list
gcp.redisenterprise.com/subscriptions.list
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.datasets.setIamPolicy
genomics.operations.list
gkebackup.backupPlans.getIamPolicy
gkebackup.backupPlans.list
gkebackup.backupPlans.setIamPolicy
gkebackup.backups.list
gkebackup.locations.list
gkebackup.operations.list
gkebackup.restorePlans.getIamPolicy
gkebackup.restorePlans.list
gkebackup.restorePlans.setIamPolicy
gkebackup.restores.list
gkebackup.volumeBackups.list
gkebackup.volumeRestores.list
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.setIamPolicy
gkehub.gateway.getIamPolicy
gkehub.gateway.setIamPolicy
gkehub.locations.list
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.memberships.setIamPolicy
gkehub.operations.list
gkemulticloud.awsClusters.list
gkemulticloud.awsNodePools.list
gkemulticloud.azureClients.list
gkemulticloud.azureClusters.list
gkemulticloud.azureNodePools.list
gkemulticloud.operations.list
gkeonprem.locations.list
gkeonprem.operations.list
gkeonprem.vmwareClusters.getIamPolicy
gkeonprem.vmwareClusters.list
gkeonprem.vmwareClusters.setIamPolicy
gkeonprem.vmwareNodePools.getIamPolicy
gkeonprem.vmwareNodePools.list
gkeonprem.vmwareNodePools.setIamPolicy
gsuiteaddons.deployments.list
healthcare.annotationStores.getIamPolicy
healthcare.annotationStores.list
healthcare.annotationStores.setIamPolicy
healthcare.annotations.list
healthcare.attributeDefinitions.list
healthcare.consentArtifacts.list
healthcare.consentStores.getIamPolicy
healthcare.consentStores.list
healthcare.consentStores.setIamPolicy
healthcare.consents.list
healthcare.datasets.getIamPolicy
healthcare.datasets.list
healthcare.datasets.setIamPolicy
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.dicomStores.setIamPolicy
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.list
healthcare.fhirStores.setIamPolicy
healthcare.hl7V2Messages.list
healthcare.hl7V2Stores.getIamPolicy
healthcare.hl7V2Stores.list
healthcare.hl7V2Stores.setIamPolicy
healthcare.locations.list
healthcare.operations.list
healthcare.userDataMappings.list
iam.denypolicies.list
iam.googleapis.com/workloadIdentityPoolProviders.list
iam.googleapis.com/workloadIdentityPools.list
iam.roles.get
iam.roles.list
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.setIamPolicy
iap.tunnel.*
iap.tunnelInstances.getIamPolicy
iap.tunnelInstances.setIamPolicy
iap.tunnelZones.*
iap.web.getIamPolicy
iap.web.setIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServiceVersions.setIamPolicy
iap.webServices.getIamPolicy
iap.webServices.setIamPolicy
iap.webTypes.getIamPolicy
iap.webTypes.setIamPolicy
ids.endpoints.getIamPolicy
ids.endpoints.list
ids.endpoints.setIamPolicy
ids.locations.list
ids.operations.list
integrations.apigeeAuthConfigs.list
integrations.apigeeCertificates.list
integrations.apigeeExecutions.*
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrations.list
integrations.apigeeSfdcChannels.list
integrations.apigeeSfdcInstances.list
integrations.apigeeSuspensions.list
integrations.securityAuthConfigs.list
integrations.securityExecutions.list
integrations.securityIntegTempVers.list
integrations.securityIntegrationVers.list
integrations.securityIntegrations.list
krmapihosting.krmApiHosts.getIamPolicy
krmapihosting.krmApiHosts.list
krmapihosting.krmApiHosts.setIamPolicy
krmapihosting.locations.list
krmapihosting.operations.list
lifesciences.operations.list
livestream.channels.list
livestream.events.list
livestream.inputs.list
livestream.locations.list
livestream.operations.list
logging.buckets.list
logging.exclusions.list
logging.locations.list
logging.logEntries.list
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.notificationRules.list
logging.operations.list
logging.privateLogEntries.*
logging.queries.list
logging.sinks.list
logging.views.list
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.backups.setIamPolicy
managedidentities.domains.getIamPolicy
managedidentities.domains.list
managedidentities.domains.setIamPolicy
managedidentities.locations.list
managedidentities.operations.list
managedidentities.peerings.getIamPolicy
managedidentities.peerings.list
managedidentities.peerings.setIamPolicy
managedidentities.sqlintegrations.list
memcache.instances.list
memcache.locations.list
memcache.operations.list
metastore.backups.list
metastore.databases.getIamPolicy
metastore.databases.list
metastore.databases.setIamPolicy
metastore.imports.list
metastore.locations.list
metastore.operations.list
metastore.services.getIamPolicy
metastore.services.list
metastore.services.setIamPolicy
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.setIamPolicy
ml.jobs.getIamPolicy
ml.jobs.list
ml.jobs.setIamPolicy
ml.locations.list
ml.models.getIamPolicy
ml.models.list
ml.models.setIamPolicy
ml.operations.list
ml.studies.getIamPolicy
ml.studies.list
ml.studies.setIamPolicy
ml.trials.list
ml.versions.list
monitoring.alertPolicies.list
monitoring.dashboards.list
monitoring.groups.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.list
monitoring.publicWidgets.list
monitoring.services.list
monitoring.slos.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.list
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.hubs.setIamPolicy
networkconnectivity.locations.list
networkconnectivity.operations.list
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkconnectivity.spokes.setIamPolicy
networkmanagement.connectivitytests.getIamPolicy
networkmanagement.connectivitytests.list
networkmanagement.connectivitytests.setIamPolicy
networkmanagement.locations.list
networkmanagement.operations.list
networksecurity.authorizationPolicies.getIamPolicy
networksecurity.authorizationPolicies.list
networksecurity.authorizationPolicies.setIamPolicy
networksecurity.clientTlsPolicies.getIamPolicy
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.setIamPolicy
networksecurity.locations.list
networksecurity.operations.list
networksecurity.serverTlsPolicies.getIamPolicy
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.setIamPolicy
networkservices.endpointConfigSelectors.getIamPolicy
networkservices.endpointConfigSelectors.list
networkservices.endpointConfigSelectors.setIamPolicy
networkservices.endpointPolicies.getIamPolicy
networkservices.endpointPolicies.list
networkservices.endpointPolicies.setIamPolicy
networkservices.gateways.list
networkservices.grpcRoutes.getIamPolicy
networkservices.grpcRoutes.list
networkservices.grpcRoutes.setIamPolicy
networkservices.httpFilters.getIamPolicy
networkservices.httpFilters.list
networkservices.httpFilters.setIamPolicy
networkservices.httpRoutes.getIamPolicy
networkservices.httpRoutes.list
networkservices.httpRoutes.setIamPolicy
networkservices.httpfilters.getIamPolicy
networkservices.httpfilters.list
networkservices.httpfilters.setIamPolicy
networkservices.locations.list
networkservices.meshes.getIamPolicy
networkservices.meshes.list
networkservices.meshes.setIamPolicy
networkservices.operations.list
networkservices.serviceBindings.list
networkservices.tcpRoutes.getIamPolicy
networkservices.tcpRoutes.list
networkservices.tcpRoutes.setIamPolicy
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.environments.setIamPolicy
notebooks.executions.getIamPolicy
notebooks.executions.list
notebooks.executions.setIamPolicy
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.instances.setIamPolicy
notebooks.locations.list
notebooks.operations.list
notebooks.runtimes.getIamPolicy
notebooks.runtimes.list
notebooks.runtimes.setIamPolicy
notebooks.schedules.getIamPolicy
notebooks.schedules.list
notebooks.schedules.setIamPolicy
ondemandscanning.operations.list
opsconfigmonitoring.resourceMetadata.list
orgpolicy.constraints.*
orgpolicy.policies.list
osconfig.guestPolicies.list
osconfig.instanceOSPoliciesCompliances.list
osconfig.inventories.list
osconfig.osPolicyAssignmentReports.list
osconfig.osPolicyAssignments.list
osconfig.patchDeployments.list
osconfig.patchJobs.list
osconfig.vulnerabilityReports.list
paymentsresellersubscription.products.*
paymentsresellersubscription.promotions.*
policysimulator.*
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.caPools.setIamPolicy
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateAuthorities.setIamPolicy
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateRevocationLists.setIamPolicy
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificateTemplates.setIamPolicy
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.certificates.setIamPolicy
privateca.locations.list
privateca.operations.list
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
privateca.reusableConfigs.setIamPolicy
proximitybeacon.attachments.list
proximitybeacon.beacons.getIamPolicy
proximitybeacon.beacons.list
proximitybeacon.beacons.setIamPolicy
proximitybeacon.namespaces.getIamPolicy
proximitybeacon.namespaces.list
proximitybeacon.namespaces.setIamPolicy
pubsub.schemas.getIamPolicy
pubsub.schemas.list
pubsub.schemas.setIamPolicy
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.snapshots.setIamPolicy
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.subscriptions.setIamPolicy
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
pubsublite.operations.list
pubsublite.reservations.list
pubsublite.subscriptions.list
pubsublite.topics.list
recaptchaenterprise.keys.list
recaptchaenterprise.relatedaccountgroupmemberships.*
recaptchaenterprise.relatedaccountgroups.*
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.cloudAssetInsights.list
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.commitmentUtilizationInsights.list
recommender.computeAddressIdleResourceInsights.list
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeDiskIdleResourceInsights.list
recommender.computeDiskIdleResourceRecommendations.list
recommender.computeFirewallInsights.list
recommender.computeImageIdleResourceInsights.list
recommender.computeImageIdleResourceRecommendations.list
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceIdleResourceRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.list
recommender.dataflowDiagnosticsInsights.list
recommender.errorReportingInsights.list
recommender.errorReportingRecommendations.list
recommender.iamPolicyInsights.list
recommender.iamPolicyLateralMovementInsights.list
recommender.iamPolicyRecommendations.list
recommender.iamServiceAccountInsights.list
recommender.locations.list
recommender.loggingProductSuggestionContainerInsights.list
recommender.loggingProductSuggestionContainerRecommendations.list
recommender.monitoringProductSuggestionComputeInsights.list
recommender.monitoringProductSuggestionComputeRecommendations.list
recommender.resourcemanagerProjectUtilizationInsights.list
recommender.resourcemanagerProjectUtilizationRecommendations.list
recommender.usageCommitmentRecommendations.list
redis.instances.list
redis.locations.list
redis.operations.list
remotebuildexecution.instances.list
remotebuildexecution.workerpools.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.hierarchyNodes.listTagBindings
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
resourcemanager.tagHolds.list
resourcemanager.tagKeys.getIamPolicy
resourcemanager.tagKeys.list
resourcemanager.tagKeys.setIamPolicy
resourcemanager.tagValues.getIamPolicy
resourcemanager.tagValues.list
resourcemanager.tagValues.setIamPolicy
resourcesettings.settings.list
retail.catalogs.list
retail.controls.list
retail.models.list
retail.operations.list
retail.products.list
retail.servingConfigs.list
riskmanager.operations.list
riskmanager.policies.list
riskmanager.reports.list
run.configurations.list
run.locations.*
run.operations.list
run.revisions.list
run.routes.list
run.services.getIamPolicy
run.services.list
run.services.setIamPolicy
runtimeconfig.configs.getIamPolicy
runtimeconfig.configs.list
runtimeconfig.configs.setIamPolicy
runtimeconfig.operations.list
runtimeconfig.variables.getIamPolicy
runtimeconfig.variables.list
runtimeconfig.variables.setIamPolicy
runtimeconfig.waiters.getIamPolicy
runtimeconfig.waiters.list
runtimeconfig.waiters.setIamPolicy
secretmanager.locations.list
secretmanager.secrets.getIamPolicy
secretmanager.secrets.list
secretmanager.secrets.setIamPolicy
secretmanager.versions.list
securitycenter.assets.list
securitycenter.bigQueryExports.list
securitycenter.findings.list
securitycenter.muteconfigs.list
securitycenter.notificationconfig.list
securitycenter.sources.getIamPolicy
securitycenter.sources.list
securitycenter.sources.setIamPolicy
servicebroker.bindingoperations.list
servicebroker.bindings.getIamPolicy
servicebroker.bindings.list
servicebroker.bindings.setIamPolicy
servicebroker.catalogs.getIamPolicy
servicebroker.catalogs.list
servicebroker.catalogs.setIamPolicy
servicebroker.instanceoperations.list
servicebroker.instances.getIamPolicy
servicebroker.instances.list
servicebroker.instances.setIamPolicy
serviceconsumermanagement.tenancyu.list
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.endpoints.setIamPolicy
servicedirectory.locations.list
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.namespaces.setIamPolicy
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicedirectory.services.setIamPolicy
servicemanagement.services.getIamPolicy
servicemanagement.services.list
servicemanagement.services.setIamPolicy
servicenetworking.operations.list
serviceusage.operations.list
serviceusage.services.list
source.repos.getIamPolicy
source.repos.list
source.repos.setIamPolicy
spanner.backupOperations.list
spanner.backups.getIamPolicy
spanner.backups.list
spanner.backups.setIamPolicy
spanner.databaseOperations.list
spanner.databases.getIamPolicy
spanner.databases.list
spanner.databases.setIamPolicy
spanner.instanceConfigs.list
spanner.instanceOperations.list
spanner.instances.getIamPolicy
spanner.instances.list
spanner.instances.setIamPolicy
spanner.sessions.list
speech.customClasses.list
speech.phraseSets.list
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
storage.hmacKeys.list
storage.multipartUploads.list
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storagetransfer.agentpools.list
storagetransfer.jobs.list
storagetransfer.operations.list
tpu.acceleratortypes.list
tpu.locations.list
tpu.nodes.list
tpu.operations.list
tpu.tensorflowversions.list
transcoder.jobTemplates.list
transcoder.jobs.list
translationhub.portals.list
videostitcher.cdnKeys.list
videostitcher.liveAdTagDetails.list
videostitcher.slates.list
videostitcher.vodAdTagDetails.list
videostitcher.vodStitchDetails.list
visualinspection.annotationSets.list
visualinspection.annotationSpecs.list
visualinspection.annotations.list
visualinspection.datasets.list
visualinspection.images.list
visualinspection.locations.list
visualinspection.modelEvaluations.list
visualinspection.models.list
visualinspection.modules.list
visualinspection.operations.list
visualinspection.solutionArtifacts.list
visualinspection.solutions.list
vmmigration.cloneJobs.list
vmmigration.cutoverJobs.list
vmmigration.datacenterConnectors.list
vmmigration.deployments.list
vmmigration.groups.list
vmmigration.locations.list
vmmigration.migratingVms.list
vmmigration.operations.list
vmmigration.sources.list
vmmigration.targets.list
vmmigration.utilizationReports.list
vpcaccess.connectors.list
vpcaccess.locations.*
vpcaccess.operations.list
workflows.executions.list
workflows.locations.list
workflows.operations.list
workflows.workflows.list

Security Reviewer

roles/iam.securityReviewer

Provides permissions to list all resources and IAM policies on them.

accessapproval.requests.list
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessZones.list
accesscontextmanager.gcpUserAccessBindings.list
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.list
actions.agentVersions.list
advisorynotifications.notifications.list
aiplatform.annotationSpecs.list
aiplatform.annotations.list
aiplatform.artifacts.list
aiplatform.batchPredictionJobs.list
aiplatform.contexts.list
aiplatform.customJobs.list
aiplatform.dataItems.list
aiplatform.dataLabelingJobs.list
aiplatform.datasets.list
aiplatform.deploymentResourcePools.list
aiplatform.edgeDeploymentJobs.list
aiplatform.edgeDevices.list
aiplatform.endpoints.list
aiplatform.entityTypes.list
aiplatform.executions.list
aiplatform.features.list
aiplatform.featurestores.list
aiplatform.humanInTheLoops.list
aiplatform.hyperparameterTuningJobs.list
aiplatform.indexEndpoints.list
aiplatform.indexes.list
aiplatform.locations.list
aiplatform.metadataSchemas.list
aiplatform.metadataStores.list
aiplatform.modelDeploymentMonitoringJobs.list
aiplatform.modelEvaluationSlices.list
aiplatform.modelEvaluations.list
aiplatform.models.list
aiplatform.nasJobs.list
aiplatform.operations.*
aiplatform.pipelineJobs.list
aiplatform.specialistPools.list
aiplatform.studies.list
aiplatform.tensorboardExperiments.list
aiplatform.tensorboardRuns.list
aiplatform.tensorboardTimeSeries.list
aiplatform.tensorboards.list
aiplatform.trainingPipelines.list
aiplatform.trials.list
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.getIamPolicy
analyticshub.listings.list
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.locations.list
apigateway.operations.list
apigee.apiproductattributes.list
apigee.apiproducts.list
apigee.apps.list
apigee.archivedeployments.list
apigee.caches.list
apigee.datacollectors.list
apigee.datastores.list
apigee.deployments.list
apigee.developerappattributes.list
apigee.developerapps.list
apigee.developerattributes.list
apigee.developers.list
apigee.developersubscriptions.list
apigee.envgroupattachments.list
apigee.envgroups.list
apigee.environments.getIamPolicy
apigee.environments.list
apigee.exports.list
apigee.flowhooks.list
apigee.hostqueries.list
apigee.hostsecurityreports.list
apigee.instanceattachments.list
apigee.instances.list
apigee.keystorealiases.list
apigee.keystores.list
apigee.keyvaluemapentries.*
apigee.keyvaluemaps.list
apigee.operations.list
apigee.organizations.list
apigee.portals.list
apigee.proxies.list
apigee.proxyrevisions.list
apigee.queries.list
apigee.rateplans.list
apigee.references.list
apigee.reports.list
apigee.resourcefiles.list
apigee.securityreports.list
apigee.sharedflowrevisions.list
apigee.sharedflows.list
apigee.targetservers.list
apigee.tracesessions.list
apigeeconnect.connections.*
apigeeregistry.apis.getIamPolicy
apigeeregistry.apis.list
apigeeregistry.artifacts.getIamPolicy
apigeeregistry.artifacts.list
apigeeregistry.deployments.list
apigeeregistry.locations.list
apigeeregistry.operations.list
apigeeregistry.specs.getIamPolicy
apigeeregistry.specs.list
apigeeregistry.versions.getIamPolicy
apigeeregistry.versions.list
apikeys.keys.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
artifactregistry.dockerimages.list
artifactregistry.files.list
artifactregistry.packages.list
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.list
artifactregistry.tags.list
artifactregistry.versions.list
assuredworkloads.operations.list
assuredworkloads.violations.list
assuredworkloads.workload.list
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.examples.list
automl.humanAnnotationTasks.list
automl.locations.getIamPolicy
automl.locations.list
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.operations.list
automl.tableSpecs.list
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.list
automlrecommendations.events.list
automlrecommendations.placements.list
automlrecommendations.recommendations.list
autoscaling.sites.getIamPolicy
baremetalsolution.instances.list
baremetalsolution.luns.list
baremetalsolution.networks.list
baremetalsolution.nfsshares.list
baremetalsolution.snapshotschedulepolicies.list
baremetalsolution.volumes.list
baremetalsolution.volumesnapshots.list
bigquery.capacityCommitments.list
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.datasets.getIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.reservationAssignments.list
bigquery.reservations.list
bigquery.routines.list
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.savedqueries.list
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquerymigration.locations.list
bigquerymigration.subtasks.list
bigquerymigration.workflows.list
bigtable.appProfiles.list
bigtable.backups.getIamPolicy
bigtable.backups.list
bigtable.clusters.list
bigtable.instances.getIamPolicy
bigtable.instances.list
bigtable.keyvisualizer.list
bigtable.locations.*
bigtable.tables.getIamPolicy
bigtable.tables.list
billing.accounts.getIamPolicy
billing.accounts.list
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.list
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.continuousValidationConfig.getIamPolicy
binaryauthorization.platformPolicies.list
binaryauthorization.policy.getIamPolicy
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.locations.list
certificatemanager.operations.list
clientauthconfig.brands.list
clientauthconfig.clients.list
cloudasset.feeds.list
cloudasset.savedqueries.list
cloudbuild.builds.list
cloudbuild.integrations.list
cloudbuild.workerpools.list
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.locations.list
clouddeploy.operations.list
clouddeploy.releases.list
clouddeploy.rollouts.list
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.locations.list
cloudfunctions.operations.list
cloudfunctions.runtimes.*
cloudiot.devices.list
cloudiot.registries.getIamPolicy
cloudiot.registries.list
cloudjobdiscovery.companies.list
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.ekmConnections.getIamPolicy
cloudkms.ekmConnections.list
cloudkms.importJobs.getIamPolicy
cloudkms.importJobs.list
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudkms.locations.list
cloudnotifications.*
cloudonefs.isiloncloud.com/clusters.list
cloudonefs.isiloncloud.com/fileshares.list
cloudprivatecatalogproducer.associations.list
cloudprivatecatalogproducer.catalogAssociations.list
cloudprivatecatalogproducer.catalogs.getIamPolicy
cloudprivatecatalogproducer.catalogs.list
cloudprivatecatalogproducer.producerCatalogs.getIamPolicy
cloudprivatecatalogproducer.producerCatalogs.list
cloudprivatecatalogproducer.products.getIamPolicy
cloudprivatecatalogproducer.products.list
cloudprofiler.profiles.list
cloudscheduler.jobs.list
cloudscheduler.locations.list
cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.list
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.list
cloudsql.sslCerts.list
cloudsql.users.list
cloudsupport.accounts.getIamPolicy
cloudsupport.accounts.list
cloudsupport.techCases.list
cloudtasks.locations.list
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.tasks.list
cloudtoolresults.executions.list
cloudtoolresults.histories.list
cloudtoolresults.steps.list
cloudtrace.insights.list
cloudtrace.tasks.list
cloudtrace.traces.list
cloudtranslate.glossaries.list
cloudtranslate.locations.list
cloudtranslate.operations.list
cloudvolumesgcp-api.netapp.com/activeDirectories.list
cloudvolumesgcp-api.netapp.com/ipRanges.*
cloudvolumesgcp-api.netapp.com/jobs.list
cloudvolumesgcp-api.netapp.com/regions.*
cloudvolumesgcp-api.netapp.com/serviceLevels.*
cloudvolumesgcp-api.netapp.com/snapshots.list
cloudvolumesgcp-api.netapp.com/volumes.list
commerceprice.privateoffers.list
composer.dags.list
composer.environments.list
composer.imageversions.*
composer.operations.list
compute.acceleratorTypes.list
compute.addresses.list
compute.autoscalers.list
compute.backendBuckets.list
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.list
compute.diskTypes.list
compute.disks.getIamPolicy
compute.disks.list
compute.externalVpnGateways.list
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.list
compute.forwardingRules.list
compute.globalAddresses.list
compute.globalForwardingRules.list
compute.globalNetworkEndpointGroups.list
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.images.getIamPolicy
compute.images.list
compute.instanceGroupManagers.list
compute.instanceGroups.list
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.getIamPolicy
compute.instances.list
compute.interconnectAttachments.list
compute.interconnectLocations.list
compute.interconnects.list
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.list
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.list
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.list
compute.packetMirrorings.list
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.list
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.list
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.list
compute.regions.list
compute.reservations.list
compute.resourcePolicies.list
compute.routers.list
compute.routes.list
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.list
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.list
compute.targetHttpProxies.list
compute.targetHttpsProxies.list
compute.targetInstances.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.list
connectors.connections.getIamPolicy
connectors.connections.list
connectors.connectors.list
connectors.locations.list
connectors.operations.list
connectors.providers.list
connectors.versions.list
consumerprocurement.accounts.list
consumerprocurement.entitlements.list
consumerprocurement.freeTrials.list
consumerprocurement.orderAttributions.list
consumerprocurement.orders.list
contactcenterinsights.analyses.list
contactcenterinsights.conversations.list
contactcenterinsights.issueModels.list
contactcenterinsights.issues.list
contactcenterinsights.operations.list
contactcenterinsights.phraseMatchers.list
container.apiServices.list
container.auditSinks.list
container.backendConfigs.list
container.bindings.list
container.certificateSigningRequests.list
container.clusterRoleBindings.list
container.clusterRoles.list
container.clusters.list
container.componentStatuses.list
container.configMaps.list
container.controllerRevisions.list
container.cronJobs.list
container.csiDrivers.list
container.csiNodeInfos.list
container.csiNodes.list
container.customResourceDefinitions.list
container.daemonSets.list
container.deployments.list
container.endpointSlices.list
container.endpoints.list
container.events.list
container.frontendConfigs.list
container.horizontalPodAutoscalers.list
container.ingresses.list
container.initializerConfigurations.list
container.jobs.list
container.leases.list
container.limitRanges.list
container.localSubjectAccessReviews.list
container.managedCertificates.list
container.mutatingWebhookConfigurations.list
container.namespaces.list
container.networkPolicies.list
container.nodes.list
container.operations.list
container.persistentVolumeClaims.list
container.persistentVolumes.list
container.petSets.list
container.podDisruptionBudgets.list
container.podPresets.list
container.podSecurityPolicies.list
container.podTemplates.list
container.pods.list
container.priorityClasses.list
container.replicaSets.list
container.replicationControllers.list
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.runtimeClasses.list
container.scheduledJobs.list
container.selfSubjectAccessReviews.list
container.serviceAccounts.list
container.services.list
container.statefulSets.list
container.storageClasses.list
container.storageStates.list
container.storageVersionMigrations.list
container.subjectAccessReviews.list
container.thirdPartyObjects.list
container.thirdPartyResources.list
container.updateInfos.list
container.validatingWebhookConfigurations.list
container.volumeAttachments.list
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.list
container.volumeSnapshots.list
containeranalysis.notes.getIamPolicy
containeranalysis.notes.list
containeranalysis.occurrences.getIamPolicy
containeranalysis.occurrences.list
contentwarehouse.documentSchemas.list
contentwarehouse.documents.getIamPolicy
contentwarehouse.ruleSets.list
contentwarehouse.synonymSets.list
datacatalog.categories.getIamPolicy
datacatalog.entries.getIamPolicy
datacatalog.entries.list
datacatalog.entryGroups.getIamPolicy
datacatalog.entryGroups.list
datacatalog.tagTemplates.getIamPolicy
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
dataconnectors.connectors.getIamPolicy
dataconnectors.connectors.list
dataconnectors.locations.list
dataconnectors.operations.list
dataflow.jobs.list
dataflow.messages.*
dataflow.snapshots.list
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.locations.list
datafusion.operations.list
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.list
datalabeling.dataitems.list
datalabeling.datasets.list
datalabeling.examples.list
datalabeling.instructions.list
datalabeling.operations.list
datamigration.connectionprofiles.getIamPolicy
datamigration.connectionprofiles.list
datamigration.locations.list
datamigration.migrationjobs.getIamPolicy
datamigration.migrationjobs.list
datamigration.operations.list
datapipelines.jobs.*
datapipelines.pipelines.list
dataplex.assetActions.*
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.entities.list
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.lakeActions.*
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.locations.list
dataplex.operations.list
dataplex.partitions.list
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.zoneActions.*
dataplex.zones.getIamPolicy
dataplex.zones.list
dataproc.agents.list
dataproc.autoscalingPolicies.getIamPolicy
dataproc.autoscalingPolicies.list
dataproc.batches.list
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.list
dataprocessing.datasources.list
dataprocessing.featurecontrols.list
dataprocessing.groupcontrols.list
datastore.databases.getIamPolicy
datastore.databases.list
datastore.entities.list
datastore.indexes.list
datastore.keyVisualizerScans.list
datastore.locations.list
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.operations.list
datastore.statistics.list
datastream.connectionProfiles.getIamPolicy
datastream.connectionProfiles.list
datastream.locations.list
datastream.objects.list
datastream.operations.list
datastream.privateConnections.getIamPolicy
datastream.privateConnections.list
datastream.routes.getIamPolicy
datastream.routes.list
datastream.streams.getIamPolicy
datastream.streams.list
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.getIamPolicy
deploymentmanager.deployments.list
deploymentmanager.manifests.list
deploymentmanager.operations.list
deploymentmanager.resources.list
deploymentmanager.typeProviders.list
deploymentmanager.types.list
dialogflow.agents.list
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.list
dialogflow.contexts.list
dialogflow.conversationDatasets.list
dialogflow.conversationModels.list
dialogflow.conversationProfiles.list
dialogflow.conversations.list
dialogflow.documents.list
dialogflow.entityTypes.list
dialogflow.environments.list
dialogflow.flows.list
dialogflow.integrations.list
dialogflow.intents.list
dialogflow.knowledgeBases.list
dialogflow.messages.*
dialogflow.modelEvaluations.list
dialogflow.pages.list
dialogflow.participants.list
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.list
dialogflow.smartMessagingEntries.list
dialogflow.transitionRouteGroups.list
dialogflow.versions.list
dialogflow.webhooks.list
dlp.analyzeRiskTemplates.list
dlp.columnDataProfiles.list
dlp.deidentifyTemplates.list
dlp.estimates.list
dlp.inspectFindings.*
dlp.inspectTemplates.list
dlp.jobTriggers.list
dlp.jobs.list
dlp.locations.list
dlp.projectDataProfiles.list
dlp.storedInfoTypes.list
dlp.tableDataProfiles.list
dns.changes.list
dns.dnsKeys.list
dns.managedZoneOperations.list
dns.managedZones.list
dns.policies.getIamPolicy
dns.policies.list
dns.resourceRecordSets.list
dns.responsePolicies.list
dns.responsePolicyRules.list
documentai.evaluations.list
documentai.labelerPools.list
documentai.locations.list
documentai.processorTypes.list
documentai.processorVersions.list
documentai.processors.list
domains.locations.list
domains.operations.list
domains.registrations.getIamPolicy
domains.registrations.list
earlyaccesscenter.campaigns.list
earlyaccesscenter.customerAllowlists.list
earthengine.assets.getIamPolicy
earthengine.assets.list
earthengine.operations.list
edgecontainer.clusters.getIamPolicy
edgecontainer.clusters.list
edgecontainer.locations.list
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.nodePools.getIamPolicy
edgecontainer.nodePools.list
edgecontainer.operations.list
edgecontainer.vpnConnections.getIamPolicy
edgecontainer.vpnConnections.list
errorreporting.applications.*
errorreporting.errorEvents.list
errorreporting.groups.*
essentialcontacts.contacts.list
eventarc.locations.list
eventarc.operations.list
eventarc.providers.list
eventarc.triggers.getIamPolicy
eventarc.triggers.list
fcmdata.*
file.backups.list
file.instances.list
file.locations.list
file.operations.list
firebase.clients.list
firebase.links.list
firebase.playLinks.list
firebaseabt.experiments.list
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebasecrashlytics.issues.list
firebasedatabase.instances.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.list
firebaseextensions.configs.list
firebasehosting.sites.list
firebaseinappmessaging.campaigns.list
firebaseml.compressionjobs.list
firebaseml.models.list
firebaseml.modelversions.list
firebasenotifications.messages.list
firebasepredictions.predictions.list
firebaserules.releases.list
firebaserules.rulesets.list
firebasestorage.buckets.list
fleetengine.deliveryvehicles.list
fleetengine.tasks.list
fleetengine.vehicles.list
gameservices.gameServerClusters.list
gameservices.gameServerConfigs.list
gameservices.gameServerDeployments.list
gameservices.locations.list
gameservices.operations.list
gameservices.realms.list
gcp.redisenterprise.com/databases.list
gcp.redisenterprise.com/subscriptions.list
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.operations.list
gkebackup.backupPlans.getIamPolicy
gkebackup.backupPlans.list
gkebackup.backups.list
gkebackup.locations.list
gkebackup.operations.list
gkebackup.restorePlans.getIamPolicy
gkebackup.restorePlans.list
gkebackup.restores.list
gkebackup.volumeBackups.list
gkebackup.volumeRestores.list
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.gateway.getIamPolicy
gkehub.locations.list
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.operations.list
gkemulticloud.awsClusters.list
gkemulticloud.awsNodePools.list
gkemulticloud.azureClients.list
gkemulticloud.azureClusters.list
gkemulticloud.azureNodePools.list
gkemulticloud.operations.list
gkeonprem.locations.list
gkeonprem.operations.list
gkeonprem.vmwareClusters.getIamPolicy
gkeonprem.vmwareClusters.list
gkeonprem.vmwareNodePools.getIamPolicy
gkeonprem.vmwareNodePools.list
gsuiteaddons.deployments.list
healthcare.annotationStores.getIamPolicy
healthcare.annotationStores.list
healthcare.annotations.list
healthcare.attributeDefinitions.list
healthcare.consentArtifacts.list
healthcare.consentStores.getIamPolicy
healthcare.consentStores.list
healthcare.consents.list
healthcare.datasets.getIamPolicy
healthcare.datasets.list
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.list
healthcare.hl7V2Messages.list
healthcare.hl7V2Stores.getIamPolicy
healthcare.hl7V2Stores.list
healthcare.locations.list
healthcare.operations.list
healthcare.userDataMappings.list
iam.denypolicies.list
iam.googleapis.com/workloadIdentityPoolProviders.list
iam.googleapis.com/workloadIdentityPools.list
iam.roles.get
iam.roles.list
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iap.tunnel.getIamPolicy
iap.tunnelInstances.getIamPolicy
iap.tunnelZones.getIamPolicy
iap.web.getIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServices.getIamPolicy
iap.webTypes.getIamPolicy
ids.endpoints.getIamPolicy
ids.endpoints.list
ids.locations.list
ids.operations.list
integrations.apigeeAuthConfigs.list
integrations.apigeeCertificates.list
integrations.apigeeExecutions.*
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrations.list
integrations.apigeeSfdcChannels.list
integrations.apigeeSfdcInstances.list
integrations.apigeeSuspensions.list
integrations.securityAuthConfigs.list
integrations.securityExecutions.list
integrations.securityIntegTempVers.list
integrations.securityIntegrationVers.list
integrations.securityIntegrations.list
krmapihosting.krmApiHosts.getIamPolicy
krmapihosting.krmApiHosts.list
krmapihosting.locations.list
krmapihosting.operations.list
lifesciences.operations.list
livestream.channels.list
livestream.events.list
livestream.inputs.list
livestream.locations.list
livestream.operations.list
logging.buckets.list
logging.exclusions.list
logging.locations.list
logging.logEntries.list
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.notificationRules.list
logging.operations.list
logging.privateLogEntries.*
logging.queries.list
logging.sinks.list
logging.views.list
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.domains.getIamPolicy
managedidentities.domains.list
managedidentities.locations.list
managedidentities.operations.list
managedidentities.peerings.getIamPolicy
managedidentities.peerings.list
managedidentities.sqlintegrations.list
memcache.instances.list
memcache.locations.list
memcache.operations.list
metastore.backups.list
metastore.databases.getIamPolicy
metastore.databases.list
metastore.imports.list
metastore.locations.list
metastore.operations.list
metastore.services.getIamPolicy
metastore.services.list
metastore.tables.getIamPolicy
metastore.tables.list
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.list
ml.models.getIamPolicy
ml.models.list
ml.operations.list
ml.studies.getIamPolicy
ml.studies.list
ml.trials.list
ml.versions.list
monitoring.alertPolicies.list
monitoring.dashboards.list
monitoring.groups.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.list
monitoring.publicWidgets.list
monitoring.services.list
monitoring.slos.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.list
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.locations.list
networkconnectivity.operations.list
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkmanagement.connectivitytests.getIamPolicy
networkmanagement.connectivitytests.list
networkmanagement.locations.list
networkmanagement.operations.list
networksecurity.authorizationPolicies.getIamPolicy
networksecurity.authorizationPolicies.list
networksecurity.clientTlsPolicies.getIamPolicy
networksecurity.clientTlsPolicies.list
networksecurity.locations.list
networksecurity.operations.list
networksecurity.serverTlsPolicies.getIamPolicy
networksecurity.serverTlsPolicies.list
networkservices.endpointConfigSelectors.getIamPolicy
networkservices.endpointConfigSelectors.list
networkservices.endpointPolicies.getIamPolicy
networkservices.endpointPolicies.list
networkservices.gateways.list
networkservices.grpcRoutes.getIamPolicy
networkservices.grpcRoutes.list
networkservices.httpFilters.getIamPolicy
networkservices.httpFilters.list
networkservices.httpRoutes.getIamPolicy
networkservices.httpRoutes.list
networkservices.httpfilters.getIamPolicy
networkservices.httpfilters.list
networkservices.locations.list
networkservices.meshes.getIamPolicy
networkservices.meshes.list
networkservices.operations.list
networkservices.serviceBindings.list
networkservices.tcpRoutes.getIamPolicy
networkservices.tcpRoutes.list
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.executions.getIamPolicy
notebooks.executions.list
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.locations.list
notebooks.operations.list
notebooks.runtimes.getIamPolicy
notebooks.runtimes.list
notebooks.schedules.getIamPolicy
notebooks.schedules.list
ondemandscanning.operations.list
opsconfigmonitoring.resourceMetadata.list
orgpolicy.constraints.*
orgpolicy.policies.list
osconfig.guestPolicies.list
osconfig.instanceOSPoliciesCompliances.list
osconfig.inventories.list
osconfig.osPolicyAssignmentReports.list
osconfig.osPolicyAssignments.list
osconfig.patchDeployments.list
osconfig.patchJobs.list
osconfig.vulnerabilityReports.list
paymentsresellersubscription.products.*
paymentsresellersubscription.promotions.*
policysimulator.replayResults.*
policysimulator.replays.list
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.locations.list
privateca.operations.list
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
proximitybeacon.attachments.list
proximitybeacon.beacons.getIamPolicy
proximitybeacon.beacons.list
proximitybeacon.namespaces.getIamPolicy
proximitybeacon.namespaces.list
pubsub.schemas.getIamPolicy
pubsub.schemas.list
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsublite.operations.list
pubsublite.reservations.list
pubsublite.subscriptions.list
pubsublite.topics.list
recaptchaenterprise.keys.list
recaptchaenterprise.relatedaccountgroupmemberships.*
recaptchaenterprise.relatedaccountgroups.*
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.cloudAssetInsights.list
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.commitmentUtilizationInsights.list
recommender.computeAddressIdleResourceInsights.list
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeDiskIdleResourceInsights.list
recommender.computeDiskIdleResourceRecommendations.list
recommender.computeFirewallInsights.list
recommender.computeImageIdleResourceInsights.list
recommender.computeImageIdleResourceRecommendations.list
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceIdleResourceRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.list
recommender.dataflowDiagnosticsInsights.list
recommender.errorReportingInsights.list
recommender.errorReportingRecommendations.list
recommender.iamPolicyInsights.list
recommender.iamPolicyLateralMovementInsights.list
recommender.iamPolicyRecommendations.list
recommender.iamServiceAccountInsights.list
recommender.locations.list
recommender.loggingProductSuggestionContainerInsights.list
recommender.loggingProductSuggestionContainerRecommendations.list
recommender.monitoringProductSuggestionComputeInsights.list
recommender.monitoringProductSuggestionComputeRecommendations.list
recommender.resourcemanagerProjectUtilizationInsights.list
recommender.resourcemanagerProjectUtilizationRecommendations.list
recommender.usageCommitmentRecommendations.list
redis.instances.list
redis.locations.list
redis.operations.list
remotebuildexecution.instances.list
remotebuildexecution.workerpools.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.hierarchyNodes.listTagBindings
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.tagHolds.list
resourcemanager.tagKeys.getIamPolicy
resourcemanager.tagKeys.list
resourcemanager.tagValues.getIamPolicy
resourcemanager.tagValues.list
resourcesettings.settings.list
retail.catalogs.list
retail.controls.list
retail.models.list
retail.operations.list
retail.products.list
retail.servingConfigs.list
riskmanager.operations.list
riskmanager.policies.list
riskmanager.reports.list
run.configurations.list
run.locations.*
run.operations.list
run.revisions.list
run.routes.list
run.services.getIamPolicy
run.services.list
runtimeconfig.configs.getIamPolicy
runtimeconfig.configs.list
runtimeconfig.operations.list
runtimeconfig.variables.getIamPolicy
runtimeconfig.variables.list
runtimeconfig.waiters.getIamPolicy
runtimeconfig.waiters.list
secretmanager.locations.list
secretmanager.secrets.getIamPolicy
secretmanager.secrets.list
secretmanager.versions.list
securitycenter.assets.list
securitycenter.bigQueryExports.list
securitycenter.findings.list
securitycenter.muteconfigs.list
securitycenter.notificationconfig.list
securitycenter.sources.getIamPolicy
securitycenter.sources.list
servicebroker.bindingoperations.list
servicebroker.bindings.getIamPolicy
servicebroker.bindings.list
servicebroker.catalogs.getIamPolicy
servicebroker.catalogs.list
servicebroker.instanceoperations.list
servicebroker.instances.getIamPolicy
servicebroker.instances.list
serviceconsumermanagement.tenancyu.list
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.locations.list
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicemanagement.services.getIamPolicy
servicemanagement.services.list
servicenetworking.operations.list
serviceusage.operations.list
serviceusage.services.list
source.repos.getIamPolicy
source.repos.list
spanner.backupOperations.list
spanner.backups.getIamPolicy
spanner.backups.list
spanner.databaseOperations.list
spanner.databases.getIamPolicy
spanner.databases.list
spanner.instanceConfigs.list
spanner.instanceOperations.list
spanner.instances.getIamPolicy
spanner.instances.list
spanner.sessions.list
speech.customClasses.list
speech.phraseSets.list
storage.buckets.getIamPolicy
storage.buckets.list
storage.hmacKeys.list
storage.multipartUploads.list
storage.objects.getIamPolicy
storage.objects.list
storagetransfer.agentpools.list
storagetransfer.jobs.list
storagetransfer.operations.list
tpu.acceleratortypes.list
tpu.locations.list
tpu.nodes.list
tpu.operations.list
tpu.tensorflowversions.list
transcoder.jobTemplates.list
transcoder.jobs.list
translationhub.portals.list
videostitcher.cdnKeys.list
videostitcher.liveAdTagDetails.list
videostitcher.slates.list
videostitcher.vodAdTagDetails.list
videostitcher.vodStitchDetails.list
visualinspection.annotationSets.list
visualinspection.annotationSpecs.list
visualinspection.annotations.list
visualinspection.datasets.list
visualinspection.images.list
visualinspection.locations.list
visualinspection.modelEvaluations.list
visualinspection.models.list
visualinspection.modules.list
visualinspection.operations.list
visualinspection.solutionArtifacts.list
visualinspection.solutions.list
vmmigration.cloneJobs.list
vmmigration.cutoverJobs.list
vmmigration.datacenterConnectors.list
vmmigration.deployments.list
vmmigration.groups.list
vmmigration.locations.list
vmmigration.migratingVms.list
vmmigration.operations.list
vmmigration.sources.list
vmmigration.targets.list
vmmigration.utilizationReports.list
vpcaccess.connectors.list
vpcaccess.locations.*
vpcaccess.operations.list
workflows.executions.list
workflows.locations.list
workflows.operations.list
workflows.workflows.list

Config Controller Admin

roles/krmapihosting.admin

Full access to all Config Controller resources.

krmapihosting.*
resourcemanager.projects.get
resourcemanager.projects.list

Config Controller Viewer

roles/krmapihosting.viewer

Read-only access to all Config Controller resources.

krmapihosting.krmApiHosts.get
krmapihosting.krmApiHosts.getIamPolicy
krmapihosting.krmApiHosts.list
krmapihosting.locations.*
krmapihosting.operations.get
krmapihosting.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Kubernetes Engine Admin

roles/container.admin

Provides access to full management of clusters and their Kubernetes API objects. To set a service account on nodes, you must also have the Service Account User role (roles/iam.serviceAccountUser) on the user-managed service account that your nodes will use.

container.*
resourcemanager.projects.get
resourcemanager.projects.list

Kubernetes Engine Cluster Admin

roles/container.clusterAdmin

Provides access to management of clusters. To set a service account on nodes, you must also have the Service Account User role (roles/iam.serviceAccountUser) on the user-managed service account that your nodes will use.

container.clusters.create
container.clusters.delete
container.clusters.get
container.clusters.list
container.clusters.update
container.operations.*
resourcemanager.projects.get
resourcemanager.projects.list

Kubernetes Engine Cluster Viewer

roles/container.clusterViewer

Provides access to get and list GKE clusters.

container.clusters.get
container.clusters.list
resourcemanager.projects.get
resourcemanager.projects.list

Kubernetes Engine Developer

roles/container.developer

Provides access to Kubernetes API objects inside clusters.

container.apiServices.*
container.auditSinks.*
container.backendConfigs.*
container.bindings.*
container.certificateSigningRequests.create
container.certificateSigningRequests.delete
container.certificateSigningRequests.get
container.certificateSigningRequests.list
container.certificateSigningRequests.update
container.certificateSigningRequests.updateStatus
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.*
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.*
container.csiDrivers.*
container.csiNodeInfos.*
container.csiNodes.*
container.customResourceDefinitions.*
container.daemonSets.*
container.deployments.*
container.endpointSlices.*
container.endpoints.*
container.events.*
container.frontendConfigs.*
container.horizontalPodAutoscalers.*
container.ingresses.*
container.initializerConfigurations.*
container.jobs.*
container.leases.*
container.limitRanges.*
container.localSubjectAccessReviews.*
container.managedCertificates.*
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.persistentVolumeClaims.*
container.persistentVolumes.*
container.petSets.*
container.podDisruptionBudgets.*
container.podPresets.*
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.*
container.pods.*
container.priorityClasses.*
container.replicaSets.*
container.replicationControllers.*
container.resourceQuotas.*
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.*
container.scheduledJobs.*
container.secrets.*
container.selfSubjectAccessReviews.*
container.selfSubjectRulesReviews.*
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.storageStates.*
container.storageVersionMigrations.*
container.subjectAccessReviews.*
container.thirdPartyObjects.*
container.thirdPartyResources.*
container.tokenReviews.*
container.updateInfos.*
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeAttachments.*
container.volumeSnapshotClasses.*
container.volumeSnapshotContents.*
container.volumeSnapshots.*
resourcemanager.projects.get
resourcemanager.projects.list

Kubernetes Engine Host Service Agent User

roles/container.hostServiceAgentUser

Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also gives access to inspect the firewall rules in the host project.

compute.firewalls.get
container.hostServiceAgent.*
dns.networks.bindDNSResponsePolicy
dns.networks.bindPrivateDNSPolicy
dns.networks.bindPrivateDNSZone
dns.responsePolicies.*
dns.responsePolicyRules.*

Kubernetes Engine Viewer

roles/container.viewer

Provides read-only access to resources within GKE clusters, such as nodes, pods, and GKE API objects.

container.apiServices.get
container.apiServices.getStatus
container.apiServices.list
container.auditSinks.get
container.auditSinks.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.certificateSigningRequests.get
container.certificateSigningRequests.getStatus
container.certificateSigningRequests.list
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.get
container.configMaps.list
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.csiDrivers.get
container.csiDrivers.list
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodes.get
container.csiNodes.list
container.customResourceDefinitions.get
container.customResourceDefinitions.getStatus
container.customResourceDefinitions.list
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.deployments.get
container.deployments.getScale
container.deployments.getStatus
container.deployments.list
container.endpointSlices.get
container.endpointSlices.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.frontendConfigs.get
container.frontendConfigs.list
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.initializerConfigurations.get
container.initializerConfigurations.list
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.leases.get
container.leases.list
container.limitRanges.get
container.limitRanges.list
container.managedCertificates.get
container.managedCertificates.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.*
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.petSets.get
container.petSets.list
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podPresets.get
container.podPresets.list
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.get
container.podTemplates.list
container.pods.get
container.pods.getStatus
container.pods.list
container.priorityClasses.get
container.priorityClasses.list
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.get
container.runtimeClasses.list
container.scheduledJobs.get
container.scheduledJobs.list
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.statefulSets.getScale
container.statefulSets.getStatus
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyResources.get
container.thirdPartyResources.list
container.tokenReviews.*
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeAttachments.get
container.volumeAttachments.getStatus
container.volumeAttachments.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
resourcemanager.projects.get
resourcemanager.projects.list

Live Stream Editor

roles/livestream.editor

Full access to Live Stream resources.

livestream.*
resourcemanager.projects.get
resourcemanager.projects.list

Live Stream Viewer

roles/livestream.viewer

Read access to Live Stream resources.

livestream.channels.get
livestream.channels.list
livestream.events.get
livestream.events.list
livestream.inputs.get
livestream.inputs.list
livestream.locations.*
livestream.operations.get
livestream.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Logging Admin

roles/logging.admin

Provides all permissions necessary to use all features of Cloud Logging.

logging.buckets.copyLogEntries
logging.buckets.create
logging.buckets.delete
logging.buckets.get
logging.buckets.list
logging.buckets.undelete
logging.buckets.update
logging.cmekSettings.*
logging.exclusions.*
logging.fields.*
logging.locations.*
logging.logEntries.*
logging.logMetrics.*
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.*
logging.notificationRules.*
logging.operations.*
logging.privateLogEntries.*
logging.queries.*
logging.sinks.*
logging.usage.*
logging.views.*
resourcemanager.projects.get
resourcemanager.projects.list

Logs Bucket Writer

roles/logging.bucketWriter

Ability to write logs to a log bucket.

logging.buckets.write

Logs Configuration Writer

roles/logging.configWriter

Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs.

logging.buckets.create
logging.buckets.delete
logging.buckets.get
logging.buckets.list
logging.buckets.undelete
logging.buckets.update
logging.cmekSettings.*
logging.exclusions.*
logging.locations.*
logging.logMetrics.*
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.notificationRules.*
logging.operations.*
logging.sinks.*
logging.views.create
logging.views.delete
logging.views.get
logging.views.list
logging.views.update
resourcemanager.projects.get
resourcemanager.projects.list

Log Field Accessor

roles/logging.fieldAccessor

Ability to read restricted fields in a log bucket.

logging.fields.*

Logs Writer

roles/logging.logWriter

Provides the permissions to write log entries.

logging.logEntries.create

Private Logs Viewer

roles/logging.privateLogViewer

Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs.

logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.listShared
logging.queries.update
logging.sinks.get
logging.sinks.list
logging.usage.*
logging.views.access
logging.views.get
logging.views.list
resourcemanager.projects.get

Logs View Accessor

roles/logging.viewAccessor

Ability to read logs in a view.

logging.logEntries.download
logging.views.access
logging.views.listLogs
logging.views.listResourceKeys
logging.views.listResourceValues

Logs Viewer

roles/logging.viewer

Provides access to view logs.

logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.listShared
logging.queries.update
logging.sinks.get
logging.sinks.list
logging.usage.*
logging.views.get
logging.views.list
resourcemanager.projects.get

Cloud Memorystore Memcached Admin

roles/memcache.admin

Full access to Memcached instances and related resources.

compute.networks.list
memcache.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Memorystore Memcached Editor

roles/memcache.editor

Read-Write access to Memcached instances and related resources.

memcache.instances.applyParameters
memcache.instances.get
memcache.instances.list
memcache.instances.update
memcache.instances.updateParameters
memcache.locations.*
memcache.operations.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Memorystore Memcached Viewer

roles/memcache.viewer

Read-only access to Memcached instances and related resources.

memcache.instances.get
memcache.instances.list
memcache.locations.*
memcache.operations.get
memcache.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Memorystore Redis Admin

roles/redis.admin

Full control for all Memorystore for Redis resources.

compute.networks.list
redis.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use

Cloud Memorystore Redis Editor

roles/redis.editor

Manage Memorystore for Redis instances. Can't create or delete instances.

compute.networks.list
redis.instances.failover
redis.instances.get
redis.instances.list
redis.instances.update
redis.locations.*
redis.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use

Cloud Memorystore Redis Viewer

roles/redis.viewer

Read-only access to all Memorystore for Redis resources.

redis.instances.get
redis.instances.list
redis.locations.*
redis.operations.get
redis.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use

Mesh Config Admin

roles/meshconfig.admin

Full access to all mesh configuration resources

meshconfig.*

Mesh Config Viewer

roles/meshconfig.viewer

Read access to mesh configuration

meshconfig.projects.get

Monitoring Admin

roles/monitoring.admin

Provides the same access as the Monitoring Editor role (roles/monitoring.editor).

cloudnotifications.*
monitoring.*
opsconfigmonitoring.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
stackdriver.*

Monitoring AlertPolicy Editor

roles/monitoring.alertPolicyEditor

Read/write access to alerting policies.

monitoring.alertPolicies.*

Monitoring AlertPolicy Viewer

roles/monitoring.alertPolicyViewer

Read-only access to alerting policies.

monitoring.alertPolicies.get
monitoring.alertPolicies.list

Monitoring Dashboard Configuration Editor

roles/monitoring.dashboardEditor

Read/write access to dashboard configurations.

monitoring.dashboards.*

Monitoring Dashboard Configuration Viewer

roles/monitoring.dashboardViewer

Read-only access to dashboard configurations.

monitoring.dashboards.get
monitoring.dashboards.list

Monitoring Editor

roles/monitoring.editor

Provides full access to information about all monitoring data and configurations.

cloudnotifications.*
monitoring.alertPolicies.*
monitoring.dashboards.*
monitoring.groups.*
monitoring.metricDescriptors.*
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
monitoring.publicWidgets.*
monitoring.services.*
monitoring.slos.*
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.*
opsconfigmonitoring.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
stackdriver.*

Monitoring Metric Writer

roles/monitoring.metricWriter

Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics.

monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create

Monitoring Metrics Scopes Admin

roles/monitoring.metricsScopesAdmin

Access to add and remove monitored projects from metrics scopes.

monitoring.metricsScopes.*
resourcemanager.projects.get
resourcemanager.projects.list

Monitoring Metrics Scopes Viewer

roles/monitoring.metricsScopesViewer

Read-only access to metrics scopes and their monitored projects.

resourcemanager.projects.get
resourcemanager.projects.list

Monitoring NotificationChannel Editor

roles/monitoring.notificationChannelEditor

Read/write access to notification channels.

monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify

Monitoring NotificationChannel Viewer

roles/monitoring.notificationChannelViewer

Read-only access to notification channels.

monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list

Monitoring Services Editor

roles/monitoring.servicesEditor

Read/write access to services.

monitoring.services.*
monitoring.slos.*

Monitoring Services Viewer

roles/monitoring.servicesViewer

Read-only access to services.

monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list

Monitoring Uptime Check Configuration Editor

roles/monitoring.uptimeCheckConfigEditor

Read/write access to uptime check configurations.

monitoring.uptimeCheckConfigs.*

Monitoring Uptime Check Configuration Viewer

roles/monitoring.uptimeCheckConfigViewer

Read-only access to uptime check configurations.

monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list

Monitoring Viewer

roles/monitoring.viewer

Provides read-only access to get and list information about all monitoring data and configurations.

cloudnotifications.*
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
opsconfigmonitoring.resourceMetadata.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get

Hub & Spoke Admin

roles/networkconnectivity.hubAdmin

Enables full access to hub and spoke resources.

networkconnectivity.*
resourcemanager.projects.get
resourcemanager.projects.list

Hub & Spoke Viewer

roles/networkconnectivity.hubViewer

Enables read-only access to hub and spoke resources.

networkconnectivity.hubs.get
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.locations.*
networkconnectivity.spokes.get
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
resourcemanager.projects.get
resourcemanager.projects.list

Spoke Admin

roles/networkconnectivity.spokeAdmin

Enables full access to spoke resources and read-only access to hub resources.

networkconnectivity.hubs.get
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.locations.*
networkconnectivity.operations.get
networkconnectivity.operations.list
networkconnectivity.spokes.*
resourcemanager.projects.get
resourcemanager.projects.list

Network Management Admin

roles/networkmanagement.admin

Full access to Network Management resources.

networkmanagement.*
resourcemanager.projects.get
resourcemanager.projects.list

Network Management Viewer

roles/networkmanagement.viewer

Read-only access to Network Management resources.

networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.getIamPolicy
networkmanagement.connectivitytests.list
networkmanagement.locations.*
networkmanagement.operations.*
resourcemanager.projects.get
resourcemanager.projects.list

On-Demand Scanning Admin

roles/ondemandscanning.admin

All permissions for On-Demand Scanning

ondemandscanning.*

Ops Config Monitoring Resource Metadata Viewer

roles/opsconfigmonitoring.resourceMetadata.viewer

Read-only access to resource metadata.

opsconfigmonitoring.resourceMetadata.list

Ops Config Monitoring Resource Metadata Writer

roles/opsconfigmonitoring.resourceMetadata.writer

Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.

opsconfigmonitoring.resourceMetadata.write

Access Transparency Admin

roles/axt.admin

Enable Access Transparency for Organization

axt.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

Organization Policy Administrator

roles/orgpolicy.policyAdmin

Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies.

orgpolicy.*

Organization Policy Viewer

roles/orgpolicy.policyViewer

Provides access to view Organization Policies on resources.

orgpolicy.constraints.*
orgpolicy.policies.list
orgpolicy.policy.get

Advisory Notifications Viewer

roles/advisorynotifications.viewer

Grants view access in Advisory Notifications

advisorynotifications.*
resourcemanager.organizations.get

Anthos Policy Controller Service Agent

roles/anthospolicycontroller.serviceAgent

Gives the Anthos Policy Controller service agent access toCloud Platform resources.

gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list

Autoscaling Metrics Writer

roles/autoscaling.metricsWriter

Access to write metrics for autoscaling site

autoscaling.sites.writeMetrics

Autoscaling Recommendations Reader

roles/autoscaling.recommendationsReader

Access to read recommendations from autoscaling site

autoscaling.sites.readRecommendations

Autoscaling Site Admin

roles/autoscaling.sitesAdmin

Full access to all autoscaling site features

autoscaling.*
resourcemanager.projects.get
resourcemanager.projects.list

Autoscaling State Writer

roles/autoscaling.stateWriter

Access to write state for autoscaling site

autoscaling.sites.writeState

Bare Metal Solution Admin

roles/baremetalsolution.admin

Administrator of Bare Metal Solution resources

baremetalsolution.*
resourcemanager.projects.get
resourcemanager.projects.list

Bare Metal Solution Editor

roles/baremetalsolution.editor

Editor of Bare Metal Solution resources

baremetalsolution.*
resourcemanager.projects.get
resourcemanager.projects.list

Bare Metal Solution Instances Admin

roles/baremetalsolution.instancesadmin

Admin of Bare Metal Solution Instance resources

baremetalsolution.instances.*
resourcemanager.projects.get
resourcemanager.projects.list

Bare Metal Solution Instances Viewer

roles/baremetalsolution.instancesviewer

Viewer of Bare Metal Solution Instance resources

baremetalsolution.instances.get
baremetalsolution.instances.list
resourcemanager.projects.get
resourcemanager.projects.list

Luns Admin

roles/baremetalsolution.lunsadmin

Administrator of Bare Metal Solution Lun resources

baremetalsolution.luns.*

Luns Viewer

roles/baremetalsolution.lunsviewer

Viewer of Bare Metal Solution Lun resources

baremetalsolution.luns.*

Networks Admin

roles/baremetalsolution.networksadmin

Admin of Bare Metal Solution networks resources

baremetalsolution.networks.*

NFS Shares Admin

roles/baremetalsolution.nfssharesadmin

Administrator of Bare Metal Solution NFS Share resources

baremetalsolution.nfsshares.*

NFS Shares Editor

roles/baremetalsolution.nfsshareseditor

Editor of Bare Metal Solution NFS Share resources

baremetalsolution.nfsshares.*

NFS Shares Viewer

roles/baremetalsolution.nfssharesviewer

Viewer of Bare Metal Solution NFS Share resources

baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list

Bare Metal Solution Storage Admin

roles/baremetalsolution.storageadmin

Administrator of Bare Metal Solution storage resources

baremetalsolution.luns.*
baremetalsolution.nfsshares.*
baremetalsolution.snapshotschedulepolicies.*
baremetalsolution.volumes.*
baremetalsolution.volumesnapshots.*
resourcemanager.projects.get
resourcemanager.projects.list

Bare Metal Solution Viewer

roles/baremetalsolution.viewer

Viewer of Bare Metal Solution resources

baremetalsolution.instances.get
baremetalsolution.instances.list
baremetalsolution.luns.*
baremetalsolution.networks.get
baremetalsolution.networks.list
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.snapshotschedulepolicies.get
baremetalsolution.snapshotschedulepolicies.list
baremetalsolution.volumes.get
baremetalsolution.volumes.list
baremetalsolution.volumesnapshots.get
baremetalsolution.volumesnapshots.list
resourcemanager.projects.get
resourcemanager.projects.list

Volume Admin

roles/baremetalsolution.volumesadmin

Administrator of Bare Metal Solution volume resources

baremetalsolution.volumes.*

Volumes Editor

roles/baremetalsolution.volumeseditor

Editor of Bare Metal Solution volumes resources

baremetalsolution.volumes.*

Volumes Viewer

roles/baremetalsolution.volumessviewer

Viewer of Bare Metal Solution volumes resources

baremetalsolution.volumes.get
baremetalsolution.volumes.list

MigrationWorkflow Editor

roles/bigquerymigration.editor

Editor of EDW migration workflows.

bigquerymigration.locations.*
bigquerymigration.subtasks.get
bigquerymigration.subtasks.list
bigquerymigration.workflows.create
bigquerymigration.workflows.delete
bigquerymigration.workflows.get
bigquerymigration.workflows.list
bigquerymigration.workflows.update

Task Orchestrator

roles/bigquerymigration.orchestrator

Orchestrator of EDW migration tasks.

bigquerymigration.subtasks.create
bigquerymigration.taskTypes.*
bigquerymigration.workflows.orchestrateTask
bigquerymigration.workflows.writeLogs
storage.objects.list

Migration Translation User

roles/bigquerymigration.translationUser

User of EDW migration SQL translation service.

bigquerymigration.translation.*

MigrationWorkflow Viewer

roles/bigquerymigration.viewer

Viewer of EDW migration MigrationWorkflow.

bigquerymigration.locations.*
bigquerymigration.subtasks.get
bigquerymigration.subtasks.list
bigquerymigration.workflows.get
bigquerymigration.workflows.list

Task Worker

roles/bigquerymigration.worker

Worker that executes EDW migration subtasks.

bigquerymigration.subtaskTypes.*
bigquerymigration.subtasks.executeTask
bigquerymigration.workflows.writeLogs
storage.objects.create
storage.objects.get
storage.objects.list

Chronicle Service Admin

roles/chroniclesm.admin

Admins can view and modify Chronicle service details.

chroniclesm.*

Chronicle Service Viewer

roles/chroniclesm.viewer

Viewers can see Chronicle service details but not change them.

chroniclesm.gcpAssociations.get
chroniclesm.gcpSettings.get

Contact Center AI Insights editor

roles/contactcenterinsights.editor

Grants read and write access to all Contact Center AI Insights resources.

contactcenterinsights.*

Contact Center AI Insights viewer

roles/contactcenterinsights.viewer

Grants read access to all Contact Center AI Insights resources.

contactcenterinsights.analyses.get
contactcenterinsights.analyses.list
contactcenterinsights.conversations.get
contactcenterinsights.conversations.list
contactcenterinsights.issueModels.get
contactcenterinsights.issueModels.list
contactcenterinsights.issues.get
contactcenterinsights.issues.list
contactcenterinsights.operations.*
contactcenterinsights.phraseMatchers.get
contactcenterinsights.phraseMatchers.list
contactcenterinsights.settings.get

Content Warehouse Admin

roles/contentwarehouse.admin

Grants full access to all the resources in Content Warehouse

contentwarehouse.documentSchemas.*
contentwarehouse.documents.create
contentwarehouse.documents.delete
contentwarehouse.documents.get
contentwarehouse.documents.getIamPolicy
contentwarehouse.documents.setIamPolicy
contentwarehouse.documents.update
contentwarehouse.locations.*
contentwarehouse.rawDocuments.*
contentwarehouse.ruleSets.*
contentwarehouse.synonymSets.*
resourcemanager.projects.get
resourcemanager.projects.list

Content Warehouse document creator

roles/contentwarehouse.documentCreator

Grants access to create document in Content Warehouse

contentwarehouse.documentSchemas.get
contentwarehouse.documentSchemas.list
contentwarehouse.documents.create
resourcemanager.projects.get
resourcemanager.projects.list

Content Warehouse Document Editor

roles/contentwarehouse.documentEditor

Grants edit access to document resource in Content Warehouse

contentwarehouse.documentSchemas.get
contentwarehouse.documents.create
contentwarehouse.documents.delete
contentwarehouse.documents.get
contentwarehouse.documents.getIamPolicy
contentwarehouse.documents.setIamPolicy
contentwarehouse.documents.update
contentwarehouse.rawDocuments.*
resourcemanager.projects.get
resourcemanager.projects.list

Content Warehouse document owner

roles/contentwarehouse.documentOwner

Grants editor access to all owned documents in Content Warehouse

contentwarehouse.documents.enableOwnership
resourcemanager.projects.get
resourcemanager.projects.list

Content Warehouse document schema viewer

roles/contentwarehouse.documentSchemaViewer

Grants access to view the document schemas in Content Warehouse

contentwarehouse.documentSchemas.get
contentwarehouse.documentSchemas.list
resourcemanager.projects.get
resourcemanager.projects.list

Content Warehouse Viewer

roles/contentwarehouse.documentViewer

Grants access to view all the resources in Content Warehouse

contentwarehouse.documentSchemas.get
contentwarehouse.documents.get
contentwarehouse.documents.getIamPolicy
contentwarehouse.rawDocuments.download
resourcemanager.projects.get
resourcemanager.projects.list

Data Processing Controls Resource Admin

roles/dataprocessing.admin

Data processing controls admin who can fully manage data processing controls settings and view all datasource data.

billing.accounts.get
billing.accounts.list
dataprocessing.*

Data Processing Controls Data Source Manager

roles/dataprocessing.dataSourceManager

Data processing controls data source manager who can get, list, and update the underlying data.

dataprocessing.datasources.list
dataprocessing.datasources.update

Early Access Center Administrator

roles/earlyaccesscenter.admin

Grants full access to the Early Access Center, including access to all DATA_READ and DATA_WRITE permissions. Including the ability to enroll into Early Access Campaigns.

earlyaccesscenter.*

Early Access Center Viewer

roles/earlyaccesscenter.viewer

Grants view access to the Early Access Center, including access to all DATA_READ but no DATA_WRITE permissions.

earlyaccesscenter.campaigns.get
earlyaccesscenter.campaigns.list
earlyaccesscenter.customerAllowlists.*

Essential Contacts Admin

roles/essentialcontacts.admin

Full access to all essential contacts

essentialcontacts.*

Essential Contacts Viewer

roles/essentialcontacts.viewer

Viewer for all essential contacts

essentialcontacts.contacts.get
essentialcontacts.contacts.list

Firebase Cloud Messaging API Admin

roles/firebasecloudmessaging.admin

Full read/write access to Firebase Cloud Messaging API resources.

cloudmessaging.*
fcmdata.*
resourcemanager.projects.get
resourcemanager.projects.list

Firebase Crash Symbol Uploader

roles/firebasecrash.symbolMappingsAdmin

Full read/write access to symbol mapping file resources for Firebase Crash Reporting.

firebase.clients.get
firebase.clients.list
resourcemanager.projects.get

Identity Platform Admin

roles/identityplatform.admin

Full access to Identity Platform resources.

firebaseauth.*

Identity Platform Viewer

roles/identityplatform.viewer

Read access to Identity Platform resources.

firebaseauth.configs.get
firebaseauth.users.get

Identity Toolkit Admin

roles/identitytoolkit.admin

Full access to Identity Toolkit resources.

firebaseauth.*

Identity Toolkit Viewer

roles/identitytoolkit.viewer

Read access to Identity Toolkit resources.

firebaseauth.configs.get
firebaseauth.users.get

Apigee Integration Admin

roles/integrations.apigeeIntegrationAdminRole

A user that has full access to all Apigee integrations.

integrations.apigeeAuthConfigs.*
integrations.apigeeCertificates.*
integrations.apigeeExecutions.*
integrations.apigeeIntegrationVers.*
integrations.apigeeIntegrations.*
integrations.apigeeSfdcChannels.*
integrations.apigeeSfdcInstances.*
integrations.apigeeSuspensions.*
resourcemanager.projects.get
resourcemanager.projects.list

Apigee Integration Deployer

roles/integrations.apigeeIntegrationDeployerRole

A developer that can deploy/undeploy Apigee integrations to the integration runtime.

integrations.apigeeIntegrationVers.deploy
integrations.apigeeIntegrationVers.get
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrations.list
resourcemanager.projects.get
resourcemanager.projects.list

Apigee Integration Editor

roles/integrations.apigeeIntegrationEditorRole

A developer that can list, create and update Apigee integrations.

integrations.apigeeAuthConfigs.create
integrations.apigeeAuthConfigs.get
integrations.apigeeAuthConfigs.list
integrations.apigeeAuthConfigs.update
integrations.apigeeCertificates.create
integrations.apigeeCertificates.get
integrations.apigeeCertificates.list
integrations.apigeeCertificates.update
integrations.apigeeExecutions.*
integrations.apigeeIntegrationVers.*
integrations.apigeeIntegrations.*
integrations.apigeeSfdcChannels.create
integrations.apigeeSfdcChannels.get
integrations.apigeeSfdcChannels.list
integrations.apigeeSfdcChannels.update
integrations.apigeeSfdcInstances.create
integrations.apigeeSfdcInstances.get
integrations.apigeeSfdcInstances.list
integrations.apigeeSfdcInstances.update
resourcemanager.projects.get
resourcemanager.projects.list

Apigee Integration Invoker

roles/integrations.apigeeIntegrationInvokerRole

A role that can invoke Apigee integrations.

integrations.apigeeExecutions.*
integrations.apigeeIntegrationVers.get
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrations.*
resourcemanager.projects.get
resourcemanager.projects.list

Apigee Integration Viewer

roles/integrations.apigeeIntegrationsViewer

A developer that can list and view Apigee integrations.

integrations.apigeeAuthConfigs.list
integrations.apigeeCertificates.list
integrations.apigeeIntegrationVers.get
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrations.list
integrations.apigeeSfdcChannels.list
integrations.apigeeSfdcInstances.list
resourcemanager.projects.get
resourcemanager.projects.list

Apigee Integration Approver

roles/integrations.apigeeSuspensionResolver

A role that can approve / reject Apigee integrations that contain a suspension/wait task.

integrations.apigeeSuspensions.*
resourcemanager.projects.get
resourcemanager.projects.list

Security Integration Admin

roles/integrations.securityIntegrationAdmin

A user that has full access to all Security integrations.

integrations.securityAuthConfigs.*
integrations.securityExecutions.*
integrations.securityIntegTempVers.*
integrations.securityIntegrationVers.*
integrations.securityIntegrations.*

OAuth Config Editor

roles/oauthconfig.editor

Read/write access to OAuth config resources

clientauthconfig.*
oauthconfig.*

OAuth Config Viewer

roles/oauthconfig.viewer

Read-only access to OAuth config resources

clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.clients.get
clientauthconfig.clients.list
oauthconfig.clientpolicy.*
oauthconfig.testusers.get
oauthconfig.verification.get

Payments Reseller Admin

roles/paymentsresellersubscription.partnerAdmin

Full access to all Payments Reseller resources, including subscriptions, products and promotions

paymentsresellersubscription.*
resourcemanager.projects.get
resourcemanager.projects.list

Payments Reseller Viewer

roles/paymentsresellersubscription.partnerViewer

Read access to all Payments Reseller resources, including subscriptions, products and promotions

paymentsresellersubscription.products.*
paymentsresellersubscription.promotions.*
paymentsresellersubscription.subscriptions.get
resourcemanager.projects.get
resourcemanager.projects.list

Payments Reseller Products Viewer

roles/paymentsresellersubscription.productViewer

Read access to Payments Reseller Product resource

paymentsresellersubscription.products.*
resourcemanager.projects.get
resourcemanager.projects.list

Payments Reseller Promotions Viewer

roles/paymentsresellersubscription.promotionViewer

Read access to Payments Reseller Promotion resource

paymentsresellersubscription.promotions.*
resourcemanager.projects.get
resourcemanager.projects.list

Payments Reseller Subscriptions Editor

roles/paymentsresellersubscription.subscriptionEditor

Write access to Payments Reseller Subscription resource

paymentsresellersubscription.subscriptions.*
resourcemanager.projects.get
resourcemanager.projects.list

Payments Reseller Subscriptions Viewer

roles/paymentsresellersubscription.subscriptionViewer

Read access to Payments Reseller Subscription resource

paymentsresellersubscription.subscriptions.get
resourcemanager.projects.get
resourcemanager.projects.list

Activity Analysis Viewer

roles/policyanalyzer.activityAnalysisViewer

Viewer user that can read all activity analysis.

policyanalyzer.*

Simulator Admin

roles/policysimulator.admin

Admin user that can run and access replays.

policysimulator.*

Recommendations Exporter

roles/recommender.exporter

Exporter of Recommendations

recommender.resources.*

Remote Build Execution Action Cache Writer

roles/remotebuildexecution.actionCacheWriter

Remote Build Execution Action Cache Writer

remotebuildexecution.actions.set
remotebuildexecution.blobs.create

Remote Build Execution Artifact Admin

roles/remotebuildexecution.artifactAdmin

Remote Build Execution Artifact Admin

remotebuildexecution.actions.create
remotebuildexecution.actions.delete
remotebuildexecution.actions.get
remotebuildexecution.blobs.*
remotebuildexecution.logstreams.*

Remote Build Execution Artifact Creator

roles/remotebuildexecution.artifactCreator

Remote Build Execution Artifact Creator

remotebuildexecution.actions.create
remotebuildexecution.actions.get
remotebuildexecution.blobs.*
remotebuildexecution.logstreams.*

Remote Build Execution Artifact Viewer

roles/remotebuildexecution.artifactViewer

Remote Build Execution Artifact Viewer

remotebuildexecution.actions.get
remotebuildexecution.blobs.get
remotebuildexecution.logstreams.get

Remote Build Execution Configuration Admin

roles/remotebuildexecution.configurationAdmin

Remote Build Execution Configuration Admin

remotebuildexecution.instances.*
remotebuildexecution.workerpools.*

Remote Build Execution Configuration Viewer

roles/remotebuildexecution.configurationViewer

Remote Build Execution Configuration Viewer

remotebuildexecution.instances.get
remotebuildexecution.instances.list
remotebuildexecution.workerpools.get
remotebuildexecution.workerpools.list

Remote Build Execution Logstream Writer

roles/remotebuildexecution.logstreamWriter

Remote Build Execution Logstream Writer

remotebuildexecution.logstreams.create
remotebuildexecution.logstreams.update

Remote Build Execution Reservation Admin

roles/remotebuildexecution.reservationAdmin

Remote Build Execution Reservation Admin

remotebuildexecution.actions.create
remotebuildexecution.actions.delete
remotebuildexecution.actions.get

Remote Build Execution Worker

roles/remotebuildexecution.worker

Remote Build Execution Worker

remotebuildexecution.actions.update
remotebuildexecution.blobs.*
remotebuildexecution.botsessions.*
remotebuildexecution.logstreams.create
remotebuildexecution.logstreams.update

Retail Admin

roles/retail.admin

Full access to Retail api resources.

automlrecommendations.apiKeys.create
automlrecommendations.apiKeys.delete
automlrecommendations.catalogItems.*
automlrecommendations.catalogs.*
automlrecommendations.eventStores.*
automlrecommendations.events.*
automlrecommendations.placements.*
automlrecommendations.recommendations.*
retail.*

Retail Editor

roles/retail.editor

Full access to Retail api resources except purge, rejoin, and setSponsorship.

automlrecommendations.apiKeys.create
automlrecommendations.apiKeys.delete
automlrecommendations.catalogItems.*
automlrecommendations.catalogs.*
automlrecommendations.eventStores.*
automlrecommendations.events.create
automlrecommendations.events.list
automlrecommendations.placements.*
automlrecommendations.recommendations.*
retail.attributesConfigs.addCatalogAttribute
retail.attributesConfigs.exportCatalogAttributes
retail.attributesConfigs.get
retail.attributesConfigs.importCatalogAttributes
retail.attributesConfigs.replaceCatalogAttribute
retail.attributesConfigs.update
retail.catalogs.*
retail.controls.*
retail.models.*
retail.operations.*
retail.placements.*
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.update
retail.retailProjects.*
retail.servingConfigs.*
retail.userEvents.create
retail.userEvents.import

Retail Viewer

roles/retail.viewer

Grants access to read all resources in Retail.

automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.eventStores.*
automlrecommendations.events.list
automlrecommendations.placements.getStats
automlrecommendations.placements.list
automlrecommendations.recommendations.list
retail.attributesConfigs.exportCatalogAttributes
retail.attributesConfigs.get
retail.catalogs.completeQuery
retail.catalogs.list
retail.controls.export
retail.controls.get
retail.controls.list
retail.models.list
retail.operations.*
retail.placements.*
retail.products.export
retail.products.get
retail.products.list
retail.retailProjects.*
retail.servingConfigs.get
retail.servingConfigs.list

Cloud RuntimeConfig Admin

roles/runtimeconfig.admin

Full access to RuntimeConfig resources.

runtimeconfig.*

Cloud Speech Administrator

roles/speech.admin

Grants full access to all resources in Speech-to-text

speech.*

Cloud Speech Client

roles/speech.client

Grants access to the recognition APIs.

speech.adaptations.*

Cloud Speech Editor

roles/speech.editor

Grants access to edit resources in Speech-to-text

speech.*

Subscribe with Google Developer

roles/subscribewithgoogledeveloper.developer

Access DevTools for Subscribe with Google

resourcemanager.projects.get
resourcemanager.projects.list
subscribewithgoogledeveloper.*

Traffic Director Client

roles/trafficdirector.client

Fetch service configurations and report metrics.

trafficdirector.*

Translation Hub Admin

roles/translationhub.admin

Admin of Translation Hub

automl.models.get
automl.models.list
automl.models.predict
cloudtranslate.glossaries.create
cloudtranslate.glossaries.delete
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.glossaries.predict
resourcemanager.projects.get
resourcemanager.projects.list
translationhub.*

Translation Hub Portal User

roles/translationhub.portalUser

Portal user of Translation Hub

automl.models.get
automl.models.list
automl.models.predict
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.glossaries.predict
resourcemanager.projects.get
resourcemanager.projects.list
translationhub.portals.get
translationhub.portals.list

Visual Inspection AI Solution Editor

roles/visualinspection.editor

Read and write access to all Visual Inspection AI resources except visualinspection.locations.reportUsageMetrics

visualinspection.annotationSets.*
visualinspection.annotationSpecs.*
visualinspection.annotations.*
visualinspection.datasets.*
visualinspection.images.*
visualinspection.locations.get
visualinspection.locations.list
visualinspection.modelEvaluations.*
visualinspection.models.*
visualinspection.modules.*
visualinspection.operations.*
visualinspection.solutionArtifacts.*
visualinspection.solutions.*

Visual Inspection AI Usage Metrics Reporter

roles/visualinspection.usageMetricsReporter

ReportUsageMetric access to Visual Inspection AI Service

visualinspection.locations.reportUsageMetrics

Visual Inspection AI Viewer

roles/visualinspection.viewer

Read access to Visual Inspection AI resources

visualinspection.annotationSets.get
visualinspection.annotationSets.list
visualinspection.annotationSpecs.get
visualinspection.annotationSpecs.list
visualinspection.annotations.get
visualinspection.annotations.list
visualinspection.datasets.export
visualinspection.datasets.get
visualinspection.datasets.list
visualinspection.images.get
visualinspection.images.list
visualinspection.locations.get
visualinspection.locations.list
visualinspection.modelEvaluations.*
visualinspection.models.get
visualinspection.models.list
visualinspection.modules.get
visualinspection.modules.list
visualinspection.operations.*
visualinspection.solutionArtifacts.get
visualinspection.solutionArtifacts.list
visualinspection.solutionArtifacts.predict
visualinspection.solutions.get
visualinspection.solutions.list

Browser

roles/browser

Read access to browse the hierarchy for a project, including the folder, organization, and IAM policy. This role doesn't include permission to view resources in the project.

resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

Beacon Attachment Editor

roles/proximitybeacon.attachmentEditor

Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces.

proximitybeacon.attachments.*
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.namespaces.list
resourcemanager.projects.get
resourcemanager.projects.list

Beacon Attachment Publisher

roles/proximitybeacon.attachmentPublisher

Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project.

proximitybeacon.beacons.attach
proximitybeacon.beacons.get
proximitybeacon.beacons.list
resourcemanager.projects.get
resourcemanager.projects.list

Beacon Attachment Viewer

roles/proximitybeacon.attachmentViewer

Can view all attachments under a namespace; no beacon or namespace permissions.

proximitybeacon.attachments.get
proximitybeacon.attachments.list
resourcemanager.projects.get
resourcemanager.projects.list

Beacon Editor

roles/proximitybeacon.beaconEditor

Necessary access to register, modify, and view beacons; no attachment or namespace permissions.

proximitybeacon.beacons.create
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.beacons.update
resourcemanager.projects.get
resourcemanager.projects.list

Pub/Sub Admin

roles/pubsub.admin

Provides full access to topics and subscriptions.

pubsub.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Pub/Sub Editor

roles/pubsub.editor

Provides access to modify topics and subscriptions, and access to publish and consume messages.

pubsub.schemas.attach
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Pub/Sub Publisher

roles/pubsub.publisher

Provides access to publish messages to a topic.

pubsub.topics.publish

Pub/Sub Subscriber

roles/pubsub.subscriber

Provides access to consume messages from a subscription and to attach subscriptions to a topic.

pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription

Pub/Sub Viewer

roles/pubsub.viewer

Provides access to view topics and subscriptions.

pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Pub/Sub Lite Admin

roles/pubsublite.admin

Full access to topics, subscriptions and reservations.

pubsublite.*

Pub/Sub Lite Editor

roles/pubsublite.editor

Modify topics, subscriptions and reservations, publish and consume messages.

pubsublite.*

Pub/Sub Lite Publisher

roles/pubsublite.publisher

Publish messages to a topic.

pubsublite.topics.getPartitions
pubsublite.topics.publish

Pub/Sub Lite Subscriber

roles/pubsublite.subscriber

Subscribe to and read messages from a topic.

pubsublite.operations.get
pubsublite.subscriptions.getCursor
pubsublite.subscriptions.seek
pubsublite.subscriptions.setCursor
pubsublite.subscriptions.subscribe
pubsublite.topics.computeHeadCursor
pubsublite.topics.computeMessageStats
pubsublite.topics.computeTimeCursor
pubsublite.topics.getPartitions
pubsublite.topics.subscribe

Pub/Sub Lite Viewer

roles/pubsublite.viewer

View topics, subscriptions and reservations.

pubsublite.operations.*
pubsublite.reservations.get
pubsublite.reservations.list
pubsublite.reservations.listTopics
pubsublite.subscriptions.get
pubsublite.subscriptions.getCursor
pubsublite.subscriptions.list
pubsublite.topics.get
pubsublite.topics.getPartitions
pubsublite.topics.list
pubsublite.topics.listSubscriptions

reCAPTCHA Enterprise Admin

roles/recaptchaenterprise.admin

Access to view and modify reCAPTCHA Enterprise keys

monitoring.timeSeries.list
recaptchaenterprise.keys.*
recaptchaenterprise.metrics.*
recaptchaenterprise.projectmetadata.*
resourcemanager.projects.get
resourcemanager.projects.list

reCAPTCHA Enterprise Agent

roles/recaptchaenterprise.agent

Access to create and annotate reCAPTCHA Enterprise assessments

recaptchaenterprise.assessments.*
recaptchaenterprise.relatedaccountgroupmemberships.*
recaptchaenterprise.relatedaccountgroups.*
resourcemanager.projects.get
resourcemanager.projects.list

reCAPTCHA Enterprise Viewer

roles/recaptchaenterprise.viewer

Access to view reCAPTCHA Enterprise keys and metrics

monitoring.timeSeries.list
recaptchaenterprise.keys.get
recaptchaenterprise.keys.list
recaptchaenterprise.metrics.*
recaptchaenterprise.projectmetadata.get
resourcemanager.projects.get
resourcemanager.projects.list

Recommendations AI Admin

roles/automlrecommendations.admin

Full access to all Recommendations AI resources.

automlrecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.catalogs.update
retail.operations.*
retail.placements.*
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.update
retail.retailProjects.*
retail.userEvents.*
serviceusage.services.get
serviceusage.services.list

Recommendations AI Admin Viewer

roles/automlrecommendations.adminViewer

Viewer of all Recommendations AI resources.

automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.eventStores.*
automlrecommendations.events.list
automlrecommendations.placements.getStats
automlrecommendations.placements.list
automlrecommendations.recommendations.list
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.operations.*
retail.placements.*
retail.products.export
retail.products.get
retail.products.list
retail.retailProjects.*
serviceusage.services.get
serviceusage.services.list

Recommendations AI Editor

roles/automlrecommendations.editor

Editor of all Recommendations AI resources.

automlrecommendations.apiKeys.create
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.*
automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.eventStores.*
automlrecommendations.events.create
automlrecommendations.events.list
automlrecommendations.placements.create
automlrecommendations.placements.getStats
automlrecommendations.placements.list
automlrecommendations.recommendations.create
automlrecommendations.recommendations.list
automlrecommendations.recommendations.pause
automlrecommendations.recommendations.resume
automlrecommendations.recommendations.update
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.catalogs.update
retail.operations.*
retail.placements.*
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.update
retail.retailProjects.*
retail.userEvents.create
retail.userEvents.import
serviceusage.services.get
serviceusage.services.list

Recommendations AI Viewer

roles/automlrecommendations.viewer

Viewer of all Recommendations AI resources except apiKeys. To view all resources, including apiKeys, grant the Recommendations AI Admin Viewer role (roles/automlrecommendations.adminViewer).

automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.eventStores.*
automlrecommendations.events.list
automlrecommendations.placements.getStats
automlrecommendations.placements.list
automlrecommendations.recommendations.list
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.operations.*
retail.placements.*
retail.products.export
retail.products.get
retail.products.list
retail.retailProjects.*
serviceusage.services.get
serviceusage.services.list

BigQuery Slot Recommender Admin

roles/recommender.bigQueryCapacityCommitmentsAdmin

Admin of BigQuery Capacity Commitments insights and recommendations.

recommender.bigqueryCapacityCommitmentsInsights.*
recommender.bigqueryCapacityCommitmentsRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

BigQuery Recommender Billing Account Admin

roles/recommender.bigQueryCapacityCommitmentsBillingAccountAdmin

Billing Account Admin of BigQuery Capacity Commitments insights and recommendations.

billing.accounts.get
billing.accounts.list
recommender.bigqueryCapacityCommitmentsInsights.*
recommender.bigqueryCapacityCommitmentsRecommendations.*

BigQuery Recommender Billing Account Viewer

roles/recommender.bigQueryCapacityCommitmentsBillingAccountViewer

Billing Account Viewer of BigQuery Capacity Commitments insights and recommendations.

billing.accounts.get
billing.accounts.list
recommender.bigqueryCapacityCommitmentsInsights.get
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsRecommendations.get
recommender.bigqueryCapacityCommitmentsRecommendations.list

BigQuery Recommender Project Admin

roles/recommender.bigQueryCapacityCommitmentsProjectAdmin

Project Admin of BigQuery Capacity Commitments insights and recommendations.

recommender.bigqueryCapacityCommitmentsInsights.*
recommender.bigqueryCapacityCommitmentsRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

BigQuery Recommender Project Viewer

roles/recommender.bigQueryCapacityCommitmentsProjectViewer

Project Viewer of BigQuery Capacity Commitments insights and recommendations.

recommender.bigqueryCapacityCommitmentsInsights.get
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsRecommendations.get
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

BigQuery Slot Recommender Viewer

roles/recommender.bigQueryCapacityCommitmentsViewer

Viewer of BigQuery Capacity Commitments insights and recommendations.

recommender.bigqueryCapacityCommitmentsInsights.get
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsRecommendations.get
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

Billing Account Usage Commitment Recommender Admin

roles/recommender.billingAccountCudAdmin

Admin of Billing Account Usage Commitment Recommender.

billing.accounts.get
billing.accounts.list
recommender.commitmentUtilizationInsights.*
recommender.usageCommitmentRecommendations.*

Billing Account Usage Commitment Recommender Viewer

roles/recommender.billingAccountCudViewer

Viewer of Billing Account Usage Commitment Recommender.

billing.accounts.get
billing.accounts.list
recommender.commitmentUtilizationInsights.get
recommender.commitmentUtilizationInsights.list
recommender.usageCommitmentRecommendations.get
recommender.usageCommitmentRecommendations.list

Cloud Asset Insights Admin

roles/recommender.cloudAssetInsightsAdmin

Admin of all Cloud Asset insights.

recommender.cloudAssetInsights.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Asset Insights Viewer

roles/recommender.cloudAssetInsightsViewer

Viewer of all Cloud Asset insights.

recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud SQL Recommender Admin

roles/recommender.cloudsqlAdmin

Admin of Cloud SQL insights and recommendations.

recommender.cloudsqlIdleInstanceRecommendations.*
recommender.cloudsqlInstanceActivityInsights.*
recommender.cloudsqlInstanceCpuUsageInsights.*
recommender.cloudsqlInstanceDiskUsageTrendInsights.*
recommender.cloudsqlInstanceMemoryUsageInsights.*
recommender.cloudsqlInstanceOutOfDiskRecommendations.*
recommender.cloudsqlOverprovisionedInstanceRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud SQL Recommender Viewer

roles/recommender.cloudsqlViewer

Viewer of Cloud SQL insights and recommendations.

recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlInstanceActivityInsights.get
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.get
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.get
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.get
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.get
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
resourcemanager.projects.get
resourcemanager.projects.list

Compute Recommender Admin

roles/recommender.computeAdmin

Admin of compute recommendations.

recommender.computeAddressIdleResourceInsights.*
recommender.computeAddressIdleResourceRecommendations.*
recommender.computeDiskIdleResourceInsights.*
recommender.computeDiskIdleResourceRecommendations.*
recommender.computeImageIdleResourceInsights.*
recommender.computeImageIdleResourceRecommendations.*
recommender.computeInstanceGroupManagerMachineTypeRecommendations.*
recommender.computeInstanceIdleResourceRecommendations.*
recommender.computeInstanceMachineTypeRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

Compute Recommender Viewer

roles/recommender.computeViewer

Viewer of compute recommendations.

recommender.computeAddressIdleResourceInsights.get
recommender.computeAddressIdleResourceInsights.list
recommender.computeAddressIdleResourceRecommendations.get
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeDiskIdleResourceInsights.get
recommender.computeDiskIdleResourceInsights.list
recommender.computeDiskIdleResourceRecommendations.get
recommender.computeDiskIdleResourceRecommendations.list
recommender.computeImageIdleResourceInsights.get
recommender.computeImageIdleResourceInsights.list
recommender.computeImageIdleResourceRecommendations.get
recommender.computeImageIdleResourceRecommendations.list
recommender.computeInstanceGroupManagerMachineTypeRecommendations.get
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceIdleResourceRecommendations.get
recommender.computeInstanceIdleResourceRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.get
recommender.computeInstanceMachineTypeRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

Dataflow Diagnostics Admin

roles/recommender.dataflowDiagnosticsAdmin

Admin of Diagnostics recommendations.

recommender.dataflowDiagnosticsInsights.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

Dataflow Diagnostics Viewer

roles/recommender.dataflowDiagnosticsViewer

Viewer of Diagnostics recommendations.

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

Error Reporting Recommender Admin

roles/recommender.errorReportingAdmin

Admin of Error Reporting Insights and Recommendations.

recommender.errorReportingInsights.*
recommender.errorReportingRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

Error Reporting Recommender Viewer

roles/recommender.errorReportingViewer

Viewer of Error Reporting Insights and Recommendations.

recommender.errorReportingInsights.get
recommender.errorReportingInsights.list
recommender.errorReportingRecommendations.get
recommender.errorReportingRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

Firewall Recommender Admin

roles/recommender.firewallAdmin

Admin of Firewall insights and recommendations.

monitoring.timeSeries.list
recommender.computeFirewallInsights.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

Firewall Recommender Viewer

roles/recommender.firewallViewer

Viewer of Firewall insights and recommendations.

monitoring.timeSeries.list
recommender.computeFirewallInsights.get
recommender.computeFirewallInsights.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

IAM Recommender Admin

roles/recommender.iamAdmin

Admin of IAM recommendations.

recommender.iamPolicyInsights.*
recommender.iamPolicyLateralMovementInsights.*
recommender.iamPolicyRecommendations.*
recommender.iamServiceAccountInsights.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

IAM Recommender Viewer

roles/recommender.iamViewer

Viewer of IAM recommendations.

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyLateralMovementInsights.get
recommender.iamPolicyLateralMovementInsights.list
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamServiceAccountInsights.get
recommender.iamServiceAccountInsights.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

Product Suggestion Recommenders Admin

roles/recommender.productSuggestionAdmin

Admin of all Product Suggestion insights and recommendations.

recommender.locations.*
recommender.loggingProductSuggestionContainerInsights.*
recommender.loggingProductSuggestionContainerRecommendations.*
recommender.monitoringProductSuggestionComputeInsights.*
recommender.monitoringProductSuggestionComputeRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list

Product Suggestion Recommenders Viewer

roles/recommender.productSuggestionViewer

Viewer of all Product Suggestion insights and recommendations.

recommender.locations.*
recommender.loggingProductSuggestionContainerInsights.get
recommender.loggingProductSuggestionContainerInsights.list
recommender.loggingProductSuggestionContainerRecommendations.get
recommender.loggingProductSuggestionContainerRecommendations.list
recommender.monitoringProductSuggestionComputeInsights.get
recommender.monitoringProductSuggestionComputeInsights.list
recommender.monitoringProductSuggestionComputeRecommendations.get
recommender.monitoringProductSuggestionComputeRecommendations.list
resourcemanager.projects.get
resourcemanager.projects.list

Project Usage Commitment Recommender Admin

roles/recommender.projectCudAdmin

Admin of Project Usage Commitment Recommender.

recommender.commitmentUtilizationInsights.*
recommender.locations.*
recommender.usageCommitmentRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list

Project Usage Commitment Recommender Viewer

roles/recommender.projectCudViewer

Viewer of Project Usage Commitment Recommender.

recommender.commitmentUtilizationInsights.get
recommender.commitmentUtilizationInsights.list
recommender.locations.*
recommender.usageCommitmentRecommendations.get
recommender.usageCommitmentRecommendations.list
resourcemanager.projects.get
resourcemanager.projects.list

Project Utilization Recommender Admin

roles/recommender.projectUtilAdmin

Admin of Project Utilization insights and recommendations.

recommender.resourcemanagerProjectUtilizationInsights.*
recommender.resourcemanagerProjectUtilizationRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list

Project Utilization Recommender Viewer

roles/recommender.projectUtilViewer

Viewer of Project Utilization insights and recommendations.

recommender.resourcemanagerProjectUtilizationInsights.get
recommender.resourcemanagerProjectUtilizationInsights.list
recommender.resourcemanagerProjectUtilizationRecommendations.get
recommender.resourcemanagerProjectUtilizationRecommendations.list
resourcemanager.projects.get
resourcemanager.projects.list

Folder Admin

roles/resourcemanager.folderAdmin

Provides all available permissions for working with folders.

orgpolicy.constraints.*
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.move
resourcemanager.projects.setIamPolicy

Folder Creator

roles/resourcemanager.folderCreator

Provides permissions needed to browse the hierarchy and create folders.

orgpolicy.constraints.*
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list

Folder Editor

roles/resourcemanager.folderEditor

Provides permission to modify folders as well as to view a folder's IAM policy.

orgpolicy.constraints.*
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.delete
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.undelete
resourcemanager.folders.update
resourcemanager.projects.get
resourcemanager.projects.list

Folder IAM Admin

roles/resourcemanager.folderIamAdmin

Provides permissions to administer IAM policies on folders.

resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.setIamPolicy

Folder Mover

roles/resourcemanager.folderMover

Provides permission to move projects and folders into and out of a parent organization or folder.

resourcemanager.folders.move
resourcemanager.projects.move

Folder Viewer

roles/resourcemanager.folderViewer

Provides permission to get a folder and list the folders and projects below a resource.

orgpolicy.constraints.*
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list

Project Lien Modifier

roles/resourcemanager.lienModifier

Provides access to modify Liens on projects.

resourcemanager.projects.updateLiens

Organization Administrator

roles/resourcemanager.organizationAdmin

Access to manage IAM policies and view organization policies for organizations, folders, and projects.

orgpolicy.constraints.*
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy

Organization Viewer

roles/resourcemanager.organizationViewer

Provides access to view an organization.

resourcemanager.organizations.get

Project Creator

roles/resourcemanager.projectCreator

Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project.

resourcemanager.organizations.get
resourcemanager.projects.create

Project Deleter

roles/resourcemanager.projectDeleter

Provides access to delete Google Cloud projects.

resourcemanager.projects.delete

Project IAM Admin

roles/resourcemanager.projectIamAdmin

Provides permissions to administer IAM policies on projects.

resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy

Project Mover

roles/resourcemanager.projectMover

Provides access to update and move projects.

resourcemanager.projects.get
resourcemanager.projects.move
resourcemanager.projects.update

Tag Administrator

roles/resourcemanager.tagAdmin

Access to create, delete, update, and manage access to Tags

resourcemanager.tagHolds.*
resourcemanager.tagKeys.*
resourcemanager.tagValues.*

Tag Hold Administrator

roles/resourcemanager.tagHoldAdmin

Access to create, delete and list TagHolds under a TagValue

resourcemanager.tagHolds.*

Tag User

roles/resourcemanager.tagUser

Access to list Tags and manage their associations with resources

artifactregistry.repositories.createTagBinding
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
cloudkms.keyRings.createTagBinding
cloudkms.keyRings.deleteTagBinding
cloudkms.keyRings.listTagBindings
cloudsql.instances.createTagBinding
cloudsql.instances.deleteTagBinding
cloudsql.instances.listTagBindings
compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.disks.listTagBindings
compute.images.createTagBinding
compute.images.deleteTagBinding
compute.images.listTagBindings
compute.snapshots.createTagBinding
compute.snapshots.deleteTagBinding
compute.snapshots.listTagBindings
domains.registrations.createTagBinding
domains.registrations.deleteTagBinding
domains.registrations.listTagBindings
file.backups.createTagBinding
file.backups.deleteTagBinding
file.backups.listTagBindings
file.instances.createTagBinding
file.instances.deleteTagBinding
file.instances.listTagBindings
file.snapshots.createTagBinding
file.snapshots.deleteTagBinding
file.snapshots.listTagBindings
managedidentities.domains.createTagBinding
managedidentities.domains.deleteTagBinding
managedidentities.domains.listTagBindings
resourcemanager.hierarchyNodes.*
resourcemanager.projects.get
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.tagValueBindings.*
resourcemanager.tagValues.get
resourcemanager.tagValues.list
run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.listTagBindings

Tag Viewer

roles/resourcemanager.tagViewer

Access to list Tags and their associations with resources

artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
cloudkms.keyRings.listTagBindings
cloudsql.instances.listTagBindings
compute.disks.listTagBindings
compute.images.listTagBindings
compute.snapshots.listTagBindings
domains.registrations.listTagBindings
file.backups.listTagBindings
file.instances.listTagBindings
file.snapshots.listTagBindings
managedidentities.domains.listTagBindings
resourcemanager.hierarchyNodes.listTagBindings
resourcemanager.tagHolds.list
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.tagValues.get
resourcemanager.tagValues.list
run.services.listEffectiveTags
run.services.listTagBindings
storage.buckets.listTagBindings

Resource Settings Administrator

roles/resourcesettings.admin

Provides admin capabilities to set Resource Setting Values on resources.

resourcesettings.*

Resource Settings Viewer

roles/resourcesettings.viewer

Provides capabilities to view Resource Settings and Resource Setting Values on resources.

resourcesettings.settings.get
resourcesettings.settings.list

Risk Manager Admin

roles/riskmanager.admin

Grants all Risk Manager permissions

resourcemanager.projects.get
resourcemanager.projects.list
riskmanager.*

Risk Manager Editor

roles/riskmanager.editor

Access to edit Risk Manager resources

resourcemanager.projects.get
resourcemanager.projects.list
riskmanager.operations.*
riskmanager.policies.*
riskmanager.reports.create
riskmanager.reports.delete
riskmanager.reports.get
riskmanager.reports.list
riskmanager.serviceAccount.*
riskmanager.settings.*

Risk Manager Report Reviewer

roles/riskmanager.reviewer

Access to review Risk Manager reports

resourcemanager.projects.get
resourcemanager.projects.list
riskmanager.operations.get
riskmanager.operations.list
riskmanager.reports.get
riskmanager.reports.list
riskmanager.reports.review

Risk Manager Viewer

roles/riskmanager.viewer

Access to view Risk Manager resources

resourcemanager.projects.get
resourcemanager.projects.list
riskmanager.operations.get
riskmanager.operations.list
riskmanager.policies.*
riskmanager.reports.get
riskmanager.reports.list
riskmanager.settings.get

Organization Role Administrator

roles/iam.organizationRoleAdmin

Provides access to administer all custom roles in the organization and the projects below it.

iam.roles.*
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

Organization Role Viewer

roles/iam.organizationRoleViewer

Provides read access to all custom roles in the organization and the projects below it.

iam.roles.get
iam.roles.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

Role Administrator

roles/iam.roleAdmin

Provides access to all custom roles in the project.

iam.roles.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy

Role Viewer

roles/iam.roleViewer

Provides read access to all custom roles in the project.

iam.roles.get
iam.roles.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy

Secret Manager Admin

roles/secretmanager.admin

Full access to administer Secret Manager resources.

resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.*

Secret Manager Secret Accessor

roles/secretmanager.secretAccessor

Allows accessing the payload of secrets.

resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.versions.access

Secret Manager Secret Version Adder

roles/secretmanager.secretVersionAdder

Allows adding versions to existing secrets.

resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.versions.add

Secret Manager Secret Version Manager

roles/secretmanager.secretVersionManager

Allows creating and managing versions of existing secrets.

resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.versions.add
secretmanager.versions.destroy
secretmanager.versions.disable
secretmanager.versions.enable
secretmanager.versions.get
secretmanager.versions.list

Secret Manager Viewer

roles/secretmanager.viewer

Allows viewing metadata of all Secret Manager resources

resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.locations.*
secretmanager.secrets.get
secretmanager.secrets.getIamPolicy
secretmanager.secrets.list
secretmanager.versions.get
secretmanager.versions.list

Security Center Admin

roles/securitycenter.admin

Admin(super user) access to security center

appengine.applications.get
cloudsecurityscanner.*
compute.addresses.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Security Center Admin Editor

roles/securitycenter.adminEditor

Admin Read-write access to security center

appengine.applications.get
cloudsecurityscanner.*
compute.addresses.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.assets.*
securitycenter.assetsecuritymarks.*
securitycenter.bigQueryExports.*
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.findingexternalsystems.*
securitycenter.findings.*
securitycenter.findingsecuritymarks.*
securitycenter.muteconfigs.*
securitycenter.notificationconfig.*
securitycenter.organizationsettings.get
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.subscription.*
securitycenter.userinterfacemetadata.*
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Security Center Admin Viewer

roles/securitycenter.adminViewer

Admin Read access to security center

cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.results.*
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.organizationsettings.get
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.subscription.*
securitycenter.userinterfacemetadata.*
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Security Center Asset Security Marks Writer

roles/securitycenter.assetSecurityMarksWriter

Write access to asset security marks

securitycenter.assetsecuritymarks.*
securitycenter.userinterfacemetadata.*

Security Center Assets Discovery Runner

roles/securitycenter.assetsDiscoveryRunner

Run asset discovery access to assets

securitycenter.assets.runDiscovery
securitycenter.userinterfacemetadata.*

Security Center Assets Viewer

roles/securitycenter.assetsViewer

Read access to assets

resourcemanager.folders.get
resourcemanager.organizations.get
resourcemanager.projects.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.userinterfacemetadata.*

Security Center BigQuery Exports Editor

roles/securitycenter.bigQueryExportsEditor

Read-Write access to security center BigQuery Exports

resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*

Security Center BigQuery Exports Viewer

roles/securitycenter.bigQueryExportsViewer

Read access to security center BigQuery Exports

resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list

Security Center External Systems Editor

roles/securitycenter.externalSystemsEditor

Write access to security center external systems

securitycenter.findingexternalsystems.*

Security Center Finding Security Marks Writer

roles/securitycenter.findingSecurityMarksWriter

Write access to finding security marks

securitycenter.findingsecuritymarks.*
securitycenter.userinterfacemetadata.*

Security Center Findings Bulk Mute Editor

roles/securitycenter.findingsBulkMuteEditor

Ability to mute findings in bulk

securitycenter.findings.bulkMuteUpdate

Security Center Findings Editor

roles/securitycenter.findingsEditor

Read-write access to findings

resourcemanager.folders.get
resourcemanager.organizations.get
resourcemanager.projects.get
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.update
securitycenter.sources.get
securitycenter.sources.list
securitycenter.userinterfacemetadata.*

Security Center Findings Mute Setter

roles/securitycenter.findingsMuteSetter

Set mute access to findings

securitycenter.findings.setMute

Security Center Findings State Setter

roles/securitycenter.findingsStateSetter

Set state access to findings

securitycenter.findings.setState
securitycenter.userinterfacemetadata.*

Security Center Findings Viewer

roles/securitycenter.findingsViewer

Read access to findings

resourcemanager.folders.get
resourcemanager.organizations.get
resourcemanager.projects.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list
securitycenter.userinterfacemetadata.*

Security Center Findings Workflow State Setter

roles/securitycenter.findingsWorkflowStateSetter

Set workflow state access to findings

securitycenter.findings.setWorkflowState
securitycenter.userinterfacemetadata.*

Security Center Mute Configurations Editor

roles/securitycenter.muteConfigsEditor

Read-Write access to security center mute configurations

securitycenter.muteconfigs.*

Security Center Mute Configurations Viewer

roles/securitycenter.muteConfigsViewer

Read access to security center mute configurations

securitycenter.muteconfigs.get
securitycenter.muteconfigs.list

Security Center Notification Configurations Editor

roles/securitycenter.notificationConfigEditor

Write access to notification configurations

securitycenter.notificationconfig.*
securitycenter.userinterfacemetadata.*

Security Center Notification Configurations Viewer

roles/securitycenter.notificationConfigViewer

Read access to notification configurations

securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.userinterfacemetadata.*

Security Center Settings Admin

roles/securitycenter.settingsAdmin

Admin(super user) access to security center settings

resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*
securitycenter.containerthreatdetectionsettings.*
securitycenter.eventthreatdetectionsettings.*
securitycenter.muteconfigs.*
securitycenter.notificationconfig.*
securitycenter.organizationsettings.*
securitycenter.securitycentersettings.*
securitycenter.securityhealthanalyticssettings.*
securitycenter.subscription.*
securitycenter.userinterfacemetadata.*
securitycenter.virtualmachinethreatdetectionsettings.*
securitycenter.websecurityscannersettings.*

Security Center Settings Editor

roles/securitycenter.settingsEditor

Read-Write access to security center settings

resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*
securitycenter.containerthreatdetectionsettings.*
securitycenter.eventthreatdetectionsettings.*
securitycenter.muteconfigs.*
securitycenter.notificationconfig.*
securitycenter.organizationsettings.*
securitycenter.securitycentersettings.*
securitycenter.securityhealthanalyticssettings.*
securitycenter.subscription.*
securitycenter.userinterfacemetadata.*
securitycenter.virtualmachinethreatdetectionsettings.*
securitycenter.websecurityscannersettings.*

Security Center Settings Viewer

roles/securitycenter.settingsViewer

Read access to security center settings

resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.organizationsettings.get
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.subscription.*
securitycenter.userinterfacemetadata.*
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get

Security Center Sources Admin

roles/securitycenter.sourcesAdmin

Admin access to sources

resourcemanager.organizations.get
securitycenter.sources.*
securitycenter.userinterfacemetadata.*

Security Center Sources Editor

roles/securitycenter.sourcesEditor

Read-write access to sources

resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.userinterfacemetadata.*

Security Center Sources Viewer

roles/securitycenter.sourcesViewer

Read access to sources

resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.userinterfacemetadata.*

Serverless VPC Access Admin

roles/vpcaccess.admin

Full access to all Serverless VPC Access resources

resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.*

Serverless VPC Access User

roles/vpcaccess.user

User of Serverless VPC Access connectors

compute.networks.access
resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.connectors.get
vpcaccess.connectors.list
vpcaccess.connectors.use
vpcaccess.locations.*
vpcaccess.operations.*

Serverless VPC Access Viewer

roles/vpcaccess.viewer

Viewer of all Serverless VPC Access resources

resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.connectors.get
vpcaccess.connectors.list
vpcaccess.locations.*
vpcaccess.operations.*

Service Account Admin

roles/iam.serviceAccountAdmin

Create and manage service accounts.

iam.serviceAccounts.create
iam.serviceAccounts.delete
iam.serviceAccounts.disable
iam.serviceAccounts.enable
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.setIamPolicy
iam.serviceAccounts.undelete
iam.serviceAccounts.update
resourcemanager.projects.get
resourcemanager.projects.list

Create Service Accounts

roles/iam.serviceAccountCreator

Access to create service accounts.

iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list

Delete Service Accounts

roles/iam.serviceAccountDeleter

Access to delete service accounts.

iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list

Service Account Key Admin

roles/iam.serviceAccountKeyAdmin

Create and manage (and rotate) service account keys.

iam.serviceAccountKeys.*
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list

Service Account Token Creator

roles/iam.serviceAccountTokenCreator

Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).

iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
resourcemanager.projects.get
resourcemanager.projects.list

Service Account User

roles/iam.serviceAccountUser

Run operations as the service account.

iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list

View Service Accounts

roles/iam.serviceAccountViewer

Read access to service accounts, metadata, and keys.

iam.serviceAccountKeys.get
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list

Workload Identity User

roles/iam.workloadIdentityUser

Impersonate service accounts from GKE Workloads

iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.list

Vertex AI Custom Code Service Agent

roles/aiplatform.customCodeServiceAgent

Gives Vertex AI Custom Code the proper permissions.

aiplatform.annotationSpecs.*
aiplatform.annotations.*
aiplatform.artifacts.*
aiplatform.batchPredictionJobs.*
aiplatform.contexts.*
aiplatform.customJobs.*
aiplatform.dataItems.*
aiplatform.dataLabelingJobs.*
aiplatform.datasets.*
aiplatform.deploymentResourcePools.*
aiplatform.edgeDeploymentJobs.*
aiplatform.edgeDeviceDebugInfo.*
aiplatform.edgeDevices.*
aiplatform.endpoints.*
aiplatform.entityTypes.*
aiplatform.executions.*
aiplatform.features.*
aiplatform.featurestores.*
aiplatform.humanInTheLoops.*
aiplatform.hyperparameterTuningJobs.*
aiplatform.indexEndpoints.*
aiplatform.indexes.*
aiplatform.locations.*
aiplatform.metadataSchemas.*
aiplatform.metadataStores.*
aiplatform.modelDeploymentMonitoringJobs.*
aiplatform.modelEvaluationSlices.*
aiplatform.modelEvaluations.*
aiplatform.models.*
aiplatform.nasJobs.*
aiplatform.operations.*
aiplatform.pipelineJobs.*
aiplatform.specialistPools.*
aiplatform.studies.*
aiplatform.tensorboardExperiments.*
aiplatform.tensorboardRuns.*
aiplatform.tensorboardTimeSeries.*
aiplatform.tensorboards.create
aiplatform.tensorboards.delete
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.tensorboards.update
aiplatform.trainingPipelines.*
aiplatform.trials.*
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.tags.get
artifactregistry.versions.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
logging.logEntries.create
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

Vertex AI Service Agent

roles/aiplatform.serviceAgent

Gives Vertex AI the permissions it needs to function.

aiplatform.annotationSpecs.*
aiplatform.annotations.*
aiplatform.artifacts.*
aiplatform.batchPredictionJobs.*
aiplatform.contexts.*
aiplatform.customJobs.*
aiplatform.dataItems.*
aiplatform.dataLabelingJobs.*
aiplatform.datasets.*
aiplatform.deploymentResourcePools.*
aiplatform.edgeDeploymentJobs.*
aiplatform.edgeDeviceDebugInfo.*
aiplatform.edgeDevices.*
aiplatform.endpoints.*
aiplatform.entityTypes.*
aiplatform.executions.*
aiplatform.features.*
aiplatform.featurestores.*
aiplatform.humanInTheLoops.*
aiplatform.hyperparameterTuningJobs.*
aiplatform.indexEndpoints.*
aiplatform.indexes.*
aiplatform.locations.*
aiplatform.metadataSchemas.*
aiplatform.metadataStores.*
aiplatform.modelDeploymentMonitoringJobs.*
aiplatform.modelEvaluationSlices.*
aiplatform.modelEvaluations.*
aiplatform.models.*
aiplatform.nasJobs.*
aiplatform.operations.*
aiplatform.pipelineJobs.*
aiplatform.specialistPools.*
aiplatform.studies.*
aiplatform.tensorboardExperiments.*
aiplatform.tensorboardRuns.*
aiplatform.tensorboardTimeSeries.*
aiplatform.tensorboards.create
aiplatform.tensorboards.delete
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.tensorboards.update
aiplatform.trainingPipelines.*
aiplatform.trials.*
artifactregistry.repositories.create
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.get
artifactregistry.versions.get
automl.datasets.export
automl.datasets.get
automl.datasets.list
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.tableSpecs.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.models.export
bigquery.readsessions.create
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
compute.machineTypes.get
dataflow.jobs.*
dataflow.messages.*
dataflow.metrics.*
dataflow.snapshots.*
datalabeling.annotateddatasets.get
datalabeling.datasets.export
datalabeling.datasets.get
datalabeling.datasets.list
datalabeling.operations.get
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
logging.logEntries.create
ml.models.list
ml.operations.get
ml.versions.get
ml.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

Anthos Service Agent

roles/anthos.serviceAgent

Gives the Anthos service agent access to Google Cloud resources.

gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
serviceusage.services.get
serviceusage.services.list

Anthos Audit Service Agent

roles/anthosaudit.serviceAgent

Gives the Anthos Audit service agent access to Cloud Platform resources.

gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list

Anthos Config Management Service Agent

roles/anthosconfigmanagement.serviceAgent

Gives the Anthos Config Management service agent access to Google Cloud resources.

gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list

Anthos Identity Service Agent

roles/anthosidentityservice.serviceAgent

Gives the Anthos Identity service agent access to Google Cloud resources.

gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list

Anthos Service Mesh Service Agent

roles/anthosservicemesh.serviceAgent

Gives the Anthos Service Mesh service agent access to Cloud Platform resources.

container.backendConfigs.*
container.clusterRoleBindings.*
container.clusterRoles.*
container.clusters.get
container.configMaps.*
container.customResourceDefinitions.create
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.customResourceDefinitions.update
container.daemonSets.create
container.daemonSets.delete
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.daemonSets.update
container.deployments.get
container.deployments.list
container.events.get
container.events.list
container.mutatingWebhookConfigurations.create
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.mutatingWebhookConfigurations.update
container.namespaces.create
container.namespaces.get
container.namespaces.list
container.pods.get
container.pods.list
container.secrets.*
container.serviceAccounts.create
container.serviceAccounts.delete
container.serviceAccounts.get
container.serviceAccounts.list
container.serviceAccounts.update
container.services.get
container.services.list
container.thirdPartyObjects.create
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyObjects.update
container.validatingWebhookConfigurations.create
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.validatingWebhookConfigurations.update
gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
meshconfig.projects.init

Anthos Support Service Agent

roles/anthossupport.serviceAgent

Gives the Anthos Support Service Agent access to Cloud Platform resource.

gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.gateway.get
gkehub.locations.*
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.operations.get
gkehub.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get

Cloud API Gateway Service Agent

roles/apigateway.serviceAgent

Gives Cloud API Gateway service account access to Service Management check and reports as well as impersonation on user-specified service accounts.

iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
servicemanagement.services.check
servicemanagement.services.quota
servicemanagement.services.report

Cloud API Gateway Management Service Agent

roles/apigateway_management.serviceAgent

Gives Cloud API Gateway service account access to retrieve a Service configuration.

iam.serviceAccounts.get
servicemanagement.services.create
servicemanagement.services.delete
servicemanagement.services.get
servicemanagement.services.list
servicemanagement.services.update
serviceusage.services.get

Apigee Service Agent

roles/apigee.serviceAgent

Service agent that grants access to Apigee resources - API Products, Developers, Developer Apps, and App Keys.

apigee.apiproducts.get
apigee.apiproducts.list
apigee.appkeys.create
apigee.appkeys.delete
apigee.appkeys.manage
apigee.apps.get
apigee.canaryevaluations.*
apigee.developerapps.*
apigee.developers.create
apigee.developers.get
apigee.environments.get
apigee.environments.getDataLocation
apigee.environments.manageRuntime
apigee.ingressconfigs.*
apigee.instances.reportStatus
apigee.operations.*
apigee.organizations.get
apigee.proxyrevisions.get
apigee.runtimeconfigs.*
cloudtrace.traces.patch
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
logging.buckets.create
logging.buckets.get
logging.buckets.list
logging.views.create
logging.views.get
logging.views.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create

App Development Experience Service Agent

roles/appdevelopmentexperience.serviceAgent

Give the App Development Experience service agent access to Cloud Platform resources.

container.clusters.get
container.clusters.update
gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list

App Engine flexible environment Service Agent

roles/appengineflex.serviceAgent

Can edit and manage App Engine Flexible Environment apps. Includes access to service accounts.

billing.accounts.get
cloudbuild.builds.create
cloudbuild.builds.get
compute.addresses.create
compute.addresses.delete
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.update
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.update
compute.backendServices.use
compute.disks.list
compute.firewalls.*
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.globalAddresses.create
compute.globalAddresses.delete
compute.globalAddresses.get
compute.globalAddresses.use
compute.globalForwardingRules.create
compute.globalForwardingRules.delete
compute.globalForwardingRules.get
compute.globalOperations.get
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.update
compute.healthChecks.useReadOnly
compute.httpHealthChecks.create
compute.httpHealthChecks.delete
compute.httpHealthChecks.get
compute.httpHealthChecks.use
compute.httpHealthChecks.useReadOnly
compute.httpsHealthChecks.create
compute.httpsHealthChecks.delete
compute.httpsHealthChecks.get
compute.httpsHealthChecks.update
compute.httpsHealthChecks.use
compute.httpsHealthChecks.useReadOnly
compute.images.get
compute.images.useReadOnly
compute.instanceGroupManagers.create
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.get
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.update
compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.reset
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.use
compute.machineTypes.get
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.update
compute.regionBackendServices.use
compute.regionOperations.get
compute.regions.get
compute.routes.get
compute.routes.list
compute.subnetworks.delete
compute.subnetworks.get
compute.targetHttpProxies.create
compute.targetHttpProxies.delete
compute.targetHttpProxies.get
compute.targetHttpProxies.use
compute.targetHttpsProxies.create
compute.targetHttpsProxies.delete
compute.targetHttpsProxies.get
compute.targetHttpsProxies.setSslCertificates
compute.targetHttpsProxies.use
compute.urlMaps.create
compute.urlMaps.delete
compute.urlMaps.get
compute.urlMaps.update
compute.urlMaps.use
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
deploymentmanager.compositeTypes.get
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.update
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.typeProviders.create
deploymentmanager.typeProviders.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
logging.logEntries.create
logging.logMetrics.create
logging.logMetrics.delete
logging.logMetrics.get
logging.logMetrics.update
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list

Artifact Registry Service Agent

roles/artifactregistry.serviceAgent

Gives the Artifact Registry service account access to managed resources.

artifactregistry.repositories.downloadArtifacts
pubsub.topics.publish

Assured Workloads Service Agent

roles/assuredworkloads.serviceAgent

Gives the Assured Workloads service account access to create KMS keyrings and keys, and to monitor Assured Workloads.

cloudkms.cryptoKeys.create
cloudkms.keyRings.create
serviceusage.services.enable
serviceusage.services.use

AutoML Service Agent

roles/automl.serviceAgent

AutoML service agent can act as Cloud Storage admin and export BigQuery tables, which can be backed by Cloud Storage and Cloud Bigtable.

bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
serviceusage.services.use
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

Recommendations AI Service Agent

roles/automlrecommendations.serviceAgent

Recommendations AI service uploads catalog feeds from Cloud Storage, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Stackdriver metrics for customer projects.

bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.updateData
cloudnotifications.*
dataflow.jobs.*
dataflow.messages.*
dataflow.metrics.*
logging.logEntries.create
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
opsconfigmonitoring.resourceMetadata.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

BigQuery Connection Service Agent

roles/bigqueryconnection.serviceAgent

Gives BigQuery Connection Service access to Cloud SQL instances in user projects.

cloudsql.instances.connect
cloudsql.instances.get
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create

BigQuery Data Transfer Service Agent

roles/bigquerydatatransfer.serviceAgent

Gives BigQuery Data Transfer Service access to start BigQuery jobs in consumer project.

bigquery.config.get
bigquery.jobs.create
iam.serviceAccounts.getAccessToken
logging.logEntries.create
resourcemanager.projects.get
resourcemanager.projects.list

Binary Authorization Service Agent

roles/binaryauthorization.serviceAgent

Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures.

binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.verifyImageAttested
cloudasset.assets.exportResource
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.get
cloudasset.feeds.update
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.notes.listOccurrences
containeranalysis.occurrences.get
containeranalysis.occurrences.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Asset Service Agent

roles/cloudasset.serviceAgent

Gives Cloud Asset service agent permissions to Cloud Storage and BigQuery for exporting Assets, and permission to publish to Cloud Pub/Sub topics for Asset Real Time Feed.

bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.delete
bigquery.tables.get
bigquery.tables.update
bigquery.tables.updateData
pubsub.topics.publish
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.objects.create
storage.objects.delete
storage.objects.get

Cloud Build Service Agent

roles/cloudbuild.serviceAgent

Gives Cloud Build service account access to managed resources.

artifactregistry.aptartifacts.*
artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.yumartifacts.*
binaryauthorization.attestors.create
binaryauthorization.attestors.delete
binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.update
binaryauthorization.attestors.verifyImageAttested
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.workerpools.use
compute.firewalls.get
compute.firewalls.list
compute.networks.get
compute.subnetworks.get
containeranalysis.notes.attachOccurrence
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.notes.update
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
logging.logEntries.create
logging.logEntries.list
logging.privateLogEntries.*
logging.views.access
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.publish
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

Cloud Deploy Service Agent

roles/clouddeploy.serviceAgent

Gives Cloud Deploy Service Account access to managed resources.

cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.workerpools.use
iam.serviceAccounts.actAs
logging.logEntries.create
pubsub.topics.get
pubsub.topics.publish
servicemanagement.services.report
serviceusage.services.use
storage.buckets.create
storage.buckets.get

Cloud Functions Service Agent

roles/cloudfunctions.serviceAgent

Gives Cloud Functions service account access to managed resources.

artifactregistry.*
clientauthconfig.clients.list
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.workerpools.use
cloudfunctions.functions.invoke
compute.globalOperations.get
compute.networks.access
eventarc.locations.*
eventarc.operations.*
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.undelete
eventarc.triggers.update
firebasedatabase.instances.get
firebasedatabase.instances.update
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.signBlob
pubsub.subscriptions.*
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.get
pubsub.topics.list
recommender.locations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.configurations.*
run.locations.*
run.revisions.*
run.routes.*
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.update
serviceusage.quotas.get
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.use
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
vpcaccess.connectors.get
vpcaccess.connectors.use

Cloud IoT Core Service Agent

roles/cloudiot.serviceAgent

Grants the ability to manage Cloud IoT Core resources, including publishing data to Cloud Pub/Sub and writing device activity logs to Stackdriver. Warning: If this role is removed from the Cloud IoT service account, Cloud IoT Core will be unable to publish data or write device activity logs.

logging.logEntries.create
pubsub.topics.publish

Cloud KMS Service Agent

roles/cloudkms.serviceAgent

Gives Cloud KMS service account access to managed resources.

cloudasset.assets.listCloudkmsCryptoKeys

Cloud Optimization Service Agent

roles/cloudoptimization.serviceAgent

Grants Cloud Optimization Service Account access to read and write data in the user project.

storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

Cloud Scheduler Service Agent

roles/cloudscheduler.serviceAgent

Grants Cloud Scheduler Service Account access to manage resources.

iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
logging.logEntries.create
pubsub.topics.publish

Cloud SQL Service Agent

roles/cloudsql.serviceAgent

Grants Cloud SQL access to services and APIs in the user project

cloudsql.instances.get

Cloud Tasks Service Agent

roles/cloudtasks.serviceAgent

Grants Cloud Tasks Service Account access to manage resources.

iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
logging.logEntries.create

Cloud TPU V2 API Service Agent

roles/cloudtpu.serviceAgent

Give Cloud TPUs service account access to managed resources

compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.*
compute.backendBuckets.*
compute.backendServices.*
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.*
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.use
compute.firewalls.*
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.update
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnects.*
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.*
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.regionBackendServices.*
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.use
compute.regionHealthCheckServices.*
compute.regionHealthChecks.*
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.*
compute.regionOperations.get
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.*
compute.regionTargetHttpsProxies.*
compute.regionUrlMaps.*
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.serviceAttachments.*
compute.snapshots.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.*
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
networkconnectivity.locations.*
networkconnectivity.operations.*
networksecurity.*
networkservices.*
pubsub.*
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
trafficdirector.*

Cloud Translation API Service Agent

roles/cloudtranslate.serviceAgent

Gives Cloud Translation Service Account access to consumer resources.

storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list

Compliance Scanning Service Agent

roles/compliancescanning.ServiceAgent

Gives Compliance Scanning the access it needs to analyze containers and VMs for compliance and create occurrences using the Container Analysis API

artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
compute.images.get
compute.images.list
compute.images.useReadOnly
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.list
compute.zones.*
containeranalysis.notes.attachOccurrence
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.notes.update
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list

Cloud Composer API Service Agent

roles/composer.serviceAgent

Cloud Composer API service agent can manage environments.

appengine.applications.get
appengine.applications.update
appengine.instances.*
appengine.operations.*
appengine.runtimes.*
appengine.services.*
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.repositories.create
artifactregistry.repositories.delete
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.update
cloudnotifications.*
cloudsql.*
compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.*
compute.backendBuckets.*
compute.backendServices.*
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.*
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.use
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.update
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnects.*
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.*
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.regionBackendServices.*
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.use
compute.regionHealthCheckServices.*
compute.regionHealthChecks.*
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.*
compute.regionOperations.get
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.*
compute.regionTargetHttpsProxies.*
compute.regionUrlMaps.*
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.serviceAttachments.*
compute.snapshots.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.*
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
container.*
deploymentmanager.compositeTypes.*
deploymentmanager.deployments.cancelPreview
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.stop
deploymentmanager.deployments.update
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.*
deploymentmanager.types.*
firebase.projects.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
logging.buckets.create
logging.buckets.delete
logging.buckets.get
logging.buckets.list
logging.buckets.undelete
logging.buckets.update
logging.cmekSettings.*
logging.exclusions.*
logging.locations.*
logging.logEntries.create
logging.logMetrics.*
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.notificationRules.*
logging.operations.*
logging.sinks.*
logging.views.create
logging.views.delete
logging.views.get
logging.views.list
logging.views.update
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
networkconnectivity.locations.*
networkconnectivity.operations.*
networksecurity.*
networkservices.*
opsconfigmonitoring.resourceMetadata.list
orgpolicy.policy.get
pubsub.*
recommender.cloudsqlIdleInstanceRecommendations.*
recommender.cloudsqlInstanceActivityInsights.*
recommender.cloudsqlInstanceCpuUsageInsights.*
recommender.cloudsqlInstanceDiskUsageTrendInsights.*
recommender.cloudsqlInstanceMemoryUsageInsights.*
recommender.cloudsqlInstanceOutOfDiskRecommendations.*
recommender.cloudsqlOverprovisionedInstanceRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
stackdriver.projects.get
storage.buckets.*
storage.multipartUploads.*
storage.objects.*
trafficdirector.*

Compute Engine Service Agent

roles/compute.serviceAgent

Gives Compute Engine Service Account access to assert service account authority. Includes access to service accounts.

cloudnotifications.*
compute.instanceGroupManagers.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.signJwt
logging.logEntries.create
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
opsconfigmonitoring.resourceMetadata.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get

Contact Center AI Insights Service Agent

roles/contactcenterinsights.serviceAgent

Allows Contact Center AI to read and write APIs including BigQuery, Dialogflow, and Storage.

bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.get
bigquery.tables.update
bigquery.tables.updateData
datalabeling.dataitems.*
datalabeling.datasets.create
datalabeling.datasets.delete
datalabeling.datasets.export
datalabeling.datasets.get
datalabeling.datasets.import
datalabeling.operations.get
datalabeling.operations.list
dialogflow.conversationDatasets.*
dialogflow.conversationModels.*
dialogflow.documents.*
dialogflow.operations.*
dialogflow.participants.suggest
dialogflow.sessions.detectIntent
pubsub.topics.get
pubsub.topics.publish
storage.objects.get
storage.objects.list

Kubernetes Engine Service Agent

roles/container.serviceAgent

Gives Kubernetes Engine account access to manage cluster resources. Includes access to service accounts.

bigquery.datasets.create
bigquery.datasets.get
bigquery.tables.create
bigquery.tables.get
bigquery.tables.update
bigquery.tables.updateData
binaryauthorization.policy.evaluatePolicy
certificatemanager.certmapentries.create
certificatemanager.certmapentries.delete
certificatemanager.certmapentries.get
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmapentries.update
certificatemanager.certmaps.create
certificatemanager.certmaps.delete
certificatemanager.certmaps.get
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certmaps.update
certificatemanager.certmaps.use
certificatemanager.certs.create
certificatemanager.certs.delete
certificatemanager.certs.get
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.certs.update
certificatemanager.certs.use
certificatemanager.dnsauthorizations.create
certificatemanager.dnsauthorizations.delete
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.dnsauthorizations.update
certificatemanager.dnsauthorizations.use
compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.*
compute.backendBuckets.*
compute.backendServices.*
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.*
compute.firewallPolicies.*
compute.firewalls.*
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.update
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnects.*
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.*
compute.nodeGroups.get
compute.packetMirrorings.*
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.regionBackendServices.*
compute.regionFirewallPolicies.*
compute.regionHealthCheckServices.*
compute.regionHealthChecks.*
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.*
compute.regionOperations.get
compute.regionOperations.list
compute.regionSslCertificates.*
compute.regionTargetHttpProxies.*
compute.regionTargetHttpsProxies.*
compute.regionUrlMaps.*
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.*
compute.routes.*
compute.securityPolicies.*
compute.serviceAttachments.*
compute.snapshots.*
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
container.*
dns.changes.*
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.*
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.list
dns.policies.update
dns.projects.*
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
file.*
iam.serviceAccounts.actAs
iam.serviceAccounts.get
logging.logEntries.create
meshconfig.projects.get
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.*
networkconnectivity.locations.*
networkconnectivity.operations.*
networksecurity.*
networkservices.*
pubsub.topics.create
pubsub.topics.get
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
tpu.locations.*
tpu.nodes.create
tpu.nodes.delete
tpu.nodes.get
tpu.nodes.list
tpu.operations.*
trafficdirector.*

Container Analysis Service Agent

roles/containeranalysis.ServiceAgent

Gives Container Analysis API the access it needs to function

artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
pubsub.schemas.attach
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.objects.get
storage.objects.list

Container Registry Service Agent

roles/containerregistry.ServiceAgent

Access for Container Registry

pubsub.topics.publish
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list

Container Scanner Service Agent

roles/containerscanning.ServiceAgent

Gives Container Scanner the access it needs to analyze containers for vulnerabilities and create occurrences using the Container Analysis API

artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list

Container Threat Detection Service Agent

roles/containerthreatdetection.serviceAgent

Gives Container Threat Detection service account access to enable/disable Container Threat Detection and manage the Container Threat Detection Agent on Google Kubernetes Engine clusters.

container.apiServices.get
container.apiServices.getStatus
container.apiServices.list
container.auditSinks.get
container.auditSinks.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.certificateSigningRequests.get
container.certificateSigningRequests.getStatus
container.certificateSigningRequests.list
container.clusterRoleBindings.*
container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.delete
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.get
container.configMaps.list
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.csiDrivers.get
container.csiDrivers.list
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodes.get
container.csiNodes.list
container.customResourceDefinitions.get
container.customResourceDefinitions.getStatus
container.customResourceDefinitions.list
container.daemonSets.*
container.deployments.get
container.deployments.getScale
container.deployments.getStatus
container.deployments.list
container.endpointSlices.get
container.endpointSlices.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.frontendConfigs.get
container.frontendConfigs.list
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.initializerConfigurations.get
container.initializerConfigurations.list
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.leases.get
container.leases.list
container.limitRanges.get
container.limitRanges.list
container.managedCertificates.get
container.managedCertificates.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.networkPolicies.update
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.*
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.petSets.get
container.petSets.list
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podPresets.get
container.podPresets.list
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.get
container.podTemplates.list
container.pods.attach
container.pods.create
container.pods.delete
container.pods.exec
container.pods.get
container.pods.getLogs
container.pods.getStatus
container.pods.list
container.pods.portForward
container.pods.update
container.priorityClasses.get
container.priorityClasses.list
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.roleBindings.*
container.roles.get
container.roles.list
container.runtimeClasses.get
container.runtimeClasses.list
container.scheduledJobs.get
container.scheduledJobs.list
container.secrets.create
container.secrets.delete
container.secrets.list
container.secrets.update
container.serviceAccounts.create
container.serviceAccounts.delete
container.serviceAccounts.get
container.serviceAccounts.list
container.serviceAccounts.update
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.statefulSets.getScale
container.statefulSets.getStatus
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyResources.get
container.thirdPartyResources.list
container.tokenReviews.*
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeAttachments.get
container.volumeAttachments.getStatus
container.volumeAttachments.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
resourcemanager.projects.get
resourcemanager.projects.list

Content Warehouse Service Agent

roles/contentwarehouse.serviceAgent

Gives the Content Warehouse service account to manage customer resources

cloudfunctions.functions.invoke
pubsub.topics.publish
pubsublite.topics.publish
storage.objects.get
storage.objects.list

Data Connectors Service Agent

roles/dataconnectors.serviceAgent

Gives Data Connectors service agent permission to access the virtual private cloud

compute.globalOperations.get
compute.networks.access
vpcaccess.connectors.get
vpcaccess.connectors.use

Cloud Dataflow Service Agent

roles/dataflow.serviceAgent

Gives Cloud Dataflow service account access to managed resources. Includes access to service accounts.

bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.config.*
bigquery.connections.*
bigquery.dataPolicies.*
bigquery.datasets.*
bigquery.jobs.*
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.*
bigquery.reservations.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.overrideTimeTravelRestrictions
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.savedqueries.*
bigquery.tables.*
bigquery.transfers.*
bigquerymigration.translation.*
clouddebugger.breakpoints.list
clouddebugger.breakpoints.listActive
clouddebugger.breakpoints.update
clouddebugger.debuggees.create
cloudnotifications.*
compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.*
compute.backendBuckets.*
compute.backendServices.*
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.*
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.use
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.update
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnects.*
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.*
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.regionBackendServices.*
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.use
compute.regionHealthCheckServices.*
compute.regionHealthChecks.*
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.*
compute.regionOperations.get
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.*
compute.regionTargetHttpsProxies.*
compute.regionUrlMaps.*
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.serviceAttachments.*
compute.snapshots.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.*
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
firebase.projects.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
logging.buckets.create
logging.buckets.delete
logging.buckets.get
logging.buckets.list
logging.buckets.undelete
logging.buckets.update
logging.cmekSettings.*
logging.exclusions.*
logging.locations.*
logging.logEntries.create
logging.logMetrics.*
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.notificationRules.*
logging.operations.*
logging.sinks.*
logging.views.create
logging.views.delete
logging.views.get
logging.views.list
logging.views.update
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
networkconnectivity.locations.*
networkconnectivity.operations.*
networksecurity.*
networkservices.*
opsconfigmonitoring.resourceMetadata.list
orgpolicy.policy.get
pubsub.*
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
stackdriver.projects.get
storage.buckets.*
storage.multipartUploads.*
storage.objects.*
trafficdirector.*

Dataform Service Agent

roles/dataform.serviceAgent

Gives permission for the Dataform API to access a secret from Secret Manager

resourcemanager.projects.get
resourcemanager.projects.list

Cloud Data Fusion API Service Agent

roles/datafusion.serviceAgent

Gives Cloud Data Fusion service account access to Service Networking, Cloud Dataproc, Cloud Storage, BigQuery, Cloud Spanner, and Cloud Bigtable resources.

bigquery.config.get
bigquery.dataPolicies.*
bigquery.datasets.*
bigquery.jobs.create
bigquery.models.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.tables.*
bigtable.*
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalOperations.get
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.machineTypes.*
compute.networks.addPeering
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.removePeering
compute.networks.update
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
dataproc.autoscalingPolicies.create
dataproc.autoscalingPolicies.delete
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.update
dataproc.autoscalingPolicies.use
dataproc.batches.*
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.start
dataproc.clusters.stop
dataproc.clusters.update
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
dataproc.workflowTemplates.instantiate
dataproc.workflowTemplates.instantiateInline
dataproc.workflowTemplates.list
dataproc.workflowTemplates.update
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.list
dns.networks.bindPrivateDNSZone
dns.networks.targetWithPeeringZone
firebase.projects.get
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.*
networkconnectivity.locations.*
networkconnectivity.operations.get
networkconnectivity.operations.list
networksecurity.authorizationPolicies.get
networksecurity.authorizationPolicies.list
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.locations.*
networksecurity.operations.get
networksecurity.operations.list
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networkservices.endpointConfigSelectors.get
networkservices.endpointConfigSelectors.list
networkservices.endpointPolicies.get
networkservices.endpointPolicies.list
networkservices.gateways.get
networkservices.gateways.list
networkservices.grpcRoutes.get
networkservices.grpcRoutes.list
networkservices.httpFilters.get
networkservices.httpFilters.list
networkservices.httpRoutes.get
networkservices.httpRoutes.list
networkservices.httpfilters.get
networkservices.httpfilters.list
networkservices.locations.*
networkservices.meshes.get
networkservices.meshes.list
networkservices.operations.get
networkservices.operations.list
networkservices.serviceBindings.get
networkservices.serviceBindings.list
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
spanner.databaseOperations.*
spanner.databases.beginOrRollbackReadWriteTransaction
spanner.databases.beginPartitionedDmlTransaction
spanner.databases.beginReadOnlyTransaction
spanner.databases.getDdl
spanner.databases.list
spanner.databases.partitionQuery
spanner.databases.partitionRead
spanner.databases.read
spanner.databases.select
spanner.databases.updateDdl
spanner.databases.write
spanner.instanceConfigs.*
spanner.instances.get
spanner.instances.list
spanner.sessions.*
storage.buckets.*
storage.multipartUploads.*
storage.objects.*
trafficdirector.*

Data Labeling Service Agent

roles/datalabeling.serviceAgent

Gives Data Labeling service account read/write access to Cloud Storage, read/write BigQuery, update CMLE model versions, editor access to Annotation service and AutoML service.

automl.annotationSpecs.*
automl.annotations.*
automl.columnSpecs.*
automl.datasets.create
automl.datasets.delete
automl.datasets.export
automl.datasets.get
automl.datasets.import
automl.datasets.list
automl.datasets.update
automl.examples.*
automl.humanAnnotationTasks.*
automl.locations.get
automl.locations.list
automl.modelEvaluations.*
automl.models.create
automl.models.delete
automl.models.deploy
automl.models.export
automl.models.get
automl.models.list
automl.models.predict
automl.models.undeploy
automl.operations.*
automl.tableSpecs.*
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.get
bigquery.tables.getData
ml.jobs.create
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.*
ml.models.*
ml.operations.get
ml.operations.list
ml.projects.*
ml.studies.*
ml.trials.*
ml.versions.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

Datapipelines Service Agent

roles/datapipelines.serviceAgent

Gives Datapipelines service permissions to create Dataflow & Cloud Scheduler jobs in the user project.

appengine.applications.get
cloudscheduler.*
compute.machineTypes.get
compute.projects.get
compute.regions.list
compute.zones.list
dataflow.jobs.*
dataflow.messages.*
dataflow.metrics.*
dataflow.snapshots.*
firebase.projects.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
orgpolicy.policy.get
recommender.dataflowDiagnosticsInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
storage.buckets.*
storage.multipartUploads.*
storage.objects.*

Cloud Dataplex Service Agent

roles/dataplex.serviceAgent

Gives the Dataplex service account access to project resources. This access will be used in data discovery, data management and data workload management.

bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.config.*
bigquery.connections.*
bigquery.dataPolicies.*
bigquery.datasets.*
bigquery.jobs.*
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.*
bigquery.reservations.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.overrideTimeTravelRestrictions
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.savedqueries.*
bigquery.tables.*
bigquery.transfers.*
bigquerymigration.translation.*
dataplex.assets.getIamPolicy
dataplex.environments.get
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.zones.getIamPolicy
dataproc.autoscalingPolicies.create
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.get
dataproc.jobs.delete
dataproc.jobs.get
dataproc.operations.cancel
dataproc.operations.get
dataproc.operations.list
dataproc.workflowTemplates.instantiateInline
firebase.projects.get
iam.serviceAccounts.actAs
logging.logEntries.create
metastore.services.get
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.report
serviceusage.services.use
storage.buckets.*
storage.multipartUploads.*
storage.objects.*

Dataprep Service Agent

roles/dataprep.serviceAgent

Dataprep service identity. Includes access to service accounts.

bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.jobs.create
bigquery.jobs.list
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.routines.*
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
bigquery.transfers.get
bigquerymigration.translation.*
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.validate
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
dataflow.jobs.*
dataflow.messages.*
dataflow.metrics.*
dataflow.snapshots.*
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
orgpolicy.policy.get
recommender.dataflowDiagnosticsInsights.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.list
storage.multipartUploads.*
storage.objects.*

Dataproc Service Agent

roles/dataproc.serviceAgent

Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and kubernetes resources. Includes access to service accounts.

compute.acceleratorTypes.*
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.get
compute.firewalls.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get
compute.licenses.list
compute.machineImages.*
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.nodeGroups.get
compute.nodeTypes.get
compute.projects.get
compute.regionNetworkEndpointGroups.*
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetPools.get
compute.targetPools.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
container.clusterRoleBindings.*
container.clusterRoles.*
container.clusters.get
container.clusters.update
container.customResourceDefinitions.create
container.customResourceDefinitions.delete
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.customResourceDefinitions.update
container.namespaces.create
container.namespaces.delete
container.namespaces.get
container.namespaces.list
container.namespaces.update
container.operations.get
container.roleBindings.*
container.roles.bind
container.roles.escalate
dataproc.autoscalingPolicies.create
dataproc.autoscalingPolicies.delete
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.getIamPolicy
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.update
dataproc.autoscalingPolicies.use
dataproc.clusters.*
dataproc.jobs.*
firebase.projects.get
iam.serviceAccounts.actAs
metastore.services.get
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.*
storage.multipartUploads.*
storage.objects.*

Data Studio Service Agent

roles/datastudio.serviceAgent

Grants Data Studio Service Account access to manage resources.

bigquery.jobs.create

Dialogflow Service Agent

roles/dialogflow.serviceAgent

Gives Dialogflow Service Account access to resources on behalf of user project for intent detection in integrations (Facebook Messenger, Slack, Telephony, etc.).

cloudfunctions.functions.invoke
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.agents.searchResources
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.*
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.list
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversations.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.*
dialogflow.modelEvaluations.*
dialogflow.operations.*
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.*
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.*
dialogflow.sessions.*
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
logging.logEntries.create
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
speech.adaptations.*
speech.customClasses.get
speech.customClasses.list
speech.phraseSets.get
speech.phraseSets.list
storage.objects.create
storage.objects.get
storage.objects.list

DLP API Service Agent

roles/dlp.serviceAgent

Gives the Cloud DLP API service agent permissions for BigQuery, Cloud Storage, Datastore, Pub/Sub, and Cloud KMS.

appengine.applications.get
bigquery.config.get
bigquery.dataPolicies.*
bigquery.datasets.*
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.update
bigquery.models.*
bigquery.readsessions.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.tables.*
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.exportResource
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.locations.get
cloudkms.locations.list
datacatalog.categories.fineGrainedGet
datacatalog.tagTemplates.*
datastore.databases.get
datastore.databases.getMetadata
datastore.entities.*
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.list
datastore.statistics.*
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.jobs.*
dlp.kms.*
firebase.projects.get
orgpolicy.policy.get
pubsub.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
storage.buckets.*
storage.multipartUploads.*
storage.objects.*

DocumentAI Core Service Agent

roles/documentaicore.serviceAgent

Gives DocumentAI Core Service Account access to consumer resources.

automl.models.predict
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

Cloud Endpoints Service Agent

roles/endpoints.serviceAgent

Gives the Cloud Endpoints service account access to Endpoints services and the ability to act as a service controller.

servicemanagement.services.check
servicemanagement.services.get
servicemanagement.services.quota
servicemanagement.services.report

Endpoints Portal Service Agent

roles/endpointsportal.serviceAgent

Can access information about Endpoints services for consumer portal management, and can read Source Repositories for consumer portal custom content.

servicemanagement.services.get
servicemanagement.services.list
source.repos.get

Enterprise Knowledge Graph Service Agent

roles/enterpriseknowledgegraph.serviceAgent

Gives Enterprise Knowledge Graph Service Account access to consumer resources.

bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list

Eventarc Service Agent

roles/eventarc.serviceAgent

Gives Eventarc service account access to managed resources.

compute.instanceGroupManagers.get
container.clusters.get
container.deployments.create
container.deployments.delete
container.deployments.get
container.deployments.list
container.deployments.update
container.namespaces.create
container.namespaces.delete
container.namespaces.get
container.namespaces.list
container.serviceAccounts.create
container.serviceAccounts.delete
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.list
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
monitoring.timeSeries.create
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
run.services.get
serviceusage.services.use
storage.buckets.get
storage.buckets.update
workflows.workflows.get

Cloud Filestore Service Agent

roles/file.serviceAgent

Gives Cloud Filestore service account access to managed resources.

compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.networks.updatePeering
compute.routes.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list

Firebase App Distribution Admin SDK Service Agent

roles/firebase.appDistributionSdkServiceAgent

Read and write access to Firebase App Distribution with the Admin SDK

firebaseappdistro.*

Firebase Service Management Service Agent

roles/firebase.managementServiceAgent

Access to create new service agents for Firebase projects; assign roles to service agents; provision GCP resources as required by Firebase services.

apikeys.keys.create
apikeys.keys.get
apikeys.keys.list
apikeys.keys.update
appengine.applications.*
appengine.operations.get
appengine.services.list
clientauthconfig.brands.create
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.update
firebase.clients.create
firebase.clients.delete
firebase.clients.get
firebase.projects.*
firebaseauth.configs.create
firebaseauth.configs.get
firebaseauth.configs.update
firebaserules.releases.create
firebaserules.releases.delete
firebaserules.releases.get
firebaserules.rulesets.create
iam.roles.get
iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
resourcemanager.projects.update
servicemanagement.services.bind
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.use
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy

Firebase Admin SDK Administrator Service Agent

roles/firebase.sdkAdminServiceAgent

Read and write access to Firebase products available in the Admin SDK

appengine.applications.get
cloudconfig.*
cloudmessaging.*
datastore.databases.get
datastore.databases.getMetadata
datastore.databases.list
datastore.entities.*
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.list
datastore.statistics.*
firebase.clients.*
firebase.projects.get
firebase.projects.update
firebaseappcheck.*
firebaseauth.configs.create
firebaseauth.configs.get
firebaseauth.configs.update
firebaseauth.users.*
firebasedatabase.*
firebasehosting.*
firebaseml.*
firebasenotifications.*
firebaserules.releases.get
firebaserules.releases.list
firebaserules.releases.update
firebaserules.rulesets.create
firebaserules.rulesets.delete
firebaserules.rulesets.get
firebaserules.rulesets.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.projects.update
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.multipartUploads.*
storage.objects.*

Firebase SDK Provisioning Service Agent

roles/firebase.sdkProvisioningServiceAgent

Access to provision apps with the Admin SDK.

apikeys.keys.list
clientauthconfig.clients.list
cloudmessaging.*
firebase.clients.create
servicemanagement.services.bind
serviceusage.services.enable

Firebase App Check Service Agent

roles/firebaseappcheck.serviceAgent

Grants Firebase App Check Service Account access to consumer app attestation resources, such as reCAPTCHA Enterprise.

recaptchaenterprise.assessments.*

Firebase Extensions API Service Agent

roles/firebasemods.serviceAgent

Grants Firebase Extensions API Service Account access to manage resources.

appengine.applications.get
artifactregistry.packages.delete
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.setIamPolicy
cloudtasks.locations.*
cloudtasks.queues.*
cloudtasks.tasks.create
cloudtasks.tasks.fullView
deploymentmanager.compositeTypes.*
deploymentmanager.deployments.cancelPreview
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.stop
deploymentmanager.deployments.update
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.*
deploymentmanager.types.*
iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.projects.updateLiens
run.services.getIamPolicy
run.services.setIamPolicy
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list

Cloud Storage for Firebase Service Agent

roles/firebasestorage.serviceAgent

Access to Cloud Storage for Firebase through API and SDK.

storage.buckets.get
storage.buckets.getIamPolicy
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.update

Firestore Service Agent

roles/firestore.serviceAgent

Gives Firestore service account access to managed resources.

storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list

Cloud Firewall Insights Service Agent

roles/firewallinsights.serviceAgent

Gives Cloud Firewall Insights service agent permissions to retrieve Firewall, VM and route resources on user behalf.

compute.backendServices.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.list
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.instanceGroups.list
compute.instances.get
compute.instances.list
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.projects.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.subnetworks.list
compute.targetHttpProxies.list
compute.targetHttpsProxies.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list

FleetEngine Service Agent

roles/fleetengine.serviceAgent

Grants the FleetEngine Service Account access to manage resources.

bigquery.config.get
bigquery.datasets.get
bigquery.jobs.create
bigquery.tables.getData
resourcemanager.projects.get
resourcemanager.projects.list

Game Services Service Agent

roles/gameservices.serviceAgent

Gives Game Services Service Account access to GCP resources.

container.apiServices.*
container.auditSinks.*
container.backendConfigs.*
container.bindings.*
container.certificateSigningRequests.create
container.certificateSigningRequests.delete
container.certificateSigningRequests.get
container.certificateSigningRequests.list
container.certificateSigningRequests.update
container.certificateSigningRequests.updateStatus
container.clusterRoleBindings.create
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoleBindings.update
container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.escalate
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update
container.clusters.create
container.clusters.delete
container.clusters.get
container.clusters.list
container.clusters.update
container.componentStatuses.*
container.configMaps.*
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.*
container.csiDrivers.*
container.csiNodeInfos.*
container.csiNodes.*
container.customResourceDefinitions.*
container.daemonSets.*
container.deployments.*
container.endpointSlices.*
container.endpoints.*
container.events.*
container.frontendConfigs.*
container.horizontalPodAutoscalers.*
container.ingresses.*
container.initializerConfigurations.*
container.jobs.*
container.leases.*
container.limitRanges.*
container.localSubjectAccessReviews.*
container.managedCertificates.*
container.mutatingWebhookConfigurations.*
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.operations.*
container.persistentVolumeClaims.*
container.persistentVolumes.*
container.petSets.*
container.podDisruptionBudgets.*
container.podPresets.*
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.*
container.pods.*
container.priorityClasses.*
container.replicaSets.*
container.replicationControllers.*
container.resourceQuotas.*
container.roleBindings.create
container.roleBindings.get
container.roleBindings.list
container.roles.bind
container.roles.create
container.roles.escalate
container.roles.get
container.roles.list
container.runtimeClasses.*
container.scheduledJobs.*
container.secrets.*
container.selfSubjectAccessReviews.*
container.selfSubjectRulesReviews.*
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.storageStates.*
container.storageVersionMigrations.*
container.subjectAccessReviews.*
container.thirdPartyObjects.*
container.thirdPartyResources.*
container.tokenReviews.*
container.updateInfos.*
container.validatingWebhookConfigurations.*
container.volumeAttachments.*
container.volumeSnapshotClasses.*
container.volumeSnapshotContents.*
container.volumeSnapshots.*
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.locations.*
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.operations.get
gkehub.operations.list
iam.serviceAccounts.actAs
resourcemanager.projects.get
resourcemanager.projects.list

Genomics Service Agent

roles/genomics.serviceAgent

Gives Genomics Service Account access to compute resources. Includes access to service accounts.

compute.acceleratorTypes.*
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
iam.serviceAccounts.actAs
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use

Backup for GKE Service Agent

roles/gkebackup.serviceAgent

Grants the Backup for GKE Service Account access to managed resources.

compute.disks.create
compute.disks.createSnapshot
compute.disks.get
compute.disks.useReadOnly
compute.globalOperations.get
compute.regionOperations.get
compute.snapshots.delete
compute.snapshots.get
compute.zoneOperations.get
container.apiServices.*
container.auditSinks.*
container.backendConfigs.*
container.bindings.*
container.certificateSigningRequests.create
container.certificateSigningRequests.delete
container.certificateSigningRequests.get
container.certificateSigningRequests.list
container.certificateSigningRequests.update
container.certificateSigningRequests.updateStatus
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.*
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.*
container.csiDrivers.*
container.csiNodeInfos.*
container.csiNodes.*
container.customResourceDefinitions.*
container.daemonSets.*
container.deployments.*
container.endpointSlices.*
container.endpoints.*
container.events.*
container.frontendConfigs.*
container.horizontalPodAutoscalers.*
container.ingresses.*
container.initializerConfigurations.*
container.jobs.*
container.leases.*
container.limitRanges.*
container.localSubjectAccessReviews.*
container.managedCertificates.*
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.persistentVolumeClaims.*
container.persistentVolumes.*
container.petSets.*
container.podDisruptionBudgets.*
container.podPresets.*
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.*
container.pods.*
container.priorityClasses.*
container.replicaSets.*
container.replicationControllers.*
container.resourceQuotas.*
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.*
container.scheduledJobs.*
container.secrets.*
container.selfSubjectAccessReviews.*
container.selfSubjectRulesReviews.*
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.storageStates.*
container.storageVersionMigrations.*
container.subjectAccessReviews.*
container.thirdPartyObjects.*
container.thirdPartyResources.*
container.tokenReviews.*
container.updateInfos.*
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeAttachments.*
container.volumeSnapshotClasses.*
container.volumeSnapshotContents.*
container.volumeSnapshots.*
gkebackup.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.projects.updateLiens

GKE Hub Service Agent

roles/gkehub.serviceAgent

Gives the GKE Hub service agent access to Cloud Platform resources.

container.clusterRoleBindings.*
container.clusterRoles.*
container.clusters.get
container.customResourceDefinitions.create
container.customResourceDefinitions.delete
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.customResourceDefinitions.update
container.namespaces.get
container.thirdPartyObjects.*
gkehub.features.create
gkehub.features.get
gkehub.features.list
gkehub.fleet.create
gkehub.fleet.get
gkehub.locations.*
gkehub.memberships.create
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.list
gkehub.operations.get
gkemulticloud.awsClusters.get
gkemulticloud.azureClusters.get
gkeonprem.vmwareClusters.get
serviceusage.services.get
serviceusage.services.list

Anthos Multi-Cloud Service Agent

roles/gkemulticloud.serviceAgent

Grants the Anthos Multi-Cloud Service Account access to manage resources.

gkehub.features.*
gkehub.fleet.*
gkehub.locations.*
gkehub.memberships.*
gkehub.operations.*
gkemulticloud.awsClusters.delete
gkemulticloud.awsNodePools.delete
gkemulticloud.azureClients.delete
gkemulticloud.azureClusters.delete
gkemulticloud.azureNodePools.delete
resourcemanager.projects.get
resourcemanager.projects.list

Healthcare Service Agent

roles/healthcare.serviceAgent

Gives the Healthcare Service Account access to networks,Kubernetes engine, and pubsub resources.

cloudnotifications.*
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
opsconfigmonitoring.resourceMetadata.list
pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get

KubeRun Events Control Plane Service Agent

roles/kuberun.eventsControlPlaneServiceAgent

Service account role used to setup authentication for the control plane used by KubeRun Events.

cloudscheduler.jobs.create
cloudscheduler.jobs.delete
cloudscheduler.jobs.get
logging.sinks.create
logging.sinks.delete
logging.sinks.get
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.setIamPolicy
resourcemanager.projects.get
storage.buckets.get
storage.buckets.update

KubeRun Events Data Plane Service Agent

roles/kuberun.eventsDataPlaneServiceAgent

Service account role used to setup authentication for the data plane used by KubeRun Events.

cloudtrace.traces.patch
monitoring.timeSeries.create
pubsub.subscriptions.consume
pubsub.subscriptions.get
pubsub.topics.get
pubsub.topics.publish
resourcemanager.projects.get

Cloud Life Sciences Service Agent

roles/lifesciences.serviceAgent

Gives Cloud Life Sciences Service Account access to compute resources. Includes access to service accounts.

compute.acceleratorTypes.*
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
iam.serviceAccounts.actAs
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use

Live Stream Service Agent

roles/livestream.serviceAgent

Uploads media files to customer Cloud Storage buckets.

storage.objects.create
storage.objects.delete
storage.objects.update

Cloud Logging Service Agent

roles/logging.serviceAgent

Grants a Cloud Logging Service Account the ability to create and link datasets.

bigquery.datasets.create

Cloud Managed Identities Service Agent

roles/managedidentities.serviceAgent

Gives Managed Identities service account access to managed resources.

compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.routes.list
dns.changes.*
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.*
dns.networks.bindPrivateDNSPolicy
dns.networks.bindPrivateDNSZone
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.list
dns.policies.update
dns.projects.*
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list

Media Asset Service Agent

roles/mediaasset.serviceAgent

Downloads and uploads media files from and to customer Cloud Storage buckets.

pubsub.topics.get
pubsub.topics.publish
storage.objects.create
storage.objects.delete
storage.objects.get
transcoder.jobs.create
transcoder.jobs.delete
transcoder.jobs.get

Cloud Memorystore Memcached Service Agent

roles/memcache.serviceAgent

Gives Cloud Memorystore Memcached service account access to managed resource

compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list

Mesh Config Service Agent

roles/meshconfig.serviceAgent

Apply mesh configuration

compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.setSecurityPolicy
compute.backendServices.update
compute.backendServices.use
compute.firewalls.*
compute.globalForwardingRules.create
compute.globalForwardingRules.delete
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.setLabels
compute.globalForwardingRules.setTarget
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.*
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.use
compute.networks.get
compute.networks.updatePolicy
compute.networks.use
compute.subnetworks.use
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.urlMaps.*
networksecurity.clientTlsPolicies.create
networksecurity.clientTlsPolicies.delete
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.update
networksecurity.serverTlsPolicies.create
networksecurity.serverTlsPolicies.delete
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.update
networkservices.endpointConfigSelectors.create
networkservices.endpointConfigSelectors.delete
networkservices.endpointConfigSelectors.get
networkservices.endpointConfigSelectors.list
networkservices.endpointConfigSelectors.update
networkservices.httpFilters.create
networkservices.httpFilters.delete
networkservices.httpFilters.get
networkservices.httpFilters.list
networkservices.httpFilters.update
networkservices.httpfilters.create
networkservices.httpfilters.delete
networkservices.httpfilters.get
networkservices.httpfilters.list
networkservices.httpfilters.update

Mesh Managed Control Plane Service Agent

roles/meshcontrolplane.serviceAgent

Anthos Service Mesh Managed Control Plane Agent

container.apiServices.*
container.auditSinks.*
container.backendConfigs.*
container.bindings.*
container.certificateSigningRequests.*
container.clusterRoleBindings.*
container.clusterRoles.*
container.clusters.get
container.clusters.getCredentials
container.clusters.list
container.componentStatuses.*
container.configMaps.*
container.controllerRevisions.*
container.cronJobs.*
container.csiDrivers.*
container.csiNodeInfos.*
container.csiNodes.*
container.customResourceDefinitions.*
container.daemonSets.*
container.deployments.*
container.endpointSlices.*
container.endpoints.*
container.events.*
container.frontendConfigs.*
container.horizontalPodAutoscalers.*
container.hostServiceAgent.*
container.ingresses.*
container.initializerConfigurations.*
container.jobs.*
container.leases.*
container.limitRanges.*
container.localSubjectAccessReviews.*
container.managedCertificates.*
container.mutatingWebhookConfigurations.*
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.operations.*
container.persistentVolumeClaims.*
container.persistentVolumes.*
container.petSets.*
container.podDisruptionBudgets.*
container.podPresets.*
container.podSecurityPolicies.*
container.podTemplates.*
container.pods.*
container.priorityClasses.*
container.replicaSets.*
container.replicationControllers.*
container.resourceQuotas.*
container.roleBindings.*
container.roles.*
container.runtimeClasses.*
container.scheduledJobs.*
container.secrets.*
container.selfSubjectAccessReviews.*
container.selfSubjectRulesReviews.*
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.storageStates.*
container.storageVersionMigrations.*
container.subjectAccessReviews.*
container.thirdPartyObjects.*
container.thirdPartyResources.*
container.tokenReviews.*
container.updateInfos.*
container.validatingWebhookConfigurations.*
container.volumeAttachments.*
container.volumeSnapshotClasses.*
container.volumeSnapshotContents.*
container.volumeSnapshots.*
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.gateway.*
gkehub.locations.*
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.operations.get
gkehub.operations.list
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.use

Mesh Data Plane Service Agent

roles/meshdataplane.serviceAgent

Run user-space Istio components

cloudtrace.traces.patch
compute.forwardingRules.get
compute.globalForwardingRules.get
logging.logEntries.create
meshconfig.projects.get
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
serviceusage.services.use

Dataproc Metastore Service Agent

roles/metastore.serviceAgent

Gives the Dataproc Metastore service account access to managed resources.

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.use
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.globalAddresses.createInternal
compute.globalAddresses.deleteInternal
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalOperations.get
compute.globalOperations.list
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.updatePeering
compute.networks.use
compute.regionOperations.get
compute.subnetworks.get
compute.subnetworks.use
metastore.databases.setIamPolicy
metastore.services.get
metastore.tables.setIamPolicy
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

AI Platform Service Agent

roles/ml.serviceAgent

AI Platform service agent can act as log writer, Cloud Storage admin, Artifact Registry Reader, BigQuery writer, and service account access token creator.

artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.updateData
firebase.projects.get
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
logging.logEntries.create
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.*
storage.multipartUploads.*
storage.objects.*

Monitoring Service Agent

roles/monitoring.notificationServiceAgent

Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project.

servicedirectory.networks.access
servicedirectory.services.resolve
serviceusage.services.use

Multi Cluster Ingress Service Agent

roles/multiclusteringress.serviceAgent

Gives the Multi Cluster Ingress service agent access to CloudPlatform resources.

certificatemanager.certmapentries.create
certificatemanager.certmapentries.delete
certificatemanager.certmapentries.get
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmapentries.update
certificatemanager.certmaps.create
certificatemanager.certmaps.delete
certificatemanager.certmaps.get
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certmaps.update
certificatemanager.certmaps.use
certificatemanager.certs.create
certificatemanager.certs.delete
certificatemanager.certs.get
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.certs.update
certificatemanager.certs.use
certificatemanager.dnsauthorizations.create
certificatemanager.dnsauthorizations.delete
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.dnsauthorizations.update
certificatemanager.dnsauthorizations.use
compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.backendServices.*
compute.firewalls.*
compute.forwardingRules.*
compute.globalAddresses.create
compute.globalAddresses.delete
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.*
compute.healthChecks.*
compute.networkEndpointGroups.get
compute.networkEndpointGroups.use
compute.networks.updatePolicy
compute.networks.use
compute.regionBackendServices.*
compute.regionHealthChecks.*
compute.regionSslCertificates.*
compute.regionTargetHttpProxies.*
compute.regionTargetHttpsProxies.*
compute.regionUrlMaps.*
compute.securityPolicies.use
compute.sslCertificates.*
compute.sslPolicies.use
compute.subnetworks.list
compute.subnetworks.use
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.urlMaps.*
container.backendConfigs.*
container.clusters.get
container.customResourceDefinitions.create
container.customResourceDefinitions.delete
container.customResourceDefinitions.get
container.customResourceDefinitions.update
container.deployments.*
container.events.create
container.events.update
container.frontendConfigs.*
container.namespaces.list
container.secrets.get
container.secrets.list
container.services.*
container.thirdPartyObjects.*
gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
serviceusage.services.get
serviceusage.services.list

Multi-cluster metering Service Agent

roles/multiclustermetering.serviceAgent

Gives the Multi-cluster metering service agent access to CloudPlatform resources.

gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list

GCP Network Management Service Agent

roles/networkmanagement.serviceAgent

Grants the GCP Network Management API the authority to complete analysis based on network configurations from Compute Engine and Container Engine.

cloudsql.instances.get
cloudsql.instances.list
compute.addresses.get
compute.addresses.list
compute.backendServices.get
compute.backendServices.list
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
container.clusters.get
container.clusters.list
container.nodes.get
container.nodes.list

AI Platform Notebooks Service Agent

roles/notebooks.serviceAgent

Provide access for notebooks service agent to manage notebook instances in user projects

aiplatform.customJobs.cancel
aiplatform.customJobs.create
aiplatform.customJobs.get
aiplatform.customJobs.list
compute.acceleratorTypes.*
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.use
compute.networks.useExternalIp
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.validate
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
dataproc.clusters.get
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.list
ml.jobs.create
ml.jobs.get
ml.jobs.list
notebooks.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Cloud OS Config Service Agent

roles/osconfig.serviceAgent

Grants OS Config Service Account access to Google Compute Engine instances.

compute.instances.get
compute.instances.getGuestAttributes
compute.instances.list
compute.instances.setMetadata
compute.zones.*
containeranalysis.notes.attachOccurrence
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.notes.update
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
iam.serviceAccounts.actAs
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Pub/Sub Service Agent

roles/pubsub.serviceAgent

Grants Cloud Pub/Sub Service Account access to manage resources.

iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Memorystore Redis Service Agent

roles/redis.serviceAgent

Gives Cloud Memorystore Redis service account access to managed resource

compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.projects.get
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list

Remote Build Execution Service Agent

roles/remotebuildexecution.serviceAgent

Gives Remote Build Execution service account access to managed resources.

remotebuildexecution.actions.update
remotebuildexecution.blobs.*
remotebuildexecution.botsessions.*
remotebuildexecution.logstreams.create
remotebuildexecution.logstreams.update

Retail Service Agent

roles/retail.serviceAgent

Retail service uploads product feeds and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Google Cloud's operations suite metrics for customer projects.

bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.updateData
cloudnotifications.*
dataflow.jobs.*
dataflow.messages.*
dataflow.metrics.*
logging.logEntries.create
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
opsconfigmonitoring.resourceMetadata.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

Risk Manager Service Agent

roles/riskmanager.serviceAgent

Service agent that grants Risk Manager service access to fetch findings for generating Reports

cloudasset.assets.*
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.organizationsettings.get
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.subscription.*
securitycenter.userinterfacemetadata.*
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get

Cloud Run Service Agent

roles/run.serviceAgent

Gives Cloud Run service account access to managed resources.

artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.policy.evaluatePolicy
clientauthconfig.clients.list
cloudbuild.builds.create
cloudbuild.builds.get
compute.globalOperations.get
compute.networks.access
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.signBlob
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.routes.invoke
serviceusage.services.use
storage.objects.get
storage.objects.list
vpcaccess.connectors.get
vpcaccess.connectors.use

Secured Landing Zone Service Agent

roles/securedlandingzone.serviceAgent

Grants Secured Landing Zone service account permissions to manage resources in the customer project

cloudasset.assets.exportOrgPolicy
cloudasset.assets.exportResource
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.update
logging.logEntries.list
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.getIamPolicy
pubsub.topics.setIamPolicy
resourcemanager.projects.get
securitycenter.assetsecuritymarks.*
securitycenter.findings.list
securitycenter.findings.update
securitycenter.sources.list
securitycenter.sources.update
serviceusage.services.use

Security Center Automation Service Agent

roles/securitycenter.automationServiceAgent

Security Center automation service agent can configure GCP resources to enable security scanning.

cloudasset.feeds.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.services.enable

Security Center Control Service Agent

roles/securitycenter.controlServiceAgent

Security Center Control service agent can monitor and configure GCP resources and import security findings.

apikeys.keys.get
apikeys.keys.list
apikeys.keys.lookup
appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
bigquery.datasets.get
binaryauthorization.policy.get
cloudasset.assets.*
cloudasset.feeds.*
cloudsecurityscanner.*
cloudsql.instances.connect
cloudsql.instances.get
cloudsql.users.list
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.validate
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
container.apiServices.get
container.apiServices.getStatus
container.apiServices.list
container.auditSinks.get
container.auditSinks.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.certificateSigningRequests.get
container.certificateSigningRequests.getStatus
container.certificateSigningRequests.list
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.get
container.configMaps.list
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.csiDrivers.get
container.csiDrivers.list
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodes.get
container.csiNodes.list
container.customResourceDefinitions.get
container.customResourceDefinitions.getStatus
container.customResourceDefinitions.list
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.deployments.get
container.deployments.getScale
container.deployments.getStatus
container.deployments.list
container.endpointSlices.get
container.endpointSlices.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.frontendConfigs.get
container.frontendConfigs.list
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.initializerConfigurations.get
container.initializerConfigurations.list
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.leases.get
container.leases.list
container.limitRanges.get
container.limitRanges.list
container.managedCertificates.get
container.managedCertificates.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.*
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.petSets.get
container.petSets.list
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podPresets.get
container.podPresets.list
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.get
container.podTemplates.list
container.pods.get
container.pods.getStatus
container.pods.list
container.priorityClasses.get
container.priorityClasses.list
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.get
container.runtimeClasses.list
container.scheduledJobs.get
container.scheduledJobs.list
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.statefulSets.getScale
container.statefulSets.getStatus
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyResources.get
container.thirdPartyResources.list
container.tokenReviews.*
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeAttachments.get
container.volumeAttachments.getStatus
container.volumeAttachments.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
dlp.jobs.get
dlp.jobs.list
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.listShared
logging.queries.update
logging.sinks.get
logging.sinks.list
logging.usage.*
logging.views.get
logging.views.list
monitoring.alertPolicies.get
monitoring.alertPolicies.list
orgpolicy.policy.get
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
securitycenter.assets.*
securitycenter.assetsecuritymarks.*
securitycenter.bigQueryExports.*
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.findingexternalsystems.*
securitycenter.findings.*
securitycenter.findingsecuritymarks.*
securitycenter.muteconfigs.*
securitycenter.notificationconfig.*
securitycenter.organizationsettings.get
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.subscription.*
securitycenter.userinterfacemetadata.*
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
stackdriver.projects.get
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list

Security Center Integration Executor Service Agent

roles/securitycenter.integrationExecutorServiceAgent

Gives Security Center access to execute Integrations.

integrations.securityExecutions.cancel
integrations.securityExecutions.list
integrations.securityIntegrations.invoke

Security Center Notification Service Agent

roles/securitycenter.notificationServiceAgent

Security Center service agent can publish notifications to Pub/Sub topics.

pubsub.topics.publish

Security Health Analytics Service Agent

roles/securitycenter.securityHealthAnalyticsServiceAgent

Security Health Analytics service agent can scan GCP resource metadata to find security vulnerabilities.

apikeys.keys.get
apikeys.keys.list
apikeys.keys.lookup
appengine.applications.get
bigquery.datasets.get
binaryauthorization.policy.get
cloudasset.assets.*
cloudasset.feeds.*
cloudsecurityscanner.*
cloudsql.instances.connect
cloudsql.instances.get
cloudsql.users.list
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.validate
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
container.clusters.get
container.clusters.list
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.listShared
logging.queries.update
logging.sinks.get
logging.sinks.list
logging.usage.*
logging.views.get
logging.views.list
monitoring.alertPolicies.get
monitoring.alertPolicies.list
orgpolicy.policy.get
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.assets.*
securitycenter.assetsecuritymarks.*
securitycenter.bigQueryExports.*
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.findingexternalsystems.*
securitycenter.findings.*
securitycenter.findingsecuritymarks.*
securitycenter.muteconfigs.*
securitycenter.notificationconfig.*
securitycenter.organizationsettings.get
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.subscription.*
securitycenter.userinterfacemetadata.*
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
stackdriver.projects.get

Google Cloud Security Response Service Agent

roles/securitycenter.securityResponseServiceAgent

Gives Playbook Runner permissions to execute all Google authored Playbooks. This role will keep evolving as we add more playbooks

compute.instances.deleteAccessConfig
compute.instances.get
compute.instances.setMetadata
iam.serviceAccounts.actAs
pubsub.topics.publish
securitycenter.findings.list
storage.buckets.get
storage.buckets.update

Security Center Service Agent

roles/securitycenter.serviceAgent

Security Center service agent can scan GCP resources and import security scans.

apikeys.keys.get
apikeys.keys.list
apikeys.keys.lookup
appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
bigquery.datasets.get
binaryauthorization.policy.get
cloudasset.assets.*
cloudasset.feeds.*
cloudsecurityscanner.*
cloudsql.instances.connect
cloudsql.instances.get
cloudsql.users.list
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.validate
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
container.apiServices.get
container.apiServices.getStatus
container.apiServices.list
container.auditSinks.get
container.auditSinks.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.certificateSigningRequests.get
container.certificateSigningRequests.getStatus
container.certificateSigningRequests.list
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.get
container.configMaps.list
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.csiDrivers.get
container.csiDrivers.list
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodes.get
container.csiNodes.list
container.customResourceDefinitions.get
container.customResourceDefinitions.getStatus
container.customResourceDefinitions.list
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.deployments.get
container.deployments.getScale
container.deployments.getStatus
container.deployments.list
container.endpointSlices.get
container.endpointSlices.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.frontendConfigs.get
container.frontendConfigs.list
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.initializerConfigurations.get
container.initializerConfigurations.list
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.leases.get
container.leases.list
container.limitRanges.get
container.limitRanges.list
container.managedCertificates.get
container.managedCertificates.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.*
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.petSets.get
container.petSets.list
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podPresets.get
container.podPresets.list
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.get
container.podTemplates.list
container.pods.get
container.pods.getStatus
container.pods.list
container.priorityClasses.get
container.priorityClasses.list
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.get
container.runtimeClasses.list
container.scheduledJobs.get
container.scheduledJobs.list
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.statefulSets.getScale
container.statefulSets.getStatus
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyResources.get
container.thirdPartyResources.list
container.tokenReviews.*
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeAttachments.get
container.volumeAttachments.getStatus
container.volumeAttachments.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
dlp.jobs.get
dlp.jobs.list
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.listShared
logging.queries.update
logging.sinks.get
logging.sinks.list
logging.usage.*
logging.views.get
logging.views.list
monitoring.alertPolicies.get
monitoring.alertPolicies.list
orgpolicy.policy.get
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
securitycenter.assets.*
securitycenter.assetsecuritymarks.*
securitycenter.bigQueryExports.*
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.findingexternalsystems.*
securitycenter.findings.*
securitycenter.findingsecuritymarks.*
securitycenter.muteconfigs.*
securitycenter.notificationconfig.*
securitycenter.organizationsettings.get
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.subscription.*
securitycenter.userinterfacemetadata.*
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
stackdriver.projects.get
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list

Service Directory Service Agent

roles/servicedirectory.serviceAgent

Give the Service Directory service agent access to Cloud Platform resources.

container.clusters.get
gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.endpoints.create
servicedirectory.endpoints.delete
servicedirectory.endpoints.get
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.endpoints.update
servicedirectory.locations.*
servicedirectory.namespaces.associatePrivateZone
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.namespaces.get
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.namespaces.update
servicedirectory.networks.attach
servicedirectory.services.bind
servicedirectory.services.create
servicedirectory.services.delete
servicedirectory.services.get
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicedirectory.services.resolve
servicedirectory.services.update

Service Networking Service Agent

roles/servicenetworking.serviceAgent

Gives permission to manage network configuration, such as establishing network peering, necessary for service producers

compute.globalAddresses.get
compute.globalAddresses.list
compute.globalOperations.get
compute.networks.addPeering
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.removePeering
compute.networks.update
compute.networks.updatePeering
compute.networks.updatePolicy
compute.projects.get
compute.regionOperations.get
compute.routers.get
compute.routers.list
compute.routes.list
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.list
dns.changes.*
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.*
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.list
dns.policies.update
dns.projects.*
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Source Repositories Service Agent

roles/sourcerepo.serviceAgent

Allow Cloud Source Repositories to integrate with other Cloud services.

iam.serviceAccounts.getAccessToken
pubsub.topics.publish

Cloud Speech-to-Text Service Agent

roles/speech.serviceAgent

Gives Speech-to-Text service account access to Cloud Storage resources.

storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update

Dataform Service Agent

roles/sqlx.serviceAgent

Gives permission for the Dataform API to access a secret from Secret Manager

resourcemanager.projects.get
resourcemanager.projects.list

Cloud TPU API Service Agent

roles/tpu.serviceAgent

Give Cloud TPUs service account access to managed resources

compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.zones.*
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list

Transcoder Service Agent

roles/transcoder.serviceAgent

Downloads and uploads media files from and to customer Cloud Storage buckets. Publishes status updates to customer Pub/Sub.

pubsub.topics.publish
storage.objects.create
storage.objects.delete
storage.objects.get
transcoder.jobs.delete

Visual Inspection AI Service Agent

roles/visualinspection.serviceAgent

Grants Visual Inspection AI Service Agent admin roles for accessing/exporting training data, pushing containers artifacts to GCR and ArtifactsRegistry, and Vertex AI for storing data and running training jobs.

aiplatform.*
artifactregistry.*
firebase.projects.get
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.*
storage.multipartUploads.*
storage.objects.*

Serverless VPC Access Service Agent

roles/vpcaccess.serviceAgent

Can create and manage resources to support serverless application to connect to virtual private cloud.

billing.accounts.get
compute.autoscalers.*
compute.disks.create
compute.firewalls.*
compute.healthChecks.*
compute.httpHealthChecks.create
compute.httpHealthChecks.delete
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.use
compute.httpHealthChecks.useReadOnly
compute.httpsHealthChecks.create
compute.httpsHealthChecks.delete
compute.httpsHealthChecks.get
compute.httpsHealthChecks.update
compute.httpsHealthChecks.use
compute.httpsHealthChecks.useReadOnly
compute.images.get
compute.images.useReadOnly
compute.instanceGroupManagers.create
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.get
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.update
compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.useReadOnly
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.list
compute.instances.reset
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.use
compute.machineTypes.get
compute.networks.get
compute.networks.use
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
deploymentmanager.compositeTypes.get
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.update
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.typeProviders.create
deploymentmanager.typeProviders.get
logging.logEntries.create
logging.logMetrics.create
logging.logMetrics.delete
logging.logMetrics.get
logging.logMetrics.update
resourcemanager.projects.get

Cloud Web Security Scanner Service Agent

roles/websecurityscanner.serviceAgent

Gives the Cloud Web Security Scanner service account access to compute engine details and app engine details.

appengine.applications.get
cloudasset.assets.listResource
compute.addresses.list
compute.backendServices.get
compute.forwardingRules.get
compute.globalForwardingRules.get
compute.sslCertificates.list
compute.targetHttpProxies.get
compute.targetHttpsProxies.get
compute.urlMaps.get

Cloud Workflows Service Agent

roles/workflows.serviceAgent

Gives Cloud Workflows service account access to managed resources.

iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken

Workload Certificate Service Agent

roles/workloadcertificate.serviceAgent

Gives the Workload Certificate service agent access to Cloud Platform resources.

container.clusters.get
container.clusters.update
gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
serviceconsumermanagement.tenancyu.addResource
serviceconsumermanagement.tenancyu.create
serviceconsumermanagement.tenancyu.delete
serviceconsumermanagement.tenancyu.removeResource

Admin of Tenancy Units

roles/serviceconsumermanagement.tenancyUnitsAdmin

Administrate tenancy units

serviceconsumermanagement.tenancyu.*

Viewer of Tenancy Units

roles/serviceconsumermanagement.tenancyUnitsViewer

View tenancy units

serviceconsumermanagement.tenancyu.list

Service Directory Admin

roles/servicedirectory.admin

Full control of all Service Directory resources and permissions.

resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.endpoints.*
servicedirectory.locations.*
servicedirectory.namespaces.*
servicedirectory.networks.attach
servicedirectory.services.*

Service Directory Editor

roles/servicedirectory.editor

Edit Service Directory resources.

resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.endpoints.create
servicedirectory.endpoints.delete
servicedirectory.endpoints.get
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.endpoints.update
servicedirectory.locations.*
servicedirectory.namespaces.associatePrivateZone
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.namespaces.get
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.namespaces.update
servicedirectory.networks.attach
servicedirectory.services.bind
servicedirectory.services.create
servicedirectory.services.delete
servicedirectory.services.get
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicedirectory.services.resolve
servicedirectory.services.update

Service Directory Network Attacher

roles/servicedirectory.networkAttacher

Gives access to attach VPC Networks to Service Directory Endpoints

resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.networks.attach

Private Service Connect Authorized Service

roles/servicedirectory.pscAuthorizedService

Gives access to VPC Networks via Service Directory

resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.networks.access

Service Directory Viewer

roles/servicedirectory.viewer

View Service Directory resources.

resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.endpoints.get
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.locations.*
servicedirectory.namespaces.get
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.services.get
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicedirectory.services.resolve

Cloud Run Service Agent

roles/serverless.serviceAgent

Gives Cloud Run service account access to managed resources.

artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.policy.evaluatePolicy
clientauthconfig.clients.list
cloudbuild.builds.create
cloudbuild.builds.get
compute.globalOperations.get
compute.networks.access
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.signBlob
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.routes.invoke
serviceusage.services.use
storage.objects.get
storage.objects.list
vpcaccess.connectors.get
vpcaccess.connectors.use

Service Management Administrator

roles/servicemanagement.admin

Full control of Google Service Management resources.

monitoring.timeSeries.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceconsumermanagement.*
servicemanagement.*
serviceusage.quotas.get
serviceusage.services.get

Service Config Editor

roles/servicemanagement.configEditor

Access to update the service config and create rollouts.

servicemanagement.services.get
servicemanagement.services.update

Quota Administrator

roles/servicemanagement.quotaAdmin

Provides access to administer service quotas.

monitoring.timeSeries.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.*
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list

Quota Viewer

roles/servicemanagement.quotaViewer

Provides access to view service quotas.

monitoring.timeSeries.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Service Reporter

roles/servicemanagement.reporter

Can report usage of a service during runtime.

servicemanagement.services.report

Service Consumer

roles/servicemanagement.serviceConsumer

Can enable the service.

servicemanagement.services.bind

Service Controller

roles/servicemanagement.serviceController

Can check preconditions and report usage of a service during runtime.

servicemanagement.services.check
servicemanagement.services.get
servicemanagement.services.quota
servicemanagement.services.report

Service Networking Admin

roles/servicenetworking.networksAdmin

Full control of service networking with projects.

servicenetworking.*

API Keys Admin

roles/serviceusage.apiKeysAdmin

Ability to create, delete, update, get and list API keys for a project.

apikeys.*
serviceusage.apiKeys.*
serviceusage.operations.get

API Keys Viewer

roles/serviceusage.apiKeysViewer

Ability to get and list API keys for a project.

apikeys.keys.get
apikeys.keys.list
apikeys.keys.lookup

Service Usage Admin

roles/serviceusage.serviceUsageAdmin

Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.

monitoring.timeSeries.list
serviceusage.operations.*
serviceusage.quotas.*
serviceusage.services.*

Service Usage Consumer

roles/serviceusage.serviceUsageConsumer

Ability to inspect service states and operations, and consume quota and billing for a consumer project.

monitoring.timeSeries.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use

Service Usage Viewer

roles/serviceusage.serviceUsageViewer

Ability to inspect service states and operations for a consumer project.

monitoring.timeSeries.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Source Repository Administrator

roles/source.admin

Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies.

source.*

Source Repository Reader

roles/source.reader

Provides permissions to list, clone, fetch, and browse repositories.

source.repos.get
source.repos.list

Source Repository Writer

roles/source.writer

Provides permissions to list, clone, fetch, browse, and update repositories.

source.repos.get
source.repos.list
source.repos.update

Stackdriver Accounts Editor

roles/stackdriver.accounts.editor

Read/write access to manage Stackdriver account structure.

resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
stackdriver.projects.*

Stackdriver Accounts Viewer

roles/stackdriver.accounts.viewer

Read-only access to get and list information about Stackdriver account structure.

resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get

Stackdriver Resource Metadata Writer

roles/stackdriver.resourceMetadata.writer

Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.

stackdriver.resourceMetadata.*

Support Account Administrator

roles/cloudsupport.admin

Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information.

cloudsupport.accounts.*
cloudsupport.operations.*
cloudsupport.properties.*
resourcemanager.organizations.get

Tech Support Editor

roles/cloudsupport.techSupportEditor

Full read-write access to technical support cases (applicable for GCP Customer Care and Maps support).

cloudsupport.properties.*
cloudsupport.techCases.*
resourcemanager.projects.get
resourcemanager.projects.list

Tech Support Viewer

roles/cloudsupport.techSupportViewer

Read-only access to technical support cases (applicable for GCP Customer Care and Maps support).

cloudsupport.properties.*
cloudsupport.techCases.get
cloudsupport.techCases.list
resourcemanager.projects.get
resourcemanager.projects.list

Support Account Viewer

roles/cloudsupport.viewer

Read-only access to details of a support account. This does not allow viewing cases.

cloudsupport.accounts.get
cloudsupport.accounts.getUserRoles
cloudsupport.accounts.list
cloudsupport.properties.*

Dell EMC Cloud OneFS Admin

roles/dellemccloudonefs.admin

This role is managed by Dell EMC, not Google.

cloudonefs.isiloncloud.com/*
resourcemanager.projects.get
resourcemanager.projects.list

Dell EMC Cloud OneFS User

roles/dellemccloudonefs.user

This role is managed by Dell EMC, not Google.

cloudonefs.isiloncloud.com/clusters.create
cloudonefs.isiloncloud.com/clusters.delete
cloudonefs.isiloncloud.com/clusters.get
cloudonefs.isiloncloud.com/clusters.list
cloudonefs.isiloncloud.com/clusters.update
cloudonefs.isiloncloud.com/fileshares.*
resourcemanager.projects.get
resourcemanager.projects.list

Dell EMC Cloud OneFS Viewer

roles/dellemccloudonefs.viewer

This role is managed by Dell EMC, not Google.

cloudonefs.isiloncloud.com/clusters.get
cloudonefs.isiloncloud.com/clusters.list
cloudonefs.isiloncloud.com/fileshares.get
cloudonefs.isiloncloud.com/fileshares.list
resourcemanager.projects.get
resourcemanager.projects.list

NetApp Cloud Volumes Admin

roles/netappcloudvolumes.admin

This role is managed by NetApp, not Google.

cloudvolumesgcp-api.netapp.com/*
resourcemanager.projects.get
resourcemanager.projects.list

NetApp Cloud Volumes Viewer

roles/netappcloudvolumes.viewer

This role is managed by NetApp, not Google.

cloudvolumesgcp-api.netapp.com/activeDirectories.get
cloudvolumesgcp-api.netapp.com/activeDirectories.list
cloudvolumesgcp-api.netapp.com/ipRanges.*
cloudvolumesgcp-api.netapp.com/jobs.*
cloudvolumesgcp-api.netapp.com/regions.*
cloudvolumesgcp-api.netapp.com/serviceLevels.*
cloudvolumesgcp-api.netapp.com/snapshots.get
cloudvolumesgcp-api.netapp.com/snapshots.list
cloudvolumesgcp-api.netapp.com/volumes.get
cloudvolumesgcp-api.netapp.com/volumes.list
resourcemanager.projects.get
resourcemanager.projects.list

Redis Enterprise Cloud Admin

roles/redisenterprisecloud.admin

This role is managed by Redis Labs, not Google.

gcp.redisenterprise.com/*
resourcemanager.projects.get
resourcemanager.projects.list

Redis Enterprise Cloud Viewer

roles/redisenterprisecloud.viewer

This role is managed by Redis Labs, not Google.

gcp.redisenterprise.com/databases.get
gcp.redisenterprise.com/databases.list
gcp.redisenterprise.com/subscriptions.get
gcp.redisenterprise.com/subscriptions.list
resourcemanager.projects.get
resourcemanager.projects.list

Transcoder Admin

roles/transcoder.admin

Full access to all transcoder resources.

resourcemanager.projects.get
resourcemanager.projects.list
transcoder.*

Transcoder Viewer

roles/transcoder.viewer

Viewer of all transcoder resources.

resourcemanager.projects.get
resourcemanager.projects.list
transcoder.jobTemplates.get
transcoder.jobTemplates.list
transcoder.jobs.get
transcoder.jobs.list

Vertex AI Administrator

roles/aiplatform.admin

Grants full access to all resources in Vertex AI

aiplatform.*
resourcemanager.projects.get
resourcemanager.projects.list

Vertex AI Feature Store Admin

roles/aiplatform.featurestoreAdmin

Grants full access to all resources in Vertex AI Feature Store

aiplatform.entityTypes.*
aiplatform.features.*
aiplatform.featurestores.*
aiplatform.operations.*
resourcemanager.projects.get
resourcemanager.projects.list

Vertex AI Feature Store Data Viewer

roles/aiplatform.featurestoreDataViewer

This role provides permissions to read Feature data.

aiplatform.entityTypes.exportFeatureValues
aiplatform.entityTypes.get
aiplatform.entityTypes.readFeatureValues
aiplatform.entityTypes.streamingReadFeatureValues
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.batchReadFeatureValues
resourcemanager.projects.get
resourcemanager.projects.list

Vertex AI Feature Store Data Writer

roles/aiplatform.featurestoreDataWriter

This role provides permissions to read and write Feature data.

aiplatform.entityTypes.exportFeatureValues
aiplatform.entityTypes.get
aiplatform.entityTypes.importFeatureValues
aiplatform.entityTypes.readFeatureValues
aiplatform.entityTypes.streamingReadFeatureValues
aiplatform.entityTypes.writeFeatureValues
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.batchReadFeatureValues
resourcemanager.projects.get
resourcemanager.projects.list

Vertex AI Feature Store Instance Creator

roles/aiplatform.featurestoreInstanceCreator

Administrator of Featurestore resources, but not the child resources under Featurestores.

aiplatform.featurestores.create
aiplatform.featurestores.delete
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.featurestores.update

Vertex AI Feature Store Resource Viewer

roles/aiplatform.featurestoreResourceViewer

Viewer of all resources in Vertex AI Feature Store but cannot make changes.

aiplatform.entityTypes.get
aiplatform.entityTypes.list
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.operations.*
resourcemanager.projects.get
resourcemanager.projects.list

Vertex AI Feature Store User

roles/aiplatform.featurestoreUser

Deprecated. Use featurestoreAdmin instead.

aiplatform.entityTypes.*
aiplatform.features.*
aiplatform.featurestores.*
aiplatform.operations.*
resourcemanager.projects.get
resourcemanager.projects.list

Vertex AI Migration Service User

roles/aiplatform.migrator

Grants access to use migration service in Vertex AI

aiplatform.migratableResources.*

Vertex AI Tensorboard Web App User

roles/aiplatform.tensorboardWebAppUser

Grants access to the Vertex AI Tensorboard web app. Using the web app will incur charges.

aiplatform.tensorboards.recordAccess

Vertex AI User

roles/aiplatform.user

Grants access to use all resource in Vertex AI

aiplatform.annotationSpecs.*
aiplatform.annotations.*
aiplatform.artifacts.*
aiplatform.batchPredictionJobs.*
aiplatform.contexts.*
aiplatform.customJobs.*
aiplatform.dataItems.*
aiplatform.dataLabelingJobs.*
aiplatform.datasets.*
aiplatform.deploymentResourcePools.*
aiplatform.edgeDeploymentJobs.*
aiplatform.edgeDeviceDebugInfo.*
aiplatform.edgeDevices.*
aiplatform.endpoints.*
aiplatform.entityTypes.*
aiplatform.executions.*
aiplatform.features.*
aiplatform.featurestores.*
aiplatform.humanInTheLoops.*
aiplatform.hyperparameterTuningJobs.*
aiplatform.indexEndpoints.*
aiplatform.indexes.*
aiplatform.locations.*
aiplatform.metadataSchemas.*
aiplatform.metadataStores.*
aiplatform.modelDeploymentMonitoringJobs.*
aiplatform.modelEvaluationSlices.*
aiplatform.modelEvaluations.*
aiplatform.models.*
aiplatform.nasJobs.*
aiplatform.operations.*
aiplatform.pipelineJobs.*
aiplatform.specialistPools.*
aiplatform.studies.*
aiplatform.tensorboardExperiments.*
aiplatform.tensorboardRuns.*
aiplatform.tensorboardTimeSeries.*
aiplatform.tensorboards.create
aiplatform.tensorboards.delete
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.tensorboards.update
aiplatform.trainingPipelines.*
aiplatform.trials.*
resourcemanager.projects.get
resourcemanager.projects.list

Vertex AI Viewer

roles/aiplatform.viewer

Grants access to view all resource in Vertex AI

aiplatform.annotationSpecs.get
aiplatform.annotationSpecs.list
aiplatform.annotations.get
aiplatform.annotations.list
aiplatform.artifacts.get
aiplatform.artifacts.list
aiplatform.batchPredictionJobs.get
aiplatform.batchPredictionJobs.list
aiplatform.contexts.get
aiplatform.contexts.list
aiplatform.contexts.queryContextLineageSubgraph
aiplatform.customJobs.get
aiplatform.customJobs.list
aiplatform.dataItems.get
aiplatform.dataItems.list
aiplatform.dataLabelingJobs.get
aiplatform.dataLabelingJobs.list
aiplatform.datasets.get
aiplatform.datasets.list
aiplatform.deploymentResourcePools.get
aiplatform.deploymentResourcePools.list
aiplatform.deploymentResourcePools.queryDeployedModels
aiplatform.edgeDeploymentJobs.get
aiplatform.edgeDeploymentJobs.list
aiplatform.edgeDeviceDebugInfo.*
aiplatform.edgeDevices.get
aiplatform.edgeDevices.list
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.entityTypes.get
aiplatform.entityTypes.list
aiplatform.executions.get
aiplatform.executions.list
aiplatform.executions.queryExecutionInputsAndOutputs
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.humanInTheLoops.get
aiplatform.humanInTheLoops.list
aiplatform.hyperparameterTuningJobs.get
aiplatform.hyperparameterTuningJobs.list
aiplatform.indexEndpoints.get
aiplatform.indexEndpoints.list
aiplatform.indexes.get
aiplatform.indexes.list
aiplatform.locations.*
aiplatform.metadataSchemas.get
aiplatform.metadataSchemas.list
aiplatform.metadataStores.get
aiplatform.metadataStores.list
aiplatform.modelDeploymentMonitoringJobs.get
aiplatform.modelDeploymentMonitoringJobs.list
aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies
aiplatform.modelEvaluationSlices.*
aiplatform.modelEvaluations.get
aiplatform.modelEvaluations.list
aiplatform.models.get
aiplatform.models.list
aiplatform.nasJobs.get
aiplatform.nasJobs.list
aiplatform.operations.*
aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list
aiplatform.specialistPools.get
aiplatform.specialistPools.list
aiplatform.specialistPools.update
aiplatform.studies.get
aiplatform.studies.list
aiplatform.tensorboardExperiments.get
aiplatform.tensorboardExperiments.list
aiplatform.tensorboardRuns.get
aiplatform.tensorboardRuns.list
aiplatform.tensorboardTimeSeries.batchRead
aiplatform.tensorboardTimeSeries.get
aiplatform.tensorboardTimeSeries.list
aiplatform.tensorboardTimeSeries.read
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.trainingPipelines.get
aiplatform.trainingPipelines.list
aiplatform.trials.get
aiplatform.trials.list
resourcemanager.projects.get
resourcemanager.projects.list

Video Stitcher Admin

roles/videostitcher.admin

Full access to all video stitcher resources.

resourcemanager.projects.get
resourcemanager.projects.list
videostitcher.*

Video Stitcher User

roles/videostitcher.user

Full access to video stitcher sessions.

resourcemanager.projects.get
resourcemanager.projects.list
videostitcher.liveSessions.*
videostitcher.vodSessions.*

Video Stitcher Viewer

roles/videostitcher.viewer

Read-only access to video stitcher resources.

resourcemanager.projects.get
resourcemanager.projects.list
videostitcher.cdnKeys.get
videostitcher.cdnKeys.list
videostitcher.liveAdTagDetails.*
videostitcher.liveSessions.get
videostitcher.slates.get
videostitcher.slates.list
videostitcher.vodAdTagDetails.*
videostitcher.vodSessions.get
videostitcher.vodStitchDetails.*

VMware Engine Service Admin

roles/vmwareengine.vmwareengineAdmin

Admin has full access to VMware Engine Service

resourcemanager.projects.get
resourcemanager.projects.list
vmwareengine.*

VMware Engine Service Viewer

roles/vmwareengine.vmwareengineViewer

Viewer has read-only access to VMware Engine Service

resourcemanager.projects.get
resourcemanager.projects.list
vmwareengine.services.view

Workflows Admin

roles/workflows.admin

Full access to workflows and related resources.

resourcemanager.projects.get
resourcemanager.projects.list
workflows.*

Workflows Editor

roles/workflows.editor

Read and write access to workflows and related resources.

resourcemanager.projects.get
resourcemanager.projects.list
workflows.*

Workflows Invoker

roles/workflows.invoker

Access to execute workflows and manage the executions.

resourcemanager.projects.get
resourcemanager.projects.list
workflows.callbacks.*
workflows.executions.*

Workflows Viewer

roles/workflows.viewer

Read-only access to workflows and related resources.

resourcemanager.projects.get
resourcemanager.projects.list
workflows.executions.get
workflows.executions.list
workflows.locations.*
workflows.operations.get
workflows.operations.list
workflows.workflows.get
workflows.workflows.list

IAM Workload Identity Pool Admin

roles/iam.workloadIdentityPoolAdmin

Full rights to create and manage workload identity pools.

iam.workloadIdentityPoolProviders.*
iam.workloadIdentityPools.*
resourcemanager.projects.get
resourcemanager.projects.list

IAM Workload Identity Pool Viewer

roles/iam.workloadIdentityPoolViewer

Read access to workload identity pools.

iam.googleapis.com/workloadIdentityPoolProviders.get
iam.googleapis.com/workloadIdentityPoolProviders.list
iam.googleapis.com/workloadIdentityPools.get
iam.googleapis.com/workloadIdentityPools.list
resourcemanager.projects.get
resourcemanager.projects.list