Compute Engine IAM roles and permissions  |  Compute Engine Documentation  |  Google Cloud (2023)

Table of Contents
Before you begin What is IAM? The serviceAccountUser role Google Cloud Console permission Connecting to an instance as an instanceAdmin IAM with service accounts Managed instance groups and IAM Predefined Compute Engine IAM roles Compute Admin role Compute Image User role Compute Instance Admin (beta) role Compute Instance Admin (v1) role Compute Load Balancer Admin role Compute Load Balancer Services User role Compute Network Admin role Compute Network User role Compute Network Viewer role Compute Organization Firewall Policy Admin role Compute Organization Firewall Policy User role Compute Organization Security Policy Admin role Compute Organization Security Policy User role Compute Organization Resource Admin role Compute OS Admin Login role Compute OS Login role Compute OS Login External User role Compute packet mirroring admin role Compute packet mirroring user role Compute Public IP Admin role Compute Security Admin role Compute Sole Tenant Viewer role Compute Storage Admin role Compute Viewer role Compute Shared VPC Admin role GuestPolicy Admin role GuestPolicy Editor role GuestPolicy Viewer role InstanceOSPoliciesCompliance Viewer role OS Inventory Viewer role OSPolicyAssignment Admin role OSPolicyAssignment Editor role OSPolicyAssignmentReport Viewer role OSPolicyAssignment Viewer role PatchDeployment Admin role PatchDeployment Viewer role Patch Job Executor role Patch Job Viewer role OS VulnerabilityReport Viewer role DNS Administrator role DNS Peer role DNS Reader role Service Account Admin role Create Service Accounts role Delete Service Accounts role Service Account Key Admin role Service Account OpenID Connect Identity Token Creator role Service Account Token Creator role Service Account User role View Service Accounts role Workload Identity User role What's next FAQs Videos

When you add a new member to your project, you can use anIdentity and Access Management (IAM) policy to give that member one ormore IAM roles. Each IAM role contains permissionsthat grant the member access to specific resources.

Compute Engine has a set ofpredefined IAM roles that are described onthis page. You can also create custom rolesthat contain subsets of permissions that map directly to your needs.

To learn which permissions are required for each method, see theCompute Engine API reference documentation:

  • Compute Engine v1 API reference
  • Compute Engine beta API reference

For information about granting access, see the following pages.

  • To set IAM policies at a project level, seeGranting, changing, and revoking access to resourcesin the IAM documentation.
  • To set policies on specific Compute Engine resources, readGranting access to Compute Engine resources.
  • To assign roles to a Compute Engine service account, readCreating and enabling service accounts for instances.

Before you begin

  • Read the IAM documentation.

What is IAM?

Google Cloud offersIAM,which lets you give more granular access to specificGoogle Cloud resources and prevents unwanted access to other resources.IAM lets you adopt thesecurity principle of least privilege,so you grant only the necessary access to your resources.

(Video) GCP | Google Cloud IAM | Understanding Google Cloud IAM Roles, Policies & Permissions | DEMO

IAM lets you control who (identity) haswhat (roles) permission to which resources by settingIAM policies. IAM policies grant specific role(s)to a project member, giving that identity certain permissions. For example, fora given resource, such as a project, you can assign theroles/compute.networkAdmin role to a Google Accountand that account can control network-related resources in the project, butcannot manage other resources, like instances and disks. You can also useIAM to manage theGoogle Cloud console legacy rolesgranted to project team members.

The serviceAccountUser role

When granted together withroles/compute.instanceAdmin.v1,roles/iam.serviceAccountUser gives members theability to create and manage instances that use a service account. Specifically,granting roles/iam.serviceAccountUser and roles/compute.instanceAdmin.v1together gives members permission to:

  • Create an instance that runs as aservice account.
  • Attach a persistent disk to an instance that runs as a service account.
  • Set instance metadata on an instance that runs as a service account.
  • Use SSH to connect to an instance that runs as a service account.
  • Reconfigure an instance to run as a service account.

You can grant roles/iam.serviceAccountUser one of two ways:

  • Recommended. Grant the role to a member on aspecific service account.This gives a member access to the service account for which they are aniam.serviceAccountUser but prevents access to other service accounts forwhich the member is not an iam.serviceAccountUser.

  • Grant the role to a member on theproject level. The member has access to allservice accounts in the project, including service accounts that are createdin the future.

    (Video) Using IAM Roles with Google Cloud Storage (GCS)

If you aren't familiar with service accounts,learn more about service accounts.

Google Cloud Console permission

To use the Google Cloud console to access Compute Engine resources, youmust have a role that contains the following permission on the project:

compute.projects.get

Connecting to an instance as an instanceAdmin

After you grant a project member the roles/compute.instanceAdmin.v1 role, theycan connect to virtual machine (VM) instances by using standard Google Cloudtools, like the gcloud CLI orSSH-in-browser.

When a member uses the gcloud CLI or SSH-in-browser, thetools automatically generate a public/private key pair and add the publickey to the project metadata. If the member does not have permissions to editproject metadata, the tool adds the member's public key to the instancemetadata instead.

If the member has an existing key pair they want to use, theycan manually add their public key to the instance's metadata.Learn more about adding SSH keys to an instance.

(Video) Introduction to Cloud IAM

IAM with service accounts

Create new custom service accounts and grant IAM roles to serviceaccounts to limit the access of your instances. Use IAM roleswith custom service accounts to:

  • Limit the access your instances have to Google Cloud APIs using granularIAM roles.
  • Give each instance, or set of instances, a unique identity.
  • Limit the access of your default service account.

Learn more about service accounts.

Managed instance groups and IAM

Managed instance groups (MIGs) are resourcesthat perform actions on your behalf without direct user interaction. Forexample, the MIG can add and remove VMs from the group.

All of the operations performed by Compute Engine as part of the MIG areperformed by theGoogle APIs Service Agentfor your project, which has an email address like the following:PROJECT_ID@cloudservices.gserviceaccount.com

By default, the Google APIs Service Agent is granted theEditor role (roles/editor) at the project level, which gives enough privilegesto create resources based on the MIG's configuration. If you're customizingaccess for the Google APIs Service Agent, then grant the Compute Instance Admin (v1) role(roles/compute.instanceAdmin.v1) and, optionally, the Service Account User role(roles/iam.serviceAccountUser). The Service Account User role is requiredonly if the MIG creates VMs that can run as a service account.

(Video) How to give Compute Admin access to only ONE Compute Engine?

Note that the Google APIs Service Agent is also used by other processes,including Deployment Manager.

When you create a MIG or update its instance template, Compute Enginevalidates that the Google APIs Service Agent has the following role and permissions:

  • Service Account User role, which is important if you plan to create instancesthat can run as a service account
  • Permissions to all the resources referenced from instance templates, suchas images, disks, VPC networks, and subnets

Predefined Compute Engine IAM roles

With IAM, every API method in Compute Engine API requiresthat the identitymaking the API request has the appropriate permissions to use the resource.Permissions are granted by setting policies that grant roles to amember (user, group, or service account) of your project.

In addition to basic roles(viewer, editor, owner)and custom roles,you can assign the following Compute Engine predefined roles to themembers of your project.

You can grant multiple roles to a project member on the same resource. Forexample, if your networking team also manages firewall rules, you can grant bothroles/compute.networkAdmin and roles/compute.securityAdmin to the networkingteam's Google group.

(Video) Service Accounts in Google Cloud - IAM in GCP.

The following tables describe the predefined Compute EngineIAM roles,as well as the permissions contained within each role. Each role contains a setof permissions that is suitable for a specific task. For example, the InstanceAdmin roles grant permissions to manage instances, the network-related rolesinclude permissions to manage network-related resources, and the security roleincludes permissions to manage security-related resources, like firewalls andSSL certificates.

Compute Admin role

Title and nameDescriptionPermissions
Compute Admin
(roles/compute.admin)

Full control of all Compute Engine resources.

If the user will be managing virtual machine instances that are configuredto run as a service account, you must also grant theroles/iam.serviceAccountUser role.

Lowest-level resources where you can grant this role:

  • Disk
  • Image
  • Instance
  • Instance template
  • Node group
  • Node template
  • Snapshot Beta
  • compute.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Image User role

Title and nameDescriptionPermissions
Compute Image User
(roles/compute.imageUser)

Permission to list and read images without having other permissions on the image. Granting this roleat the project level gives users the ability to list all images in the project and create resources,such as instances and persistent disks, based on images in the project.

Lowest-level resources where you can grant this role:

  • ImageBeta
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Instance Admin (beta) role

Title and nameDescriptionPermissions
Compute Instance Admin (beta)
(roles/compute.instanceAdmin)

Permissions to create, modify, and delete virtual machine instances.This includes permissions to create, modify, and delete disks, and also toconfigure Shielded VMsettings.

If the user will be managing virtual machine instances that are configuredto run as a service account, you must also grant theroles/iam.serviceAccountUser role.

For example, if your company has someone who manages groups of virtualmachine instances but does not manage network or security settings anddoes not manage instances that run as service accounts, you can grant thisrole on the organization, folder, or project that contains the instances,or you can grant it on individual instances.

Lowest-level resources where you can grant this role:

  • Disk
  • Image
  • Instance
  • Instance template
  • Snapshot Beta
  • compute.acceleratorTypes.*
  • compute.addresses.createInternal
  • compute.addresses.deleteInternal
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.addresses.useInternal
  • compute.autoscalers.*
  • compute.diskTypes.*
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.list
  • compute.disks.resize
  • compute.disks.setLabels
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.licenses.get
  • compute.licenses.list
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regionNetworkEndpointGroups.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Instance Admin (v1) role

Title and nameDescriptionPermissions
Compute Instance Admin (v1)
(roles/compute.instanceAdmin.v1)

Full control of Compute Engine instances, instance groups, disks, snapshots, and images.Read access to all Compute Engine networking resources.

If you grant a user this role only at an instance level, then that user cannot create new instances.

  • compute.acceleratorTypes.*
  • compute.addresses.createInternal
  • compute.addresses.deleteInternal
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.addresses.useInternal
  • compute.autoscalers.*
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Load Balancer Admin role

Title and nameDescriptionPermissions
Compute Load Balancer Admin
(roles/compute.loadBalancerAdmin)Beta

Permissions to create, modify, and delete load balancers and associateresources.

For example, if your company has a load balancing team that manages loadbalancers, SSL certificates for load balancers, SSL policies, and otherload balancing resources, and a separate networking team that managesthe rest of the networking resources, then grant this role to the loadbalancing team's group.

Lowest-level resources where you can grant this role:

  • InstanceBeta
  • certificatemanager.certmaps.get
  • certificatemanager.certmaps.list
  • certificatemanager.certmaps.use
  • compute.addresses.*
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalNetworkEndpointGroups.*
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instanceGroups.*
  • compute.instances.get
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listTagBindings
  • compute.instances.use
  • compute.instances.useReadOnly
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.projects.get
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionHealthChecks.*
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.*
  • compute.regionSecurityPolicies.get
  • compute.regionSecurityPolicies.list
  • compute.regionSecurityPolicies.use
  • compute.regionSslCertificates.*
  • compute.regionTargetHttpProxies.*
  • compute.regionTargetHttpsProxies.*
  • compute.regionUrlMaps.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.*
  • compute.sslPolicies.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.targetGrpcProxies.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.urlMaps.*
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.clientTlsPolicies.use
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networksecurity.serverTlsPolicies.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Load Balancer Services User role

Title and nameDescriptionPermissions
Compute Load Balancer Services User
(roles/compute.loadBalancerServiceUser)Beta
Permissions to use services from a load balancer in other projects.
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.backendServices.use
  • compute.projects.get
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionBackendServices.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Network Admin role

Title and nameDescriptionPermissions
Compute Network Admin
(roles/compute.networkAdmin)

Permissions to create, modify, and delete networking resources,except for firewall rules and SSL certificates. The network admin roleallows read-only access to firewall rules, SSL certificates, and instances(to view their ephemeral IP addresses). The network admin role does notallow a user to create, start, stop, or delete instances.

For example, if your company has a security team that manages firewallsand SSL certificates and a networking team that manages the rest of thenetworking resources, then grant this role to the networking team's group.Or, if you have a combined team that manages both security and networking,then grant this role as well as the roles/compute.securityAdmin role to the combined team's group.

Lowest-level resources where you can grant this role:

  • InstanceBeta
  • compute.acceleratorTypes.*
  • compute.addresses.*
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.*
  • compute.firewallPolicies.get
  • compute.firewallPolicies.list
  • compute.firewallPolicies.use
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalNetworkEndpointGroups.use
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.update
  • compute.instanceGroups.use
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.instances.updateSecurity
  • compute.instances.use
  • compute.instances.useReadOnly
  • compute.interconnectAttachments.*
  • compute.interconnectLocations.*
  • compute.interconnects.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.use
  • compute.networks.*
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.projects.get
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.regionBackendServices.*
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.list
  • compute.regionFirewallPolicies.use
  • compute.regionHealthCheckServices.*
  • compute.regionHealthChecks.*
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNetworkEndpointGroups.use
  • compute.regionNotificationEndpoints.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSecurityPolicies.get
  • compute.regionSecurityPolicies.list
  • compute.regionSecurityPolicies.use
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.*
  • compute.regionTargetHttpsProxies.*
  • compute.regionUrlMaps.*
  • compute.regions.*
  • compute.routers.*
  • compute.routes.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.serviceAttachments.*
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.*
  • compute.subnetworks.*
  • compute.targetGrpcProxies.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.targetVpnGateways.*
  • compute.urlMaps.*
  • compute.vpnGateways.*
  • compute.vpnTunnels.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • networkconnectivity.locations.*
  • networkconnectivity.operations.*
  • networksecurity.*
  • networkservices.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicedirectory.namespaces.create
  • servicedirectory.namespaces.delete
  • servicedirectory.services.create
  • servicedirectory.services.delete
  • servicenetworking.operations.get
  • servicenetworking.services.addPeering
  • servicenetworking.services.createPeeredDnsDomain
  • servicenetworking.services.deleteConnection
  • servicenetworking.services.deletePeeredDnsDomain
  • servicenetworking.services.disableVpcServiceControls
  • servicenetworking.services.enableVpcServiceControls
  • servicenetworking.services.get
  • servicenetworking.services.listPeeredDnsDomains
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • trafficdirector.*

Compute Network User role

Title and nameDescriptionPermissions
Compute Network User
(roles/compute.networkUser)

Provides access to a shared VPC network

Once granted, service owners can use VPC networks and subnets that belongto the host project. For example, a network user can create a VM instancethat belongs to a host project network but they cannot delete or createnew networks in the host project.

Lowest-level resources where you can grant this role:

  • Project
  • compute.addresses.createInternal
  • compute.addresses.deleteInternal
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.useInternal
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.externalVpnGateways.use
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.interconnects.use
  • compute.networks.access
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regions.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnGateways.use
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zones.*
  • networkconnectivity.locations.*
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list
  • networksecurity.authorizationPolicies.get
  • networksecurity.authorizationPolicies.list
  • networksecurity.authorizationPolicies.use
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.clientTlsPolicies.use
  • networksecurity.locations.*
  • networksecurity.operations.get
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networksecurity.serverTlsPolicies.use
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointConfigSelectors.use
  • networkservices.endpointPolicies.get
  • networkservices.endpointPolicies.list
  • networkservices.endpointPolicies.use
  • networkservices.gateways.get
  • networkservices.gateways.list
  • networkservices.gateways.use
  • networkservices.grpcRoutes.get
  • networkservices.grpcRoutes.list
  • networkservices.grpcRoutes.use
  • networkservices.httpFilters.get
  • networkservices.httpFilters.list
  • networkservices.httpFilters.use
  • networkservices.httpRoutes.get
  • networkservices.httpRoutes.list
  • networkservices.httpRoutes.use
  • networkservices.httpfilters.get
  • networkservices.httpfilters.list
  • networkservices.httpfilters.use
  • networkservices.locations.*
  • networkservices.meshes.get
  • networkservices.meshes.list
  • networkservices.meshes.use
  • networkservices.operations.get
  • networkservices.operations.list
  • networkservices.serviceBindings.get
  • networkservices.serviceBindings.list
  • networkservices.tcpRoutes.get
  • networkservices.tcpRoutes.list
  • networkservices.tcpRoutes.use
  • networkservices.tlsRoutes.get
  • networkservices.tlsRoutes.list
  • networkservices.tlsRoutes.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Network Viewer role

Title and nameDescriptionPermissions
Compute Network Viewer
(roles/compute.networkViewer)

Read-only access to all networking resources

For example, if you have software that inspects your networkconfiguration, you could grant this role to that software'sservice account.

Lowest-level resources where you can grant this role:

  • InstanceBeta
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.machineTypes.*
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.projects.get
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regions.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zones.*
  • networkconnectivity.locations.*
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list
  • networksecurity.authorizationPolicies.get
  • networksecurity.authorizationPolicies.list
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.locations.*
  • networksecurity.operations.get
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointPolicies.get
  • networkservices.endpointPolicies.list
  • networkservices.gateways.get
  • networkservices.gateways.list
  • networkservices.grpcRoutes.get
  • networkservices.grpcRoutes.list
  • networkservices.httpFilters.get
  • networkservices.httpFilters.list
  • networkservices.httpRoutes.get
  • networkservices.httpRoutes.list
  • networkservices.httpfilters.get
  • networkservices.httpfilters.list
  • networkservices.locations.*
  • networkservices.meshes.get
  • networkservices.meshes.list
  • networkservices.operations.get
  • networkservices.operations.list
  • networkservices.serviceBindings.get
  • networkservices.serviceBindings.list
  • networkservices.tcpRoutes.get
  • networkservices.tcpRoutes.list
  • networkservices.tlsRoutes.get
  • networkservices.tlsRoutes.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • trafficdirector.*

Compute Organization Firewall Policy Admin role

Title and nameDescriptionPermissions
Compute Organization Firewall Policy Admin
(roles/compute.orgFirewallPolicyAdmin)
Full control of Compute Engine Organization Firewall Policies.
  • compute.firewallPolicies.cloneRules
  • compute.firewallPolicies.create
  • compute.firewallPolicies.delete
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewallPolicies.move
  • compute.firewallPolicies.setIamPolicy
  • compute.firewallPolicies.update
  • compute.firewallPolicies.use
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.projects.get
  • compute.regionFirewallPolicies.*
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionOperations.setIamPolicy
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Organization Firewall Policy User role

Title and nameDescriptionPermissions
Compute Organization Firewall Policy User
(roles/compute.orgFirewallPolicyUser)
View or use Compute Engine Firewall Policies to associate with the organization or folders.
  • compute.firewallPolicies.get
  • compute.firewallPolicies.list
  • compute.firewallPolicies.use
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.projects.get
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.list
  • compute.regionFirewallPolicies.use
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Organization Security Policy Admin role

Title and nameDescriptionPermissions
Compute Organization Security Policy Admin
(roles/compute.orgSecurityPolicyAdmin)
Full control of Compute Engine Organization Security Policies.
  • compute.firewallPolicies.*
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.projects.get
  • compute.securityPolicies.addAssociation
  • compute.securityPolicies.copyRules
  • compute.securityPolicies.create
  • compute.securityPolicies.delete
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.securityPolicies.move
  • compute.securityPolicies.removeAssociation
  • compute.securityPolicies.setIamPolicy
  • compute.securityPolicies.update
  • compute.securityPolicies.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Organization Security Policy User role

Title and nameDescriptionPermissions
Compute Organization Security Policy User
(roles/compute.orgSecurityPolicyUser)
View or use Compute Engine Security Policies to associate with the organization or folders.
  • compute.firewallPolicies.addAssociation
  • compute.firewallPolicies.get
  • compute.firewallPolicies.list
  • compute.firewallPolicies.removeAssociation
  • compute.firewallPolicies.use
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.projects.get
  • compute.securityPolicies.addAssociation
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.removeAssociation
  • compute.securityPolicies.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Organization Resource Admin role

Title and nameDescriptionPermissions
Compute Organization Resource Admin
(roles/compute.orgSecurityResourceAdmin)
Full control of Compute Engine Firewall Policy associations to the organization or folders.
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.organizations.listAssociations
  • compute.organizations.setFirewallPolicy
  • compute.organizations.setSecurityPolicy
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute OS Admin Login role

Title and nameDescriptionPermissions
Compute OS Admin Login
(roles/compute.osAdminLogin)

Access to log in to a Compute Engine instance as an administratoruser.

Lowest-level resources where you can grant this role:

  • InstanceBeta
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instances.get
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listTagBindings
  • compute.instances.osAdminLogin
  • compute.instances.osLogin
  • compute.projects.get
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute OS Login role

Title and nameDescriptionPermissions
Compute OS Login
(roles/compute.osLogin)

Access to log in to a Compute Engine instance as a standard user.

Lowest-level resources where you can grant this role:

  • InstanceBeta
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instances.get
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listTagBindings
  • compute.instances.osLogin
  • compute.projects.get
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute OS Login External User role

Title and nameDescriptionPermissions
Compute OS Login External User
(roles/compute.osLoginExternalUser)

Available only at the organization level.

Access for an external user to set OS Login information associated withthis organization. This role does not grant access to instances. Externalusers must be granted one of the requiredOS Login roles in order to allow access to instances using SSH.

Lowest-level resources where you can grant this role:

  • Organization
  • compute.oslogin.updateExternalUser

Compute packet mirroring admin role

Title and nameDescriptionPermissions
Compute packet mirroring admin
(roles/compute.packetMirroringAdmin)
Specify resources to be mirrored.
  • compute.instances.updateSecurity
  • compute.networks.mirror
  • compute.projects.get
  • compute.subnetworks.mirror
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute packet mirroring user role

Title and nameDescriptionPermissions
Compute packet mirroring user
(roles/compute.packetMirroringUser)
Use Compute Engine packet mirrorings.
  • compute.packetMirrorings.*
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Public IP Admin role

Title and nameDescriptionPermissions
Compute Public IP Admin
(roles/compute.publicIpAdmin)
Full control of public IP address management for Compute Engine.
  • compute.addresses.*
  • compute.globalAddresses.*
  • compute.globalPublicDelegatedPrefixes.*
  • compute.publicAdvertisedPrefixes.*
  • compute.publicDelegatedPrefixes.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Compute Security Admin role

Title and nameDescriptionPermissions
Compute Security Admin
(roles/compute.securityAdmin)

Permissions to create, modify, and delete firewall rules and SSLcertificates, and also toconfigure Shielded VMsettings.

For example, if your company has a security team that manages firewallsand SSL certificates and a networking team that manages the rest of thenetworking resources, then grant this role to the security team's group.

Lowest-level resources where you can grant this role:

  • InstanceBeta
  • compute.backendBuckets.list
  • compute.backendServices.list
  • compute.firewallPolicies.*
  • compute.firewalls.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.instances.getEffectiveFirewalls
  • compute.instances.list
  • compute.instances.setShieldedInstanceIntegrityPolicy
  • compute.instances.setShieldedVmIntegrityPolicy
  • compute.instances.updateSecurity
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.updateShieldedVmConfig
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.updatePolicy
  • compute.packetMirrorings.*
  • compute.projects.get
  • compute.regionBackendServices.list
  • compute.regionFirewallPolicies.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSecurityPolicies.*
  • compute.regionSslCertificates.*
  • compute.regions.*
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.*
  • compute.sslCertificates.*
  • compute.sslPolicies.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.targetInstances.list
  • compute.targetPools.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Sole Tenant Viewer role

Title and nameDescriptionPermissions
Compute Sole Tenant Viewer
(roles/compute.soleTenantViewer)Beta
Permissions to view sole tenancy node groups
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*

Compute Storage Admin role

Title and nameDescriptionPermissions
Compute Storage Admin
(roles/compute.storageAdmin)

Permissions to create, modify, and delete disks, images, and snapshots.

For example, if your company has someone who manages project images andyou don't want them to have the editor role on the project, then grantthis role to their account on the project.

Lowest-level resources where you can grant this role:

  • Disk
  • Image
  • Snapshot Beta
  • compute.diskTypes.*
  • compute.disks.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.images.*
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.resourcePolicies.*
  • compute.snapshots.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Viewer role

Title and nameDescriptionPermissions
Compute Viewer
(roles/compute.viewer)

Read-only access to get and list Compute Engine resources, withoutbeing able to read the data stored on them.

For example, an account with this role could inventory all of the disks ina project, but it could not read any of the data on those disks.

Lowest-level resources where you can grant this role:

  • Disk
  • Image
  • Instance
  • Instance template
  • Node group
  • Node template
  • Snapshot Beta
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEdgeSecurityServices.get
  • compute.networkEdgeSecurityServices.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.getIamPolicy
  • compute.regionFirewallPolicies.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSecurityPolicies.get
  • compute.regionSecurityPolicies.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.getIamPolicy
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Shared VPC Admin role

Title and nameDescriptionPermissions
Compute Shared VPC Admin
(roles/compute.xpnAdmin)

Permissions to administer shared VPC host projects,specifically enabling the host projects and associating shared VPC service projects to the hostproject's network.

At the organization level, this role can only be granted by an organization admin.

Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. TheShared VPC Admin is responsible for granting the Compute Network User role(roles/compute.networkUser) to service owners, and the shared VPC host project ownercontrols the project itself. Managing the project is easier if a single principal (individual orgroup) can fulfill both roles.

Lowest-level resources where you can grant this role:

  • Folder
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.organizations.administerXpn
  • compute.organizations.disableXpnHost
  • compute.organizations.disableXpnResource
  • compute.organizations.enableXpnHost
  • compute.organizations.enableXpnResource
  • compute.projects.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.setIamPolicy
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

GuestPolicy Admin role

Title and nameDescriptionPermissions
GuestPolicy Admin
(roles/osconfig.guestPolicyAdmin)Beta
Full admin access to GuestPolicies
  • osconfig.guestPolicies.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

GuestPolicy Editor role

Title and nameDescriptionPermissions
GuestPolicy Editor
(roles/osconfig.guestPolicyEditor)Beta
Editor of GuestPolicy resources
  • osconfig.guestPolicies.get
  • osconfig.guestPolicies.list
  • osconfig.guestPolicies.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

GuestPolicy Viewer role

Title and nameDescriptionPermissions
GuestPolicy Viewer
(roles/osconfig.guestPolicyViewer)Beta
Viewer of GuestPolicy resources
  • osconfig.guestPolicies.get
  • osconfig.guestPolicies.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

InstanceOSPoliciesCompliance Viewer role

Title and nameDescriptionPermissions
InstanceOSPoliciesCompliance Viewer
(roles/osconfig.instanceOSPoliciesComplianceViewer)Beta
Viewer of OS Policies Compliance of VM instances
  • osconfig.instanceOSPoliciesCompliances.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OS Inventory Viewer role

Title and nameDescriptionPermissions
OS Inventory Viewer
(roles/osconfig.inventoryViewer)
Viewer of OS Inventories
  • osconfig.inventories.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OSPolicyAssignment Admin role

Title and nameDescriptionPermissions
OSPolicyAssignment Admin
(roles/osconfig.osPolicyAssignmentAdmin)
Full admin access to OS Policy Assignments
  • osconfig.osPolicyAssignments.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OSPolicyAssignment Editor role

Title and nameDescriptionPermissions
OSPolicyAssignment Editor
(roles/osconfig.osPolicyAssignmentEditor)
Editor of OS Policy Assignments
  • osconfig.osPolicyAssignments.get
  • osconfig.osPolicyAssignments.list
  • osconfig.osPolicyAssignments.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OSPolicyAssignmentReport Viewer role

Title and nameDescriptionPermissions
OSPolicyAssignmentReport Viewer
(roles/osconfig.osPolicyAssignmentReportViewer)
Viewer of OS policy assignment reports for VM instances
  • osconfig.osPolicyAssignmentReports.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OSPolicyAssignment Viewer role

Title and nameDescriptionPermissions
OSPolicyAssignment Viewer
(roles/osconfig.osPolicyAssignmentViewer)
Viewer of OS Policy Assignments
  • osconfig.osPolicyAssignments.get
  • osconfig.osPolicyAssignments.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

PatchDeployment Admin role

Title and nameDescriptionPermissions
PatchDeployment Admin
(roles/osconfig.patchDeploymentAdmin)
Full admin access to PatchDeployments
  • osconfig.patchDeployments.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

PatchDeployment Viewer role

Title and nameDescriptionPermissions
PatchDeployment Viewer
(roles/osconfig.patchDeploymentViewer)
Viewer of PatchDeployment resources
  • osconfig.patchDeployments.get
  • osconfig.patchDeployments.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Patch Job Executor role

Title and nameDescriptionPermissions
Patch Job Executor
(roles/osconfig.patchJobExecutor)
Access to execute Patch Jobs.
  • osconfig.patchJobs.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Patch Job Viewer role

Title and nameDescriptionPermissions
Patch Job Viewer
(roles/osconfig.patchJobViewer)
Get and list Patch Jobs.
  • osconfig.patchJobs.get
  • osconfig.patchJobs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OS VulnerabilityReport Viewer role

Title and nameDescriptionPermissions
OS VulnerabilityReport Viewer
(roles/osconfig.vulnerabilityReportViewer)
Viewer of OS VulnerabilityReports
  • osconfig.vulnerabilityReports.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

DNS Administrator role

Title and nameDescriptionPermissions
DNS Administrator
(roles/dns.admin)

Provides read-write access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

  • Project
  • compute.networks.get
  • compute.networks.list
  • dns.changes.*
  • dns.dnsKeys.*
  • dns.managedZoneOperations.*
  • dns.managedZones.create
  • dns.managedZones.delete
  • dns.managedZones.get
  • dns.managedZones.getIamPolicy
  • dns.managedZones.list
  • dns.managedZones.update
  • dns.networks.*
  • dns.policies.create
  • dns.policies.delete
  • dns.policies.get
  • dns.policies.getIamPolicy
  • dns.policies.list
  • dns.policies.update
  • dns.projects.get
  • dns.resourceRecordSets.*
  • dns.responsePolicies.*
  • dns.responsePolicyRules.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

DNS Peer role

Title and nameDescriptionPermissions
DNS Peer
(roles/dns.peer)
Access to target networks with DNS peering zones
  • dns.networks.targetWithPeeringZone

DNS Reader role

Title and nameDescriptionPermissions
DNS Reader
(roles/dns.reader)

Provides read-only access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

  • Project
  • compute.networks.get
  • dns.changes.get
  • dns.changes.list
  • dns.dnsKeys.*
  • dns.managedZoneOperations.*
  • dns.managedZones.get
  • dns.managedZones.list
  • dns.policies.get
  • dns.policies.list
  • dns.projects.get
  • dns.resourceRecordSets.get
  • dns.resourceRecordSets.list
  • dns.responsePolicies.get
  • dns.responsePolicies.list
  • dns.responsePolicyRules.get
  • dns.responsePolicyRules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Service Account Admin role

Title and nameDescriptionPermissions
Service Account Admin
(roles/iam.serviceAccountAdmin)
Create and manage service accounts.

Lowest-level resources where you can grant this role:

  • Service Account
  • iam.serviceAccounts.create
  • iam.serviceAccounts.delete
  • iam.serviceAccounts.disable
  • iam.serviceAccounts.enable
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.list
  • iam.serviceAccounts.setIamPolicy
  • iam.serviceAccounts.undelete
  • iam.serviceAccounts.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Create Service Accounts role

Title and nameDescriptionPermissions
Create Service Accounts
(roles/iam.serviceAccountCreator)
Access to create service accounts.
  • iam.serviceAccounts.create
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Delete Service Accounts role

Title and nameDescriptionPermissions
Delete Service Accounts
(roles/iam.serviceAccountDeleter)
Access to delete service accounts.
  • iam.serviceAccounts.delete
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Service Account Key Admin role

Title and nameDescriptionPermissions
Service Account Key Admin
(roles/iam.serviceAccountKeyAdmin)
Create and manage (and rotate) service account keys.

Lowest-level resources where you can grant this role:

  • Service Account
  • iam.serviceAccountKeys.*
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Service Account OpenID Connect Identity Token Creator role

Title and nameDescriptionPermissions
Service Account OpenID Connect Identity Token Creator
(roles/iam.serviceAccountOpenIdTokenCreator)
Create OpenID Connect (OIDC) identity tokens
  • iam.serviceAccounts.getOpenIdToken

Service Account Token Creator role

Title and nameDescriptionPermissions
Service Account Token Creator
(roles/iam.serviceAccountTokenCreator)
Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).

Lowest-level resources where you can grant this role:

  • Service Account
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.implicitDelegation
  • iam.serviceAccounts.list
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Service Account User role

Title and nameDescriptionPermissions
Service Account User
(roles/iam.serviceAccountUser)
Run operations as the service account.

Lowest-level resources where you can grant this role:

  • Service Account
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

View Service Accounts role

Title and nameDescriptionPermissions
View Service Accounts
(roles/iam.serviceAccountViewer)
Read access to service accounts, metadata, and keys.
  • iam.serviceAccountKeys.get
  • iam.serviceAccountKeys.list
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Workload Identity User role

Title and nameDescriptionPermissions
Workload Identity User
(roles/iam.workloadIdentityUser)
Impersonate service accounts from GKE Workloads
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.list

What's next

  • Learn more about IAM.
  • Learn how to create and manage custom IAM roles.
  • Grant IAM roles to project users.
  • Grant IAM roles for specific Compute Engine resources.
  • Grant IAM roles to service accounts.

FAQs

How long does it take for IAM permissions to take effect GCP? ›

Why can a user not access resources shortly after permission is granted, or continue to access resources after permission is removed? In general, policy changes take effect within 60 seconds. However, in some cases, it can take 7 minutes or more for changes to propagate across the system.

What are the three types of roles in cloud IAM? ›

These roles are Owner, Editor, and Viewer. Caution: Basic roles include thousands of permissions across all Google Cloud services. In production environments, do not grant basic roles unless there is no alternative. Instead, grant the most limited predefined roles or custom roles that meet your needs.

What are the two types of IAM roles on GCP? ›

GCP IAM roles explained

Predefined: Predefined roles provide finer-grain access to specific services in the Google Cloud. Custom: Custom roles provide finer-grain access to an organization-specific list of permissions to meet specific needs.

What is the difference between Google App Engine and Google Compute Engine? ›

Google App Engine is a Platform as a Service (PaaS) solution that makes deployment easier. On the other hand, the Google Compute Engine is an Infrastructure as a Service (IaaS) tool.

What is the most efficient method for managing permissions for multiple IAM users? ›

Establish permissions guardrails across multiple accounts

We recommend that you use Organizations service control policies (SCPs) to establish permissions guardrails to control access for all IAM users and roles across your accounts.

How long does it take to implement IAM? ›

You read that right, our products are so simple to use and implement that end-users do not even require training to start imbibing it. 8. The never-ending implementation time: IAM implementations typically take between 6 months to 2 years and require further investment for maintenance and upgrades.

How do you manage IAM roles? ›

Managing IAM roles
  1. Modify the policies that are associated with the role.
  2. Change who can access the role.
  3. Edit the permissions that the role grants to users.
  4. Change the maximum session duration setting for roles that are assumed using the AWS Management Console, AWS CLI or API.

How do IAM roles work? ›

An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.

What is the difference between IAM roles and policies? ›

IAM Roles manage who has access to your AWS resources, whereas IAM policies control their permissions. A Role with no Policy attached to it won't have to access any AWS resources. A Policy that is not attached to an IAM role is effectively unused.

What is the maximum duration of a temporary access role? ›

The duration, in seconds, of the role session. The value specified can range from 900 seconds (15 minutes) up to the maximum session duration set for the role. The maximum session duration setting can have a value from 1 hour to 12 hours.

What is IAM policy binding in GCP? ›

An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A Policy is a collection of bindings . A binding binds one or more members , or principals, to a single role . Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite).

How do I add permissions to a service account in GCP? ›

Add the Service Account as a Member to the Project
  1. Open the IAM page in the GCP console for the XPN project.
  2. Click on Add.
  3. Select the Service Account as the New Member.
  4. Select the Role with the desired permissions.
  5. Click on Save.

What can you use to assign permissions directly to an IAM user? ›

You can change the permissions for an IAM user in your AWS account by changing its group memberships, by copying permissions from an existing user, by attaching policies directly to a user, or by setting a permissions boundary. A permissions boundary controls the maximum permissions that a user can have.

Videos

1. Google Cloud IAM Tutorial | Identity & Access Management on GCP | GCP Training | Edureka
(edureka!)
2. Assign role to Service account - Google Cloud
(CarbonRider)
3. IAM Custom Roles
(Israel Emmanuel)
4. Google Cloud Fundamentals: Getting Started with Compute Engine
(Adrianus Yoga)
5. Best practices for Identity and Access Management on Compute Engine (Google Cloud Next '17)
(Google Cloud Tech)
6. How to create IAM user permission and service account in google cloud platform
(Cloud Easy)
Top Articles
Latest Posts
Article information

Author: The Hon. Margery Christiansen

Last Updated: 12/11/2022

Views: 5725

Rating: 5 / 5 (50 voted)

Reviews: 89% of readers found this page helpful

Author information

Name: The Hon. Margery Christiansen

Birthday: 2000-07-07

Address: 5050 Breitenberg Knoll, New Robert, MI 45409

Phone: +2556892639372

Job: Investor Mining Engineer

Hobby: Sketching, Cosplaying, Glassblowing, Genealogy, Crocheting, Archery, Skateboarding

Introduction: My name is The Hon. Margery Christiansen, I am a bright, adorable, precious, inexpensive, gorgeous, comfortable, happy person who loves writing and wants to share my knowledge and understanding with you.