Cloud Build roles and permissions

Cloud Build Approver

(roles/cloudbuild.builds.approver)

Can approve or reject pending builds.

cloudbuild.builds.approve

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.locations.*

  • cloudbuild.locations.get
  • cloudbuild.locations.list

cloudbuild.operations.*

  • cloudbuild.operations.get
  • cloudbuild.operations.list

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Service Account

(roles/cloudbuild.builds.builder)

Provides access to perform builds.

artifactregistry.aptartifacts.create

artifactregistry.attachments.*

  • artifactregistry.attachments.create
  • artifactregistry.attachments.delete
  • artifactregistry.attachments.get
  • artifactregistry.attachments.list

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.files.update

artifactregistry.files.upload

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.packages.update

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.createOnPush

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.exportArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.create

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.tags.update

artifactregistry.versions.get

artifactregistry.versions.list

artifactregistry.yumartifacts.create

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.locations.*

  • cloudbuild.locations.get
  • cloudbuild.locations.list

cloudbuild.operations.*

  • cloudbuild.operations.get
  • cloudbuild.operations.list

cloudbuild.workerpools.use

compute.images.create

containeranalysis.occurrences.create

containeranalysis.occurrences.delete

containeranalysis.occurrences.get

containeranalysis.occurrences.list

containeranalysis.occurrences.update

logging.logEntries.create

logging.logEntries.list

logging.views.access

pubsub.topics.create

pubsub.topics.publish

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

source.repos.get

source.repos.list

storage.buckets.create

storage.buckets.get

storage.buckets.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

Cloud Build Editor

(roles/cloudbuild.builds.editor)

Provides access to create and cancel builds.

Lowest-level resources where you can grant this role:

  • Project

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.locations.*

  • cloudbuild.locations.get
  • cloudbuild.locations.list

cloudbuild.operations.*

  • cloudbuild.operations.get
  • cloudbuild.operations.list

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Viewer

(roles/cloudbuild.builds.viewer)

Provides access to view builds.

Lowest-level resources where you can grant this role:

  • Project

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.locations.*

  • cloudbuild.locations.get
  • cloudbuild.locations.list

cloudbuild.operations.*

  • cloudbuild.operations.get
  • cloudbuild.operations.list

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Connection Admin

(roles/cloudbuild.connectionAdmin)

Can manage connections and repositories.

cloudbuild.connections.*

  • cloudbuild.connections.create
  • cloudbuild.connections.delete
  • cloudbuild.connections.fetchLinkableRepositories
  • cloudbuild.connections.get
  • cloudbuild.connections.getIamPolicy
  • cloudbuild.connections.list
  • cloudbuild.connections.setIamPolicy
  • cloudbuild.connections.update

cloudbuild.operations.*

  • cloudbuild.operations.get
  • cloudbuild.operations.list

cloudbuild.repositories.create

cloudbuild.repositories.delete

cloudbuild.repositories.fetchGitRefs

cloudbuild.repositories.get

cloudbuild.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Connection Viewer

(roles/cloudbuild.connectionViewer)

Can view and list connections and repositories.

cloudbuild.connections.fetchLinkableRepositories

cloudbuild.connections.get

cloudbuild.connections.getIamPolicy

cloudbuild.connections.list

cloudbuild.repositories.fetchGitRefs

cloudbuild.repositories.get

cloudbuild.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Integrations Editor

(roles/cloudbuild.integrationsEditor)

Can update Integrations.

cloudbuild.integrations.get

cloudbuild.integrations.list

cloudbuild.integrations.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Integrations Owner

(roles/cloudbuild.integrationsOwner)

Can create/delete Integrations.

cloudbuild.integrations.*

  • cloudbuild.integrations.create
  • cloudbuild.integrations.delete
  • cloudbuild.integrations.get
  • cloudbuild.integrations.list
  • cloudbuild.integrations.update

compute.firewalls.create

compute.firewalls.get

compute.firewalls.list

compute.networks.get

compute.networks.updatePolicy

compute.regions.get

compute.subnetworks.get

compute.subnetworks.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Integrations Viewer

(roles/cloudbuild.integrationsViewer)

Can view Integrations.

cloudbuild.integrations.get

cloudbuild.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Logging Service Agent

(roles/cloudbuild.loggingServiceAgent)

Gives the Cloud Build logging-specific service account access to write logs.

logging.buckets.write

Cloud Build Read Only Token Accessor

(roles/cloudbuild.readTokenAccessor)

Can view the connection and access its read-only token.

cloudbuild.connections.get

cloudbuild.repositories.accessReadToken

cloudbuild.repositories.get

Cloud Build Service Agent

(roles/cloudbuild.serviceAgent)

Gives the Cloud Build service account access to managed resources.

artifactregistry.aptartifacts.create

artifactregistry.attachments.*

  • artifactregistry.attachments.create
  • artifactregistry.attachments.delete
  • artifactregistry.attachments.get
  • artifactregistry.attachments.list

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.files.update

artifactregistry.files.upload

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.packages.update

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.createOnPush

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.exportArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.create

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.tags.update

artifactregistry.versions.get

artifactregistry.versions.list

artifactregistry.yumartifacts.create

binaryauthorization.attestors.create

binaryauthorization.attestors.delete

binaryauthorization.attestors.get

binaryauthorization.attestors.list

binaryauthorization.attestors.update

binaryauthorization.attestors.verifyImageAttested

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.connections.get

cloudbuild.locations.*

  • cloudbuild.locations.get
  • cloudbuild.locations.list

cloudbuild.operations.*

  • cloudbuild.operations.get
  • cloudbuild.operations.list

cloudbuild.repositories.accessReadToken

cloudbuild.repositories.accessReadWriteToken

cloudbuild.repositories.get

cloudbuild.repositories.list

cloudbuild.workerpools.use

compute.firewalls.get

compute.firewalls.list

compute.images.create

compute.networkAttachments.get

compute.networkAttachments.update

compute.networks.get

compute.regionOperations.get

compute.subnetworks.get

containeranalysis.notes.attachOccurrence

containeranalysis.notes.create

containeranalysis.notes.delete

containeranalysis.notes.get

containeranalysis.notes.list

containeranalysis.notes.update

containeranalysis.occurrences.create

containeranalysis.occurrences.delete

containeranalysis.occurrences.get

containeranalysis.occurrences.list

containeranalysis.occurrences.update

developerconnect.connections.get

developerconnect.gitRepositoryLinks.fetchReadToken

developerconnect.gitRepositoryLinks.fetchReadWriteToken

developerconnect.gitRepositoryLinks.get

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

logging.buckets.create

logging.buckets.get

logging.buckets.list

logging.logEntries.create

logging.logEntries.list

logging.views.access

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.get

pubsub.topics.publish

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.endpoints.get

servicedirectory.endpoints.getIamPolicy

servicedirectory.endpoints.list

servicedirectory.locations.*

  • servicedirectory.locations.get
  • servicedirectory.locations.list

servicedirectory.namespaces.get

servicedirectory.namespaces.getIamPolicy

servicedirectory.namespaces.list

servicedirectory.networks.access

servicedirectory.services.get

servicedirectory.services.getIamPolicy

servicedirectory.services.list

servicedirectory.services.resolve

serviceusage.services.use

source.repos.get

source.repos.list

storage.buckets.create

storage.buckets.get

storage.buckets.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

Cloud Build Token Accessor

(roles/cloudbuild.tokenAccessor)

Can view the connection and access its read/write and read-only tokens.

cloudbuild.connections.get

cloudbuild.repositories.accessReadToken

cloudbuild.repositories.accessReadWriteToken

cloudbuild.repositories.get

cloudbuild.repositories.list

Cloud Build WorkerPool Editor

(roles/cloudbuild.workerPoolEditor)

Can update and view WorkerPools.

cloudbuild.workerpools.get

cloudbuild.workerpools.list

cloudbuild.workerpools.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build WorkerPool Owner

(roles/cloudbuild.workerPoolOwner)

Can create, delete, update, and view WorkerPools.

cloudbuild.workerpools.create

cloudbuild.workerpools.delete

cloudbuild.workerpools.get

cloudbuild.workerpools.list

cloudbuild.workerpools.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build WorkerPool User

(roles/cloudbuild.workerPoolUser)

Can run builds in the WorkerPool.

cloudbuild.workerpools.use

Cloud Build WorkerPool Viewer

(roles/cloudbuild.workerPoolViewer)

Can view WorkerPools.

cloudbuild.workerpools.get

cloudbuild.workerpools.list

resourcemanager.projects.get

resourcemanager.projects.list