BERJAYA

When an identity calls a Google Cloud Platform API, Cloud Identity and Access Management requires that the identity has the appropriate permissions to use the resource. You can grant permissions by granting roles to a user, a group, or a service account.

This page describes the Cloud IAM roles that you can grant to identities to access Cloud Platform resources.

Prerequisite for this guide

Understand the basic concepts of Cloud IAM

Role types

There are three types of roles in Cloud IAM:

Primitive roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of Cloud IAM
Predefined roles, which provide granular access for a specific service and are managed by GCP
Custom roles, which provide granular access according to a user-specified list of permissions

To determine if one or more permissions are included in a primitive, predefined, or custom role, you can use one of the following methods:

The gcloud iam roles describe command
The roles.get() API

The sections below describe each role type and provide examples of how to use them.

Primitive roles

There are three roles that existed prior to the introduction of Cloud IAM: Owner, Editor, and Viewer. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role.

The following table summarizes the permissions that the primitive roles include across all GCP services:

Primitive role definitions

Name	Title	Permissions
`roles/viewer`	Viewer	Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
`roles/editor`	Editor	All viewer permissions, plus permissions for actions that modify state, such as changing existing resources. Note: While the `roles/editor` role contains permissions to create and delete resources for most GCP services, some services (such as Cloud Source Repositories and Stackdriver) do not include these permissions. See the section above for more information on how to check if a role has the permissions that you need.
`roles/owner`	Owner	All editor permissions and permissions for the following actions: Manage roles and permissions for a project and all resources within the project. Set up billing for a project. Note: Granting the owner role at a resource-level, such as a Cloud Pub/Sub topic, doesn't grant the owner role on the parent project. The owner role doesn't contain any permission for the Organization resource. Therefore, granting the owner role at the organization-level doesn't allow you to update the organization's metadata. However, it allows you to modify projects under that organization.

You can apply primitive roles at the project or service resource levels by using GCP Console, the API and the gcloud command-line tool.

Invitation flow

You cannot grant the owner role to a member for a project using the Cloud IAM API or the gcloud command-line tool. You can only add owners to a project using the GCP Console. An invitation will be sent to the member via email and the member must accept the invitation to be made an owner of the project.

Note that invitation emails aren't sent in the following cases:

when you're granting a role other than the owner.
when an organization member adds another member of their organization as an owner of a project within that organization.

Predefined roles

In addition to the primitive roles, Cloud IAM provides additional predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources.

The following table lists these roles, their description, and the lowest-level resource type where the roles can be set. A particular role can be granted to this resource type, or in most cases any type above it in the GCP hierarchy. You can grant multiple roles to the same user. For example, the same user can have Network Admin and Log Viewer roles on a project and also have a Publisher role for a Pub/Sub topic within that project. For a list of the permissions contained in a role, see Getting the role metadata.

Access Approval roles

Role	Title	Description	Permissions
`roles/ accessapproval.approver`	Access Approval Approver ^Beta	Ability to view or act on access approval requests and view configuration	accessapproval.requests.* accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ accessapproval.configEditor`	Access Approval Config Editor ^Beta	Ability update the Access Approval configuration	accessapproval.settings.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ accessapproval.viewer`	Access Approval Viewer ^Beta	Ability to view access approval requests and configuration	accessapproval.requests.get accessapproval.requests.list accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list

Android Management roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ androidmanagement.user`	Android Management User	Full access to manage devices.	androidmanagement.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

App Engine roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ appengine.appAdmin`	App Engine Admin	Read/Write/Modify access to all application configuration and settings.	appengine.applications.get appengine.applications.update appengine.instances.* appengine.operations.* appengine.runtimes.* appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ appengine.appViewer`	App Engine Viewer	Read-only access to all application configuration and settings.	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ appengine.codeViewer`	App Engine Code Viewer	Read-only access to all application configuration, settings, and deployed source code.	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.getFileContents appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ appengine.deployer`	App Engine Deployer	Read-only access to all application configuration and settings. Write access only to create a new version; cannot modify existing versions other than deleting versions that are not receiving traffic. Note: The App Engine Deployer (`roles/appengine.deployer`) role alone grants adequate permission to deploy using the App Engine Admin API. To use other App Engine tooling, like gcloud commands, you must also have the Compute Storage Admin (`roles/compute.storageAdmin`) and Cloud Build Editor (`cloudbuild.builds.editor`) roles.	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ appengine.serviceAdmin`	App Engine Service Admin	Read-only access to all application configuration and settings. Write access to module-level and version-level settings. Cannot deploy a new version.	appengine.applications.get appengine.instances.* appengine.operations.* appengine.services.* appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list	Project

AutoML roles

Role	Title	Description	Permissions
`roles/ automl.admin`	AutoML Admin ^Beta	Full access to all AutoML resources	automl.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list
`roles/ automl.editor`	AutoML Editor ^Beta	Editor of all AutoML resources	automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list
`roles/ automl.predictor`	AutoML Predictor ^Beta	Predict using models	automl.models.predict resourcemanager.projects.get resourcemanager.projects.list
`roles/ automl.viewer`	AutoML Viewer ^Beta	Viewer of all AutoML resources	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list

BigQuery roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ bigquery.admin`	BigQuery Admin	Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.	bigquery.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ bigquery.connectionAdmin`	BigQuery Connection Admin ^Beta		bigquery.connections.*
`roles/ bigquery.connectionUser`	BigQuery Connection User ^Beta		bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use
`roles/ bigquery.dataEditor`	BigQuery Data Editor	When applied to a dataset, dataEditor provides permissions to: Read the dataset's metadata and to list tables in the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.	bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list	Dataset
`roles/ bigquery.dataOwner`	BigQuery Data Owner	When applied to a dataset, dataOwner provides permissions to: Read, update, and delete the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.	bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list	Dataset
`roles/ bigquery.dataViewer`	BigQuery Data Viewer	When applied to a dataset, dataViewer provides permissions to: Read the dataset's metadata and to list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	Dataset
`roles/ bigquery.jobUser`	BigQuery Job User	Provides permissions to run jobs, including queries, within the project. The jobUser role can enumerate their own jobs and cancel their own jobs.	bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ bigquery.metadataViewer`	BigQuery Metadata Viewer	When applied at the project or organization level, metadataViewer provides permissions to: List all datasets and read metadata for all datasets in the project. List all tables and views and read metadata for all tables and views in the project. Additional roles are necessary to allow the running of jobs.	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ bigquery.readSessionUser`	BigQuery Read Session User ^Beta	Access to create and use read sessions	bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ bigquery.user`	BigQuery User	Provides permissions to run jobs, including queries, within the project. The user role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the `bigquery.dataOwner` role for these new datasets.	bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get resourcemanager.projects.get resourcemanager.projects.list	Project

Cloud Bigtable roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ bigtable.admin`	Bigtable Administrator	Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators.	bigtable.* monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	Instance
`roles/ bigtable.reader`	Bigtable Reader	Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios.	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	Instance
`roles/ bigtable.user`	Bigtable User	Provides read-write access to the data stored within tables. Intended for application developers or service accounts.	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.mutateRows bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	Instance
`roles/ bigtable.viewer`	Bigtable Viewer	Provides no data access. Intended as a minimal set of permissions to access the GCP Console for Cloud Bigtable.	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	Instance

Billing roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ billing.admin`	Billing Account Administrator	Provides access to see and manage all aspects of billing accounts.	billing.accounts.close billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.move billing.accounts.redeemPromotion billing.accounts.removeFromOrganization billing.accounts.reopen billing.accounts.setIamPolicy billing.accounts.update billing.accounts.updatePaymentInfo billing.accounts.updateUsageExportSpec billing.budgets.* billing.credits.* billing.resourceAssociations.* billing.subscriptions.* cloudnotifications.* logging.logEntries.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment	Billing Account
`roles/ billing.creator`	Billing Account Creator	Provides access to create billing accounts.	billing.accounts.create resourcemanager.organizations.get	Project
`roles/ billing.projectManager`	Project Billing Manager	Provides access to assign a project's billing account or disable its billing.	resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment	Project
`roles/ billing.user`	Billing Account User	Provides access to associate projects with billing accounts.	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing.accounts.redeemPromotion billing.credits.* billing.resourceAssociations.create	Billing Account
`roles/ billing.viewer`	Billing Account Viewer	View billing account cost information and transactions.	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.budgets.get billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.get billing.subscriptions.list	Organization Billing Account

Binary Authorization roles

Role	Title	Description	Permissions
`roles/ binaryauthorization.attestorsAdmin`	Binary Authorization Attestor Admin ^Beta	Adminstrator of Binary Authorization Attestors	binaryauthorization.attestors.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ binaryauthorization.attestorsEditor`	Binary Authorization Attestor Editor ^Beta	Editor of Binary Authorization Attestors	binaryauthorization.attestors.create binaryauthorization.attestors.delete binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.update binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
`roles/ binaryauthorization.attestorsVerifier`	Binary Authorization Attestor Image Verifier ^Beta	Caller of Binary Authorization Attestors VerifyImageAttested	binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
`roles/ binaryauthorization.attestorsViewer`	Binary Authorization Attestor Viewer ^Beta	Viewer of Binary Authorization Attestors	binaryauthorization.attestors.get binaryauthorization.attestors.list resourcemanager.projects.get resourcemanager.projects.list
`roles/ binaryauthorization.policyAdmin`	Binary Authorization Policy Administrator ^Beta	Administrator of Binary Authorization Policy	binaryauthorization.policy.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ binaryauthorization.policyEditor`	Binary Authorization Policy Editor ^Beta	Editor of Binary Authorization Policy	binaryauthorization.policy.get binaryauthorization.policy.update resourcemanager.projects.get resourcemanager.projects.list
`roles/ binaryauthorization.policyViewer`	Binary Authorization Policy Viewer ^Beta	Viewer of Binary Authorization Policy	binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list

Cloud Asset roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ cloudasset.viewer`	Cloud Asset Viewer	Read only access to cloud assets metadata	cloudasset.*

Cloud Build roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ cloudbuild.builds.builder`	Cloud Build Service Account	Can perform builds	cloudbuild.* logging.logEntries.create pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/ cloudbuild.builds.editor`	Cloud Build Editor	Provides access to create and cancel builds.	cloudbuild.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ cloudbuild.builds.viewer`	Cloud Build Viewer	Provides access to view builds.	cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list	Project

Cloud Data Fusion roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ datafusion.admin`	Cloud Data Fusion Admin ^Beta	Full access to Cloud Data Fusion Instances and related resources.	datafusion.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ datafusion.viewer`	Cloud Data Fusion Viewer ^Beta	Read-only access to Cloud Data Fusion Instances and related resources.	datafusion.instances.get datafusion.instances.getIamPolicy datafusion.instances.list datafusion.locations.* datafusion.operations.get datafusion.operations.list resourcemanager.projects.get resourcemanager.projects.list

Stackdriver Debugger roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ clouddebugger.agent`	Stackdriver Debugger Agent ^Beta	Provides permissions to register the debug target, read active breakpoints, and report breakpoint results.	clouddebugger.breakpoints.list clouddebugger.breakpoints.listActive clouddebugger.breakpoints.update clouddebugger.debuggees.create	Service Account
`roles/ clouddebugger.user`	Stackdriver Debugger User ^Beta	Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees).	clouddebugger.breakpoints.create clouddebugger.breakpoints.delete clouddebugger.breakpoints.get clouddebugger.breakpoints.list clouddebugger.debuggees.list	Project

Cloud Functions roles

Role	Title	Description	Permissions
`roles/ cloudfunctions.admin`	Cloud Functions Admin ^Beta	Full access to functions, operations and locations.	cloudfunctions.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/ cloudfunctions.developer`	Cloud Functions Developer ^Beta	Read and write access to all functions-related resources.	cloudfunctions.functions.call cloudfunctions.functions.create cloudfunctions.functions.delete cloudfunctions.functions.get cloudfunctions.functions.invoke cloudfunctions.functions.list cloudfunctions.functions.sourceCodeGet cloudfunctions.functions.sourceCodeSet cloudfunctions.functions.update cloudfunctions.locations.* cloudfunctions.operations.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/ cloudfunctions.invoker`	Cloud Functions Invoker ^Beta	Ability to invoke HTTP functions with restricted access.	cloudfunctions.functions.invoke
`roles/ cloudfunctions.viewer`	Cloud Functions Viewer ^Beta	Read-only access to functions and locations.	cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud IAP roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ iap.admin`	IAP Policy Admin	Provides full access to Cloud Identity-Aware Proxy resources.	iap.tunnel.* iap.tunnelInstances.getIamPolicy iap.tunnelInstances.setIamPolicy iap.tunnelZones.* iap.web.* iap.webServiceVersions.getIamPolicy iap.webServiceVersions.setIamPolicy iap.webServices.* iap.webTypes.*	Project
`roles/ iap.httpsResourceAccessor`	IAP-secured Web App User	Provides permission to access HTTPS resources which use Cloud Identity-Aware Proxy.	iap.webServiceVersions.accessViaIAP	Project
`roles/ iap.tunnelResourceAccessor`	IAP-secured Tunnel User ^Beta	Access Tunnel resources which use Identity-Aware Proxy	iap.tunnelInstances.accessViaIAP

Cloud IoT roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ cloudiot.admin`	Cloud IoT Admin	Full control of all Cloud IoT resources and permissions.	cloudiot.* cloudiottoken.*	Device
`roles/ cloudiot.deviceController`	Cloud IoT Device Controller	Access to update the configuration of devices, but not to create or delete devices.	cloudiot.devices.get cloudiot.devices.list cloudiot.devices.sendCommand cloudiot.devices.updateConfig cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	Device
`roles/ cloudiot.editor`	Cloud IoT Editor	Read-write access to all Cloud IoT resources.	cloudiot.devices.* cloudiot.registries.create cloudiot.registries.delete cloudiot.registries.get cloudiot.registries.list cloudiot.registries.update cloudiottoken.*	Device
`roles/ cloudiot.provisioner`	Cloud IoT Provisioner	Access to create and delete devices from registries, but not to modify the registries.	cloudiot.devices.* cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	Device
`roles/ cloudiot.viewer`	Cloud IoT Viewer	Read-only access to all Cloud IoT resources.	cloudiot.devices.get cloudiot.devices.list cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	Device

Cloud Talent Solution roles

Role	Title	Description	Permissions
`roles/ cloudjobdiscovery.admin`	Admin	Access to Cloud Job Discovery Self-Service Tools	cloudjobdiscovery.tools.* iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
`roles/ cloudjobdiscovery.jobsEditor`	Job Editor	Write access to all Cloud Job Discovery data.	cloudjobdiscovery.companies.* cloudjobdiscovery.events.* cloudjobdiscovery.jobs.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ cloudjobdiscovery.jobsViewer`	Job Viewer	Read access to all Cloud Job Discovery data.	cloudjobdiscovery.companies.get cloudjobdiscovery.companies.list cloudjobdiscovery.jobs.get cloudjobdiscovery.jobs.search resourcemanager.projects.get resourcemanager.projects.list
`roles/ cloudjobdiscovery.profilesEditor`	Profile Editor	Write access to all profile data in Cloud Talent Solution.	cloudjobdiscovery.events.* cloudjobdiscovery.profiles.* cloudjobdiscovery.tenants.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ cloudjobdiscovery.profilesViewer`	Profile Viewer	Read access to all profile data in Cloud Talent Solution.	cloudjobdiscovery.profiles.get cloudjobdiscovery.profiles.search cloudjobdiscovery.tenants.get resourcemanager.projects.get resourcemanager.projects.list

Cloud KMS roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ cloudkms.admin`	Cloud KMS Admin	Provides full access to Cloud KMS resources, except encrypt and decrypt operations.	cloudkms.cryptoKeyVersions.create cloudkms.cryptoKeyVersions.destroy cloudkms.cryptoKeyVersions.get cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeyVersions.restore cloudkms.cryptoKeyVersions.update cloudkms.cryptoKeys.* cloudkms.keyRings.* resourcemanager.projects.get	CryptoKey
`roles/ cloudkms.cryptoKeyDecrypter`	Cloud KMS CryptoKey Decrypter	Provides ability to use Cloud KMS resources for decrypt operations only.	cloudkms.cryptoKeyVersions.useToDecrypt resourcemanager.projects.get	CryptoKey
`roles/ cloudkms.cryptoKeyEncrypter`	Cloud KMS CryptoKey Encrypter	Provides ability to use Cloud KMS resources for encrypt operations only.	cloudkms.cryptoKeyVersions.useToEncrypt resourcemanager.projects.get	CryptoKey
`roles/ cloudkms.cryptoKeyEncrypterDecrypter`	Cloud KMS CryptoKey Encrypter/Decrypter	Provides ability to use Cloud KMS resources for encrypt and decrypt operations only.	cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.cryptoKeyVersions.useToEncrypt resourcemanager.projects.get	CryptoKey
`roles/ cloudkms.publicKeyViewer`	Cloud KMS CryptoKey Public Key Viewer ^Beta	Enables GetPublicKey operations	cloudkms.cryptoKeyVersions.viewPublicKey resourcemanager.projects.get
`roles/ cloudkms.signer`	Cloud KMS CryptoKey Signer ^Beta	Enables the AsymmetricSign operation	cloudkms.cryptoKeyVersions.useToSign resourcemanager.projects.get
`roles/ cloudkms.signerVerifier`	Cloud KMS CryptoKey Signer/Verifier ^Beta	Enables AsymmetricSign, and GetPublicKey operations	cloudkms.cryptoKeyVersions.useToSign cloudkms.cryptoKeyVersions.viewPublicKey resourcemanager.projects.get

Cloud Migration roles

Role	Title	Description	Permissions
`roles/ cloudmigration.inframanager`	Velostrata Manager ^Beta	Ability to create and manage Compute VMs to run Velostrata Infrastructure	cloudmigration.* compute.addresses.* compute.diskTypes.* compute.disks.create compute.disks.delete compute.disks.get compute.disks.list compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.images.get compute.images.list compute.images.useReadOnly compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.getSerialPortOutput compute.instances.list compute.instances.reset compute.instances.setDiskAutoDelete compute.instances.setLabels compute.instances.setMachineType compute.instances.setMetadata compute.instances.setMinCpuPlatform compute.instances.setScheduling compute.instances.setServiceAccount compute.instances.setTags compute.instances.start compute.instances.startWithEncryptionKey compute.instances.stop compute.instances.update compute.instances.updateNetworkInterface compute.instances.updateShieldedInstanceConfig compute.instances.use compute.licenseCodes.get compute.licenseCodes.list compute.licenseCodes.update compute.licenseCodes.use compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.nodeTemplates.list compute.projects.get compute.regionOperations.get compute.regions.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zoneOperations.get compute.zones.* iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update
`roles/ cloudmigration.storageaccess`	Velostrata Storage Access ^Beta	Ability to access migration storage	storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/ cloudmigration.velostrataconnect`	Velostrata Manager Connection Agent ^Beta	Ability to set up connection between Velostrata Manager and Google	cloudmigration.*

Cloud Private Catalog roles

Role	Title	Description	Permissions
`roles/ cloudprivatecatalog.consumer`	Catalog Consumer ^Beta	Can browse catalogs in the target resource context.	cloudprivatecatalog.*
`roles/ cloudprivatecatalogproducer.admin`	Catalog Admin ^Beta	Can manage catalog and view its associations.	cloudprivatecatalogproducer.associations.* cloudprivatecatalogproducer.catalogs.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get
`roles/ cloudprivatecatalogproducer.manager`	Catalog Manager ^Beta	Can manage associations between a catalog and a target resource.	cloudprivatecatalog.* cloudprivatecatalogproducer.associations.* cloudprivatecatalogproducer.catalogs.get cloudprivatecatalogproducer.catalogs.list cloudprivatecatalogproducer.targets.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get

Stackdriver Profiler roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ cloudprofiler.agent`	Stackdriver Profiler Agent ^Beta	Stackdriver Profiler agents are allowed to register and provide the profiling data.	cloudprofiler.profiles.create cloudprofiler.profiles.update
`roles/ cloudprofiler.user`	Stackdriver Profiler User ^Beta	Stackdriver Profiler users are allowed to query and view the profiling data.	cloudprofiler.profiles.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud Scheduler roles

Role	Title	Description	Permissions
`roles/ cloudscheduler.admin`	Cloud Scheduler Admin ^Beta	Full access to jobs and executions.	cloudscheduler.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ cloudscheduler.jobRunner`	Cloud Scheduler Job Runner ^Beta	Access to run jobs.	cloudscheduler.jobs.fullView cloudscheduler.jobs.run resourcemanager.projects.get resourcemanager.projects.list
`roles/ cloudscheduler.viewer`	Cloud Scheduler Viewer ^Beta	Get and list access to jobs, executions, and locations.	cloudscheduler.jobs.fullView cloudscheduler.jobs.get cloudscheduler.jobs.list cloudscheduler.locations.* resourcemanager.projects.get resourcemanager.projects.list

Cloud Security Scanner roles

Role	Title	Description	Permissions
`roles/ cloudsecurityscanner.editor`	Cloud Security Scanner Editor	Full access to all Cloud Security Scanner resources	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/ cloudsecurityscanner.runner`	Cloud Security Scanner Runner	Read access to Scan and ScanRun, plus the ability to start scans	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.list cloudsecurityscanner.scanruns.stop cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list cloudsecurityscanner.scans.run
`roles/ cloudsecurityscanner.viewer`	Cloud Security Scanner Viewer	Read access to all Cloud Security Scanner resources	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud Services roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ servicebroker.admin`	Service Broker Admin ^Beta	Full access to ServiceBroker resources.	servicebroker.*
`roles/ servicebroker.operator`	Service Broker Operator ^Beta	Operational access to the ServiceBroker resources.	servicebroker.bindingoperations.* servicebroker.bindings.create servicebroker.bindings.delete servicebroker.bindings.get servicebroker.bindings.list servicebroker.catalogs.create servicebroker.catalogs.delete servicebroker.catalogs.get servicebroker.catalogs.list servicebroker.instanceoperations.* servicebroker.instances.create servicebroker.instances.delete servicebroker.instances.get servicebroker.instances.list servicebroker.instances.update

Cloud SQL roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ cloudsql.admin`	Cloud SQL Admin	Provides full control of Cloud SQL resources.	cloudsql.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/ cloudsql.client`	Cloud SQL Client	Provides connectivity access to Cloud SQL instances.	cloudsql.instances.connect cloudsql.instances.get	Project
`roles/ cloudsql.editor`	Cloud SQL Editor	Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources.	cloudsql.backupRuns.create cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.create cloudsql.databases.get cloudsql.databases.list cloudsql.databases.update cloudsql.instances.addServerCa cloudsql.instances.connect cloudsql.instances.export cloudsql.instances.failover cloudsql.instances.get cloudsql.instances.list cloudsql.instances.listServerCas cloudsql.instances.restart cloudsql.instances.rotateServerCa cloudsql.instances.truncateLog cloudsql.instances.update cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/ cloudsql.viewer`	Cloud SQL Viewer	Provides read-only access to Cloud SQL resources.	cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.get cloudsql.databases.list cloudsql.instances.export cloudsql.instances.get cloudsql.instances.list cloudsql.instances.listServerCas cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project

Cloud Tasks roles

Role	Title	Description	Permissions
`roles/ cloudtasks.admin`	Cloud Tasks Admin ^Beta	Full access to queues and tasks.	cloudtasks.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ cloudtasks.enqueuer`	Cloud Tasks Enqueuer ^Beta	Access to create tasks.	cloudtasks.tasks.create cloudtasks.tasks.fullView resourcemanager.projects.get resourcemanager.projects.list
`roles/ cloudtasks.queueAdmin`	Cloud Tasks Queue Admin ^Beta	Admin access to queues.	cloudtasks.locations.* cloudtasks.queues.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ cloudtasks.taskDeleter`	Cloud Tasks Task Deleter ^Beta	Access to delete tasks.	cloudtasks.tasks.delete resourcemanager.projects.get resourcemanager.projects.list
`roles/ cloudtasks.taskRunner`	Cloud Tasks Task Runner ^Beta	Access to run tasks.	cloudtasks.tasks.fullView cloudtasks.tasks.run resourcemanager.projects.get resourcemanager.projects.list
`roles/ cloudtasks.viewer`	Cloud Tasks Viewer ^Beta	Get and list access to tasks, queues, and locations.	cloudtasks.locations.* cloudtasks.queues.get cloudtasks.queues.list cloudtasks.tasks.fullView cloudtasks.tasks.get cloudtasks.tasks.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Trace roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ cloudtrace.admin`	Cloud Trace Admin	Provides full access to the Trace console and read-write access to traces.	cloudtrace.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ cloudtrace.agent`	Cloud Trace Agent	For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace.	cloudtrace.traces.patch	Project
`roles/ cloudtrace.user`	Cloud Trace User	Provides full access to the Trace console and read access to traces.	cloudtrace.insights.* cloudtrace.stats.* cloudtrace.tasks.* cloudtrace.traces.get cloudtrace.traces.list resourcemanager.projects.get resourcemanager.projects.list	Project

Cloud Translation roles

Role	Title	Description	Permissions
`roles/ cloudtranslate.admin`	Cloud Translation API Admin ^Beta	Full access to all Cloud Translation resources	automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ cloudtranslate.editor`	Cloud Translation API Editor ^Beta	Editor of all Cloud Translation resources	automl.models.get automl.models.predict cloudtranslate.generalModels.batchPredict cloudtranslate.generalModels.get cloudtranslate.generalModels.predict cloudtranslate.glossaries.batchPredict cloudtranslate.glossaries.create cloudtranslate.glossaries.delete cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.glossaries.predict cloudtranslate.languageDetectionModels.predict cloudtranslate.locations.get cloudtranslate.locations.list cloudtranslate.operations.cancel cloudtranslate.operations.delete cloudtranslate.operations.get cloudtranslate.operations.list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list
`roles/ cloudtranslate.user`	Cloud Translation API User ^Beta	User of Cloud Translation and AutoML models	automl.models.get automl.models.predict cloudtranslate.generalModels.batchPredict cloudtranslate.generalModels.get cloudtranslate.generalModels.predict cloudtranslate.glossaries.batchPredict cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.glossaries.predict cloudtranslate.languageDetectionModels.predict cloudtranslate.locations.get cloudtranslate.locations.list cloudtranslate.operations.get cloudtranslate.operations.list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list
`roles/ cloudtranslate.viewer`	Cloud Translation API Viewer ^Beta	Viewer of all Translation resources	automl.models.get cloudtranslate.generalModels.get cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.locations.get cloudtranslate.locations.list cloudtranslate.operations.get cloudtranslate.operations.list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list

Codelab API Keys roles

Role	Title	Description	Permissions
`roles/ codelabapikeys.admin`	Codelab ApiKeys Admin ^Beta	Full access to API keys	resourcemanager.projects.get resourcemanager.projects.list
`roles/ codelabapikeys.editor`	Codelab API Keys Editor ^Beta	This role can view and edit all properties of API keys.	resourcemanager.projects.get resourcemanager.projects.list
`roles/ codelabapikeys.viewer`	Codelab API Keys Viewer ^Beta	This role can view all properties except change history of API keys.	resourcemanager.projects.get resourcemanager.projects.list

Cloud Composer roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ composer.admin`	Composer Administrator	Provides full control of Cloud Composer resources.	composer.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/ composer.environmentAndStorageObjectAdmin`	Environment and Storage Object Administrator	Provides full control of Cloud Composer resources and of the objects in all project buckets.	composer.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.*	Project
`roles/ composer.environmentAndStorageObjectViewer`	Environment User and Storage Object Viewer	Provides the permissions nessesary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets.	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list	Project
`roles/ composer.user`	Composer User	Provides the permissions necessary to list and get Cloud Composer environments and operations.	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/ composer.worker`	Composer Worker	Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.	cloudbuild.* container.* logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.*	Project

Compute Engine roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ compute.admin`	Compute Admin	Full control of all Compute Engine resources. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the `roles/iam.serviceAccountUser` role.	compute.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot ^Beta
`roles/ compute.imageUser`	Compute Image User	Permission to list and read images without having other permissions on the image. Granting the `compute.imageUser` role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.	compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Image^Beta
`roles/ compute.instanceAdmin`	Compute Instance Admin (beta)	Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM^BETA settings. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the `roles/iam.serviceAccountUser` role. For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Disk, image, instance, instanceTemplate, snapshot ^Beta
`roles/ compute.instanceAdmin.v1`	Compute Instance Admin (v1)	Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources. If you grant a user this role only at an instance level, then that user cannot create new instances.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/ compute.loadBalancerAdmin`	Compute Load Balancer Admin ^Beta	Permissions to create, modify, and delete load balancers and associate resources. For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant the load balancing team's group the `loadBalancerAdmin` role.	compute.addresses.* compute.backendBuckets.* compute.backendServices.* compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroups.* compute.instances.get compute.instances.list compute.instances.use compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.projects.get compute.regionBackendServices.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.urlMaps.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/ compute.networkAdmin`	Compute Network Admin	Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant the networking team's group the `networkAdmin` role.	compute.addresses.* compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.* compute.backendServices.* compute.firewalls.get compute.firewalls.list compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalOperations.get compute.globalOperations.list compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.get compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use compute.instances.get compute.instances.getGuestAttributes compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.instances.use compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.networkEndpointGroups.get compute.networkEndpointGroups.list compute.networkEndpointGroups.use compute.networks.* compute.projects.get compute.regionBackendServices.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/ compute.networkUser`	Compute Network User	Provides access to a shared VPC network Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.	compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.useInternal compute.firewalls.get compute.firewalls.list compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.interconnects.use compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetVpnGateways.get compute.targetVpnGateways.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnGateways.use compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/ compute.networkViewer`	Compute Network Viewer	Read-only access to all networking resources For example, if you have software that inspects your network configuration, you could grant that software's service account the `networkViewer` role.	compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.networks.get compute.networks.list compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/ compute.osAdminLogin`	Compute OS Admin Login	Access to log in to a Compute Engine instance as an administrator user.	compute.instances.get compute.instances.list compute.instances.osAdminLogin compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/ compute.osLogin`	Compute OS Login	Access to log in to a Compute Engine instance as a standard user.	compute.instances.get compute.instances.list compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/ compute.osLoginExternalUser`	Compute OS Login External User	Available only at the organization level. Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH.	compute.oslogin.*	Organization
`roles/ compute.securityAdmin`	Compute Security Admin	Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM^BETA settings. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant the security team's group the `securityAdmin` role.	compute.firewalls.* compute.globalOperations.get compute.globalOperations.list compute.instances.setShieldedInstanceIntegrityPolicy compute.instances.setShieldedVmIntegrityPolicy compute.instances.updateShieldedInstanceConfig compute.instances.updateShieldedVmConfig compute.networks.get compute.networks.list compute.networks.updatePolicy compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.routes.get compute.routes.list compute.securityPolicies.* compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/ compute.storageAdmin`	Compute Storage Admin	Permissions to create, modify, and delete disks, images, and snapshots. For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant their account the `storageAdmin` role on the project.	compute.diskTypes.* compute.disks.* compute.globalOperations.get compute.globalOperations.list compute.images.* compute.licenseCodes.* compute.licenses.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.resourcePolicies.* compute.snapshots.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Disk, image, snapshot ^Beta
`roles/ compute.viewer`	Compute Viewer	Read-only access to get and list Compute Engine resources, without being able to read the data stored on them. For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.list compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot ^Beta
`roles/ compute.xpnAdmin`	Compute Shared VPC Admin	Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network. This role can only be granted on the organization by an organization admin. Google Cloud Platform recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the `compute.networkUser` role to service owners, and the shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.	compute.globalOperations.get compute.globalOperations.list compute.organizations.* compute.projects.get compute.subnetworks.getIamPolicy compute.subnetworks.setIamPolicy resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list	Organization

Kubernetes Engine roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ container.admin`	Kubernetes Engine Admin	Provides access to full management of Container Clusters and their Kubernetes API objects.	container.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ container.clusterAdmin`	Kubernetes Engine Cluster Admin	Provides access to management of Container Clusters.	container.clusters.create container.clusters.delete container.clusters.get container.clusters.list container.clusters.update container.operations.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ container.clusterViewer`	Kubernetes Engine Cluster Viewer	Read-only access to Kubernetes Clusters.	container.clusters.get container.clusters.list resourcemanager.projects.get resourcemanager.projects.list
`roles/ container.developer`	Kubernetes Engine Developer	Provides full access to Kubernetes API objects inside Container Clusters.	container.apiServices.* container.backendConfigs.* container.bindings.* container.certificateSigningRequests.create container.certificateSigningRequests.delete container.certificateSigningRequests.get container.certificateSigningRequests.list container.certificateSigningRequests.update container.certificateSigningRequests.updateStatus container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.* container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.* container.customResourceDefinitions.* container.daemonSets.* container.deployments.* container.endpoints.* container.events.* container.horizontalPodAutoscalers.* container.ingresses.* container.initializerConfigurations.* container.jobs.* container.limitRanges.* container.localSubjectAccessReviews.* container.namespaces.* container.networkPolicies.* container.nodes.* container.persistentVolumeClaims.* container.persistentVolumes.* container.petSets.* container.podDisruptionBudgets.* container.podPresets.* container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.* container.pods.* container.replicaSets.* container.replicationControllers.* container.resourceQuotas.* container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.scheduledJobs.* container.secrets.* container.selfSubjectAccessReviews.* container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.subjectAccessReviews.* container.thirdPartyObjects.* container.thirdPartyResources.* container.tokenReviews.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ container.hostServiceAgentUser`	Kubernetes Engine Host Service Agent User	Use access of the Kubernetes Engine Host Service Agent.	compute.firewalls.get container.hostServiceAgent.*
`roles/ container.viewer`	Kubernetes Engine Viewer	Provides read-only access to GKE resources.	container.apiServices.get container.apiServices.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.list container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.customResourceDefinitions.get container.customResourceDefinitions.list container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.deployments.get container.deployments.getStatus container.deployments.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.limitRanges.get container.limitRanges.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.get container.pods.getStatus container.pods.list container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.scheduledJobs.get container.scheduledJobs.list container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.* resourcemanager.projects.get resourcemanager.projects.list	Project

Container Analysis roles

Role	Title	Description	Permissions
`roles/ containeranalysis.admin`	Container Analysis Admin ^Alpha	Access to all resources.	resourcemanager.projects.get resourcemanager.projects.list
`roles/ containeranalysis.notes.attacher`	Container Analysis Notes Attacher ^Alpha	Can attach occurrences to notes
`roles/ containeranalysis.notes.editor`	Container Analysis Notes Editor ^Alpha	Can edit container analysis notes	resourcemanager.projects.get resourcemanager.projects.list
`roles/ containeranalysis.notes.viewer`	Container Analysis Notes Viewer ^Alpha	Can view container analysis notes	resourcemanager.projects.get resourcemanager.projects.list
`roles/ containeranalysis.occurrences.editor`	Container Analysis Occurrences Editor ^Alpha	Can edit container analysis occurrences	resourcemanager.projects.get resourcemanager.projects.list
`roles/ containeranalysis.occurrences.viewer`	Container Analysis Occurrences Viewer ^Alpha	Can view container analysis occurrences	resourcemanager.projects.get resourcemanager.projects.list

Data Catalog roles

Role	Title	Description	Permissions
`roles/ datacatalog.admin`	Data Catalog Admin ^Beta	Full access to all DataCatalog resources	bigquery.datasets.get bigquery.datasets.updateTag bigquery.models.getMetadata bigquery.models.updateTag bigquery.tables.get bigquery.tables.updateTag datacatalog.* pubsub.topics.get pubsub.topics.updateTag resourcemanager.projects.get resourcemanager.projects.list
`roles/ datacatalog.tagTemplateCreator`	Data Catalog TagTemplate Creator ^Beta	Can create new tag templates	datacatalog.tagTemplates.create datacatalog.tagTemplates.get
`roles/ datacatalog.tagTemplateOwner`	Data Catalog TagTemplate Owner ^Beta	Full acess to tag templates	datacatalog.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ datacatalog.tagTemplateUser`	Data Catalog TagTemplate User ^Beta	Can use tag templates to tag resources	datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use resourcemanager.projects.get resourcemanager.projects.list
`roles/ datacatalog.tagTemplateViewer`	Data Catalog TagTemplate Viewer ^Beta	Read access to templates and tags created using the templates	datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag resourcemanager.projects.get resourcemanager.projects.list
`roles/ datacatalog.viewer`	Data Catalog Viewer ^Beta	View resources in DataCatalog	bigquery.datasets.get bigquery.models.getMetadata bigquery.tables.get datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag pubsub.topics.get resourcemanager.projects.get resourcemanager.projects.list

Dataflow roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ dataflow.admin`	Dataflow Admin	Minimal role for creating and managing dataflow jobs.	compute.machineTypes.get dataflow.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.get storage.objects.create storage.objects.get storage.objects.list
`roles/ dataflow.developer`	Dataflow Developer	Provides the permissions necessary to execute and manipulate Cloud Dataflow jobs.	dataflow.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ dataflow.viewer`	Dataflow Viewer	Provides read-only access to all Cloud Dataflow-related resources.	dataflow.jobs.get dataflow.jobs.list dataflow.messages.* dataflow.metrics.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ dataflow.worker`	Dataflow Worker	Provides the permissions necessary for a Compute Engine service account to execute work units for a Cloud Dataflow pipeline.	compute.instanceGroupManagers.update compute.instances.delete compute.instances.setDiskAutoDelete dataflow.jobs.get logging.logEntries.create storage.objects.create storage.objects.get	Project

Cloud Data Labeling roles

Role	Title	Description	Permissions
`roles/ datalabeling.admin`	DataLabeling Service Admin ^Beta	Full access to all DataLabeling resources	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ datalabeling.editor`	DataLabeling Service Editor ^Beta	Editor of all DataLabeling resources	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ datalabeling.viewer`	DataLabeling Service Viewer ^Beta	Viewer of all DataLabeling resources	datalabeling.annotateddatasets.get datalabeling.annotateddatasets.list datalabeling.annotationspecsets.get datalabeling.annotationspecsets.list datalabeling.dataitems.* datalabeling.datasets.get datalabeling.datasets.list datalabeling.examples.* datalabeling.instructions.get datalabeling.instructions.list datalabeling.operations.get datalabeling.operations.list resourcemanager.projects.get resourcemanager.projects.list

Dataprep roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ dataprep.projects.user`	Dataprep User ^Beta	Use of Dataprep.	dataprep.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Dataproc roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ dataproc.admin`	Dataproc Administrator	Full control of Dataproc resources.	compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.clusters.* dataproc.jobs.* dataproc.operations.* dataproc.workflowTemplates.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ dataproc.editor`	Dataproc Editor	Provides the permissions necessary for viewing the resources required to manage Cloud Dataproc, including machine types, networks, projects and zones.	compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.update dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update dataproc.operations.delete dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.create dataproc.workflowTemplates.delete dataproc.workflowTemplates.get dataproc.workflowTemplates.instantiate dataproc.workflowTemplates.instantiateInline dataproc.workflowTemplates.list dataproc.workflowTemplates.update resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ dataproc.viewer`	Dataproc Viewer	Provides read-only access to Cloud Dataproc resources.	compute.machineTypes.get compute.regions.* compute.zones.get dataproc.clusters.get dataproc.clusters.list dataproc.jobs.get dataproc.jobs.list dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.get dataproc.workflowTemplates.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ dataproc.worker`	Dataproc Worker	Worker access to Dataproc. Intended for service accounts.	dataproc.agents.* dataproc.tasks.* logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create storage.buckets.get storage.objects.*

Datastore roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ datastore.importExportAdmin`	Cloud Datastore Import Export Admin	Provides full access to manage imports and exports.	appengine.applications.get datastore.databases.export datastore.databases.import datastore.operations.cancel datastore.operations.get datastore.operations.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ datastore.indexAdmin`	Cloud Datastore Index Admin	Provides full access to manage index definitions.	appengine.applications.get datastore.indexes.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ datastore.owner`	Cloud Datastore Owner	Provides full access to Cloud Datastore resources.	appengine.applications.get datastore.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ datastore.user`	Cloud Datastore User	Provides read/write access to data in a Cloud Datastore database.	appengine.applications.get datastore.databases.get datastore.entities.* datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ datastore.viewer`	Cloud Datastore Viewer	Provides read access to Cloud Datastore resources.	appengine.applications.get datastore.databases.get datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list	Project

Deployment Manager roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ deploymentmanager.editor`	Deployment Manager Editor	Provides the permissions necessary to create and manage deployments.	deploymentmanager.compositeTypes.* deploymentmanager.deployments.cancelPreview deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.stop deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/ deploymentmanager.typeEditor`	Deployment Manager Type Editor	Provides read and write access to all Type Registry resources.	deploymentmanager.compositeTypes.* deploymentmanager.operations.get deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get	Project
`roles/ deploymentmanager.typeViewer`	Deployment Manager Type Viewer	Provides read-only access to all Type Registry resources.	deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get	Project
`roles/ deploymentmanager.viewer`	Deployment Manager Viewer	Provides read-only access to all Cloud Deployment Manager-related resources.	deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project

Dialogflow roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ dialogflow.admin`	Dialogflow API Admin	Full access to Dialogflow (API only) resources. Use the `roles/owner` or `roles/editor` primitive role for access to both API and Dialogflow console (commonly needed to create an agent from the Dialogflow console).	dialogflow.* resourcemanager.projects.get	Project
`roles/ dialogflow.client`	Dialogflow API Client	Client access to Dialogflow (API only) resources. This grants permission to detect intent and read/write session properties (contexts, session entity types, etc.).	dialogflow.contexts.* dialogflow.sessionEntityTypes.* dialogflow.sessions.*	Project
`roles/ dialogflow.consoleAgentEditor`	Dialogflow Console Agent Editor	Can edit agent in Dialogflow Console	dialogflow.* resourcemanager.projects.get
`roles/ dialogflow.reader`	Dialogflow API Reader	Read access to Dialogflow (API only) resources. Cannot detect intent. Use the `roles/viewer` primitive role for similar access to both API and Dialogflow console.	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.search dialogflow.contexts.get dialogflow.contexts.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.intents.get dialogflow.intents.list dialogflow.operations.* dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list resourcemanager.projects.get	Project

Cloud DLP roles

Role	Title	Description	Permissions
`roles/ dlp.admin`	DLP Administrator	Administer DLP including jobs and templates.	dlp.* serviceusage.services.use
`roles/ dlp.analyzeRiskTemplatesEditor`	DLP Analyze Risk Templates Editor	Edit DLP analyze risk templates.	dlp.analyzeRiskTemplates.*
`roles/ dlp.analyzeRiskTemplatesReader`	DLP Analyze Risk Templates Reader	Read DLP analyze risk templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list
`roles/ dlp.deidentifyTemplatesEditor`	DLP De-identify Templates Editor	Edit DLP de-identify templates.	dlp.deidentifyTemplates.*
`roles/ dlp.deidentifyTemplatesReader`	DLP De-identify Templates Reader	Read DLP de-identify templates.	dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list
`roles/ dlp.inspectTemplatesEditor`	DLP Inspect Templates Editor	Edit DLP inspect templates.	dlp.inspectTemplates.*
`roles/ dlp.inspectTemplatesReader`	DLP Inspect Templates Reader	Read DLP inspect templates.	dlp.inspectTemplates.get dlp.inspectTemplates.list
`roles/ dlp.jobTriggersEditor`	DLP Job Triggers Editor	Edit job triggers configurations.	dlp.jobTriggers.*
`roles/ dlp.jobTriggersReader`	DLP Job Triggers Reader	Read job triggers.	dlp.jobTriggers.get dlp.jobTriggers.list
`roles/ dlp.jobsEditor`	DLP Jobs Editor	Edit and create jobs	dlp.jobs.* dlp.kms.*
`roles/ dlp.jobsReader`	DLP Jobs Reader	Read jobs	dlp.jobs.get dlp.jobs.list
`roles/ dlp.reader`	DLP Reader	Read DLP entities, such as jobs and templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobTriggers.get dlp.jobTriggers.list dlp.jobs.get dlp.jobs.list dlp.storedInfoTypes.get dlp.storedInfoTypes.list
`roles/ dlp.storedInfoTypesEditor`	DLP Stored InfoTypes Editor	Edit DLP stored info types.	dlp.storedInfoTypes.*
`roles/ dlp.storedInfoTypesReader`	DLP Stored InfoTypes Reader	Read DLP stored info types.	dlp.storedInfoTypes.get dlp.storedInfoTypes.list
`roles/ dlp.user`	DLP User	Inspect, Redact, and De-identify Content	dlp.kms.* serviceusage.services.use

DNS roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ dns.admin`	DNS Administrator	Provides read-write access to all Cloud DNS resources.	compute.networks.get compute.networks.list dns.changes.* dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.* dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.list dns.policies.update dns.projects.* dns.resourceRecordSets.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ dns.peer`	DNS Peer ^Beta	Access to target networks with DNS peering zones	dns.networks.targetWithPeeringZone
`roles/ dns.reader`	DNS Reader	Provides read-only access to all Cloud DNS resources.	compute.networks.get dns.changes.get dns.changes.list dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.get dns.managedZones.list dns.policies.get dns.policies.list dns.projects.* dns.resourceRecordSets.list resourcemanager.projects.get resourcemanager.projects.list	Project

Endpoints roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ endpoints.portalAdmin`	Endpoints Portal Admin ^Beta	Provides all permissions needed to add, view, and delete custom domains on the Endpoints > Developer Portal page in the GCP Console. On a portal created for an API, provides the permission to change settings on the Site Wide tab on the Settings page.	endpoints.* resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get	Project

Error Reporting roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ errorreporting.admin`	Error Reporting Admin ^Beta	Provides full access to Error Reporting data.	cloudnotifications.* errorreporting.*	Project
`roles/ errorreporting.user`	Error Reporting User ^Beta	Provides the permissions to read and write Error Reporting data, except for sending new error events.	cloudnotifications.* errorreporting.applications.* errorreporting.errorEvents.delete errorreporting.errorEvents.list errorreporting.groupMetadata.* errorreporting.groups.*	Project
`roles/ errorreporting.viewer`	Error Reporting Viewer ^Beta	Provides read-only access to Error Reporting data.	cloudnotifications.* errorreporting.applications.* errorreporting.errorEvents.list errorreporting.groupMetadata.get errorreporting.groups.*	Project
`roles/ errorreporting.writer`	Errors Writer ^Beta	Provides the permissions to send error events to Error Reporting.	errorreporting.errorEvents.create	Service Account

Cloud Filestore roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ file.editor`	Cloud Filestore Editor ^Beta	Read-write access to Filestore instances and related resources.	file.*
`roles/ file.viewer`	Cloud Filestore Viewer ^Beta	Read-only access to Filestore instances and related resources.	file.instances.get file.instances.list file.locations.* file.operations.get file.operations.list file.snapshots.get file.snapshots.list

Firebase roles

Role	Title	Description	Permissions
`roles/ cloudtestservice.testAdmin`	Firebase Test Lab Admin	Full access to all Test Lab features	cloudtestservice.* cloudtoolresults.* firebase.billingPlans.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create storage.buckets.get storage.buckets.update storage.objects.create storage.objects.get storage.objects.list
`roles/ cloudtestservice.testViewer`	Firebase Test Lab Viewer	Read access to Test Lab features	cloudtestservice.environmentcatalog.* cloudtestservice.matrices.get cloudtoolresults.executions.get cloudtoolresults.executions.list cloudtoolresults.histories.get cloudtoolresults.histories.list cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
`roles/ firebase.admin`	Firebase Admin ^Beta	Full access to Firebase products.	appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig.clients.create clientauthconfig.clients.delete clientauthconfig.clients.get clientauthconfig.clients.list clientauthconfig.clients.update cloudconfig.* cloudfunctions.* cloudmessaging.* cloudnotifications.* cloudtestservice.* cloudtoolresults.* datastore.* errorreporting.groups.* firebase.* firebaseabt.* firebaseanalytics.* firebaseauth.* firebasecrash.* firebasecrashlytics.* firebasedatabase.* firebasedynamiclinks.* firebaseextensions.* firebasehosting.* firebaseinappmessaging.* firebaseml.* firebasenotifications.* firebaseperformance.* firebasepredictions.* firebaserules.* logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.apiKeys.get serviceusage.apiKeys.getProjectForKey serviceusage.apiKeys.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.*
`roles/ firebase.analyticsAdmin`	Firebase Analytics Admin ^Beta	Full access to Google Analytics for Firebase.	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebaseextensions.configs.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/ firebase.analyticsViewer`	Firebase Analytics Viewer ^Beta	Read access to Google Analytics for Firebase.	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseextensions.configs.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/ firebase.developAdmin`	Firebase Develop Admin ^Beta	Full access to Firebase Develop products and Analytics.	appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig.clients.get clientauthconfig.clients.list cloudfunctions.* cloudnotifications.* datastore.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebaseauth.* firebasedatabase.* firebaseextensions.configs.list firebasehosting.* firebaseml.* firebaserules.* logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.apiKeys.get serviceusage.apiKeys.getProjectForKey serviceusage.apiKeys.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.*
`roles/ firebase.developViewer`	Firebase Develop Viewer ^Beta	Read access to Firebase Develop products and Analytics.	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudnotifications.* datastore.databases.get datastore.databases.getIamPolicy datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.statistics.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseauth.configs.get firebaseauth.users.get firebasedatabase.instances.get firebasedatabase.instances.list firebaseextensions.configs.list firebasehosting.sites.get firebasehosting.sites.list firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list
`roles/ firebase.growthAdmin`	Firebase Grow Admin ^Beta	Full access to Firebase Grow products and Analytics.	clientauthconfig.clients.get clientauthconfig.clients.list cloudconfig.* cloudmessaging.* cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.* firebaseanalytics.* firebasedynamiclinks.* firebaseextensions.configs.list firebaseinappmessaging.* firebasenotifications.* firebasepredictions.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/ firebase.growthViewer`	Firebase Grow Viewer ^Beta	Read access to Firebase Grow products and Analytics.	cloudconfig.configs.get cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* firebaseextensions.configs.list firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list firebasenotifications.messages.get firebasenotifications.messages.list firebasepredictions.predictions.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/ firebase.qualityAdmin`	Firebase Quality Admin ^Beta	Full access to Firebase Quality products and Analytics.	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebasecrash.* firebasecrashlytics.* firebaseextensions.configs.list firebaseperformance.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/ firebase.qualityViewer`	Firebase Quality Viewer ^Beta	Read access to Firebase Quality products and Analytics.	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebasecrash.reports.* firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* firebaseextensions.configs.list firebaseperformance.data.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/ firebase.viewer`	Firebase Viewer ^Beta	Read-only access to Firebase products.	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudconfig.configs.get cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudnotifications.* cloudtestservice.environmentcatalog.* cloudtestservice.matrices.get cloudtoolresults.executions.get cloudtoolresults.executions.list cloudtoolresults.histories.get cloudtoolresults.histories.list cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list datastore.databases.get datastore.databases.getIamPolicy datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.statistics.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseauth.configs.get firebaseauth.users.get firebasecrash.reports.* firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* firebasedatabase.instances.get firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* firebaseextensions.configs.list firebasehosting.sites.get firebasehosting.sites.list firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebasenotifications.messages.get firebasenotifications.messages.list firebaseperformance.data.* firebasepredictions.predictions.list firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list

Firebase Crash Reporting roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ firebasecrash.symbolMappingsAdmin`	Firebase Crash Symbol Uploader	Full read/write access to symbol mapping file resources for Firebase Crash Reporting.	firebase.clients.get resourcemanager.projects.get

Genomics roles

Role	Title	Description	Permissions
`roles/ genomics.admin`	Genomics Admin	Full access to genomics datasets and operations.	genomics.*
`roles/ genomics.editor`	Genomics Editor	Access to read and edit genomics datasets and operations.	genomics.datasets.create genomics.datasets.delete genomics.datasets.get genomics.datasets.list genomics.datasets.update genomics.operations.*
`roles/ genomics.pipelinesRunner`	Genomics Pipelines Runner	Full access to operate on genomics pipelines.	genomics.operations.*
`roles/ genomics.viewer`	Genomics Viewer	Access to view genomics datasets and operations.	genomics.datasets.get genomics.datasets.list genomics.operations.get genomics.operations.list

Cloud Healthcare roles

Role	Title	Description	Permissions
`roles/ healthcare.annotationEditor`	Healthcare Annotation Editor ^Beta	Create, delete, update, read and list annotations.	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.annotationReader`	Healthcare Annotation Reader ^Beta	Read and list annotations in an Annotation store.	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.annotationStoreAdmin`	Healthcare Annotation Administrator ^Beta	Administer Annotation stores.	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.annotationStoreViewer`	Healthcare Annotation Store Viewer ^Beta	List Annotation Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.datasetAdmin`	Healthcare Dataset Administrator ^Beta	Administer Healthcare Datasets.	healthcare.datasets.* healthcare.operations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.datasetViewer`	Healthcare Dataset Viewer ^Beta	List the Healthcare Datasets in a project.	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.dicomEditor`	Healthcare DICOM Editor ^Beta	Edit DICOM images individually and in bulk.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebRead healthcare.dicomStores.dicomWebWrite healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.import healthcare.dicomStores.list healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.dicomStoreAdmin`	Healthcare DICOM Administrator ^Beta	Administer DICOM stores.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.create healthcare.dicomStores.delete healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.get healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.dicomStores.setIamPolicy healthcare.dicomStores.update healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.dicomStoreViewer`	Healthcare DICOM Store Viewer ^Beta	List DICOM Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.get healthcare.dicomStores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.dicomViewer`	Healthcare DICOM Viewer ^Beta	Retrieve DICOM images from a DICOM store.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebRead healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.fhirResourceEditor`	Healthcare FHIR Resource Editor ^Beta	Create, delete, update, read and search FHIR resources.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.create healthcare.fhirResources.delete healthcare.fhirResources.get healthcare.fhirResources.patch healthcare.fhirResources.update healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.fhirResourceReader`	Healthcare FHIR Resource Reader ^Beta	Read and search FHIR resources.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.get healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.fhirStoreAdmin`	Healthcare FHIR Administrator ^Beta	Administer FHIR resource stores.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.purge healthcare.fhirStores.create healthcare.fhirStores.delete healthcare.fhirStores.export healthcare.fhirStores.get healthcare.fhirStores.getIamPolicy healthcare.fhirStores.import healthcare.fhirStores.list healthcare.fhirStores.setIamPolicy healthcare.fhirStores.update healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.fhirStoreViewer`	Healthcare FHIR Store Viewer ^Beta	List FHIR Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirStores.get healthcare.fhirStores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.hl7V2Consumer`	Healthcare HL7v2 Message Consumer ^Beta	List and read HL7v2 messages, update message labels, and publish new messages.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.create healthcare.hl7V2Messages.get healthcare.hl7V2Messages.list healthcare.hl7V2Messages.update healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.hl7V2Editor`	Healthcare HL7v2 Message Editor ^Beta	Read, write, and delete access to HL7v2 messages.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.* healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.hl7V2Ingest`	Healthcare HL7v2 Message Ingest ^Beta	Ingest HL7v2 messages received from a source network.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.ingest healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.hl7V2StoreAdmin`	Healthcare HL7v2 Store Administrator ^Beta	Administer HL7v2 Stores.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ healthcare.hl7V2StoreViewer`	Healthcare HL7v2 Store Viewer ^Beta	View HL7v2 Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list

IAM roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ iam.securityAdmin`	Security Admin	Security admin role, with permissions to get and set any IAM policy.	accessapproval.requests.list accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.setIamPolicy accesscontextmanager.accessZones.list accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.setIamPolicy accesscontextmanager.servicePerimeters.list appengine.instances.list appengine.memcache.list appengine.operations.list appengine.services.list appengine.versions.list automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.list automl.datasets.getIamPolicy automl.datasets.list automl.datasets.setIamPolicy automl.examples.list automl.humanAnnotationTasks.list automl.locations.getIamPolicy automl.locations.list automl.locations.setIamPolicy automl.modelEvaluations.list automl.models.getIamPolicy automl.models.list automl.models.setIamPolicy automl.operations.list automl.tableSpecs.list automlrecommendations.apiKeys.list automlrecommendations.catalogItems.list automlrecommendations.catalogs.list automlrecommendations.events.list automlrecommendations.placements.list automlrecommendations.recommendations.* bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.setIamPolicy bigquery.datasets.getIamPolicy bigquery.datasets.setIamPolicy bigquery.jobs.list bigquery.models.list bigquery.routines.list bigquery.savedqueries.list bigquery.tables.list bigtable.appProfiles.list bigtable.clusters.list bigtable.instances.getIamPolicy bigtable.instances.list bigtable.instances.setIamPolicy bigtable.locations.* bigtable.tables.list billing.accounts.getIamPolicy billing.accounts.list billing.accounts.setIamPolicy billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.list binaryauthorization.attestors.getIamPolicy binaryauthorization.attestors.list binaryauthorization.attestors.setIamPolicy binaryauthorization.policy.getIamPolicy binaryauthorization.policy.setIamPolicy clientauthconfig.brands.list clientauthconfig.clients.list cloudbuild.builds.list clouddebugger.breakpoints.list clouddebugger.debuggees.list cloudfunctions.functions.getIamPolicy cloudfunctions.functions.list cloudfunctions.functions.setIamPolicy cloudfunctions.locations.* cloudfunctions.operations.list cloudiot.devices.list cloudiot.registries.getIamPolicy cloudiot.registries.list cloudiot.registries.setIamPolicy cloudjobdiscovery.companies.list cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.list cloudkms.cryptoKeys.setIamPolicy cloudkms.keyRings.getIamPolicy cloudkms.keyRings.list cloudkms.keyRings.setIamPolicy cloudnotifications.* cloudprivatecatalogproducer.associations.list cloudprivatecatalogproducer.catalogs.getIamPolicy cloudprivatecatalogproducer.catalogs.list cloudprivatecatalogproducer.catalogs.setIamPolicy cloudprofiler.profiles.list cloudscheduler.jobs.list cloudscheduler.locations.list cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.list cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.list cloudsql.backupRuns.list cloudsql.databases.list cloudsql.instances.list cloudsql.sslCerts.list cloudsql.users.list cloudsupport.accounts.getIamPolicy cloudsupport.accounts.list cloudsupport.accounts.setIamPolicy cloudtasks.locations.list cloudtasks.queues.getIamPolicy cloudtasks.queues.list cloudtasks.queues.setIamPolicy cloudtasks.tasks.list cloudtoolresults.executions.list cloudtoolresults.histories.list cloudtoolresults.steps.list cloudtrace.insights.list cloudtrace.tasks.list cloudtrace.traces.list cloudtranslate.generalModels.getIamPolicy cloudtranslate.generalModels.setIamPolicy cloudtranslate.glossaries.getIamPolicy cloudtranslate.glossaries.list cloudtranslate.glossaries.setIamPolicy cloudtranslate.languageDetectionModels.getIamPolicy cloudtranslate.languageDetectionModels.setIamPolicy cloudtranslate.locations.getIamPolicy cloudtranslate.locations.list cloudtranslate.locations.setIamPolicy cloudtranslate.operations.getIamPolicy cloudtranslate.operations.list cloudtranslate.operations.setIamPolicy composer.environments.list composer.imageversions.* composer.operations.list compute.acceleratorTypes.list compute.addresses.list compute.autoscalers.list compute.backendBuckets.list compute.backendServices.list compute.commitments.list compute.diskTypes.list compute.disks.getIamPolicy compute.disks.list compute.disks.setIamPolicy compute.firewalls.list compute.forwardingRules.list compute.globalAddresses.list compute.globalForwardingRules.list compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.healthChecks.list compute.httpHealthChecks.list compute.httpsHealthChecks.list compute.images.getIamPolicy compute.images.list compute.images.setIamPolicy compute.instanceGroupManagers.list compute.instanceGroups.list compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instanceTemplates.setIamPolicy compute.instances.getIamPolicy compute.instances.list compute.instances.setIamPolicy compute.interconnectAttachments.list compute.interconnectLocations.list compute.interconnects.list compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenseCodes.setIamPolicy compute.licenses.getIamPolicy compute.licenses.list compute.licenses.setIamPolicy compute.machineTypes.list compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.maintenancePolicies.setIamPolicy compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networkEndpointGroups.setIamPolicy compute.networks.list compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeGroups.setIamPolicy compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTemplates.setIamPolicy compute.nodeTypes.list compute.regionBackendServices.list compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionOperations.setIamPolicy compute.regions.list compute.reservations.list compute.resourcePolicies.list compute.routers.list compute.routes.list compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.securityPolicies.setIamPolicy compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.setIamPolicy compute.sslCertificates.list compute.sslPolicies.list compute.subnetworks.getIamPolicy compute.subnetworks.list compute.subnetworks.setIamPolicy compute.targetHttpProxies.list compute.targetHttpsProxies.list compute.targetInstances.list compute.targetPools.list compute.targetSslProxies.list compute.targetTcpProxies.list compute.targetVpnGateways.list compute.urlMaps.list compute.vpnGateways.list compute.vpnTunnels.list compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zoneOperations.setIamPolicy compute.zones.list container.apiServices.list container.backendConfigs.list container.bindings.list container.certificateSigningRequests.list container.clusterRoleBindings.list container.clusterRoles.list container.clusters.list container.componentStatuses.list container.configMaps.list container.controllerRevisions.list container.cronJobs.list container.customResourceDefinitions.list container.daemonSets.list container.deployments.list container.endpoints.list container.events.list container.horizontalPodAutoscalers.list container.ingresses.list container.initializerConfigurations.list container.jobs.list container.limitRanges.list container.localSubjectAccessReviews.list container.namespaces.list container.networkPolicies.list container.nodes.list container.operations.list container.persistentVolumeClaims.list container.persistentVolumes.list container.petSets.list container.podDisruptionBudgets.list container.podPresets.list container.podSecurityPolicies.list container.podTemplates.list container.pods.list container.replicaSets.list container.replicationControllers.list container.resourceQuotas.list container.roleBindings.list container.roles.list container.scheduledJobs.list container.secrets.list container.selfSubjectAccessReviews.list container.serviceAccounts.list container.services.list container.statefulSets.list container.storageClasses.list container.subjectAccessReviews.list container.thirdPartyObjects.list container.thirdPartyResources.list datacatalog.tagTemplates.getIamPolicy datacatalog.tagTemplates.setIamPolicy dataflow.jobs.list dataflow.messages.* datafusion.instances.getIamPolicy datafusion.instances.list datafusion.instances.setIamPolicy datafusion.locations.list datafusion.operations.list datalabeling.annotateddatasets.list datalabeling.annotationspecsets.list datalabeling.dataitems.list datalabeling.datasets.list datalabeling.examples.list datalabeling.instructions.list datalabeling.operations.list dataproc.agents.list dataproc.clusters.getIamPolicy dataproc.clusters.list dataproc.clusters.setIamPolicy dataproc.jobs.getIamPolicy dataproc.jobs.list dataproc.jobs.setIamPolicy dataproc.operations.getIamPolicy dataproc.operations.list dataproc.operations.setIamPolicy dataproc.workflowTemplates.getIamPolicy dataproc.workflowTemplates.list dataproc.workflowTemplates.setIamPolicy datastore.databases.getIamPolicy datastore.databases.list datastore.databases.setIamPolicy datastore.entities.list datastore.indexes.list datastore.locations.list datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.namespaces.setIamPolicy datastore.operations.list datastore.statistics.list deploymentmanager.compositeTypes.list deploymentmanager.deployments.getIamPolicy deploymentmanager.deployments.list deploymentmanager.deployments.setIamPolicy deploymentmanager.manifests.list deploymentmanager.operations.list deploymentmanager.resources.list deploymentmanager.typeProviders.list deploymentmanager.types.list dialogflow.contexts.list dialogflow.entityTypes.list dialogflow.intents.list dialogflow.sessionEntityTypes.list dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.list dlp.inspectTemplates.list dlp.jobTriggers.list dlp.jobs.list dlp.storedInfoTypes.list dns.changes.list dns.dnsKeys.list dns.managedZoneOperations.list dns.managedZones.list dns.policies.getIamPolicy dns.policies.list dns.policies.setIamPolicy dns.resourceRecordSets.list errorreporting.applications.* errorreporting.errorEvents.list errorreporting.groups.* file.instances.list file.locations.list file.operations.list file.snapshots.list firebase.links.list firebaseabt.experiments.list firebasecrashlytics.issues.list firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.list firebasedynamiclinks.links.list firebaseextensions.configs.list firebasehosting.sites.list firebaseinappmessaging.campaigns.list firebaseml.compressionjobs.list firebaseml.models.list firebaseml.modelversions.list firebasenotifications.messages.list firebasepredictions.predictions.list firebaserules.releases.list firebaserules.rulesets.list genomics.datasets.getIamPolicy genomics.datasets.list genomics.datasets.setIamPolicy genomics.operations.list healthcare.datasets.getIamPolicy healthcare.datasets.list healthcare.datasets.setIamPolicy healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.dicomStores.setIamPolicy healthcare.fhirStores.getIamPolicy healthcare.fhirStores.list healthcare.fhirStores.setIamPolicy healthcare.hl7V2Messages.list healthcare.hl7V2Stores.getIamPolicy healthcare.hl7V2Stores.list healthcare.hl7V2Stores.setIamPolicy healthcare.operations.list iam.roles.get iam.roles.list iam.serviceAccountKeys.list iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list iam.serviceAccounts.setIamPolicy iap.tunnel.* iap.tunnelInstances.getIamPolicy iap.tunnelInstances.setIamPolicy iap.tunnelZones.* iap.web.* iap.webServiceVersions.getIamPolicy iap.webServiceVersions.setIamPolicy iap.webServices.* iap.webTypes.* logging.exclusions.list logging.logEntries.list logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* logging.sinks.list managedidentities.domains.getIamPolicy managedidentities.domains.list managedidentities.domains.setIamPolicy managedidentities.locations.list managedidentities.operations.list ml.jobs.getIamPolicy ml.jobs.list ml.jobs.setIamPolicy ml.locations.list ml.models.getIamPolicy ml.models.list ml.models.setIamPolicy ml.operations.list ml.versions.list monitoring.alertPolicies.list monitoring.dashboards.list monitoring.groups.list monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.list monitoring.notificationChannelDescriptors.list monitoring.notificationChannels.list monitoring.publicWidgets.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.list proximitybeacon.attachments.list proximitybeacon.beacons.getIamPolicy proximitybeacon.beacons.list proximitybeacon.beacons.setIamPolicy proximitybeacon.namespaces.getIamPolicy proximitybeacon.namespaces.list proximitybeacon.namespaces.setIamPolicy pubsub.snapshots.getIamPolicy pubsub.snapshots.list pubsub.snapshots.setIamPolicy pubsub.subscriptions.getIamPolicy pubsub.subscriptions.list pubsub.subscriptions.setIamPolicy pubsub.topics.getIamPolicy pubsub.topics.list pubsub.topics.setIamPolicy redis.instances.list redis.locations.list redis.operations.list remotebuildexecution.instances.list remotebuildexecution.workerpools.list resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.folders.setIamPolicy resourcemanager.organizations.getIamPolicy resourcemanager.organizations.setIamPolicy resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.projects.setIamPolicy run.configurations.list run.locations.* run.revisions.list run.routes.list run.services.getIamPolicy run.services.list run.services.setIamPolicy runtimeconfig.configs.getIamPolicy runtimeconfig.configs.list runtimeconfig.configs.setIamPolicy runtimeconfig.operations.list runtimeconfig.variables.getIamPolicy runtimeconfig.variables.list runtimeconfig.variables.setIamPolicy runtimeconfig.waiters.getIamPolicy runtimeconfig.waiters.list runtimeconfig.waiters.setIamPolicy securitycenter.assets.list securitycenter.findings.list securitycenter.sources.getIamPolicy securitycenter.sources.list securitycenter.sources.setIamPolicy servicebroker.bindingoperations.list servicebroker.bindings.getIamPolicy servicebroker.bindings.list servicebroker.bindings.setIamPolicy servicebroker.catalogs.getIamPolicy servicebroker.catalogs.list servicebroker.catalogs.setIamPolicy servicebroker.instanceoperations.list servicebroker.instances.getIamPolicy servicebroker.instances.list servicebroker.instances.setIamPolicy serviceconsumermanagement.tenancyu.list servicemanagement.consumerSettings.getIamPolicy servicemanagement.consumerSettings.list servicemanagement.consumerSettings.setIamPolicy servicemanagement.services.getIamPolicy servicemanagement.services.list servicemanagement.services.setIamPolicy servicenetworking.operations.list serviceusage.apiKeys.list serviceusage.operations.list serviceusage.services.list source.repos.getIamPolicy source.repos.list source.repos.setIamPolicy spanner.databaseOperations.list spanner.databases.getIamPolicy spanner.databases.list spanner.databases.setIamPolicy spanner.instanceConfigs.list spanner.instanceOperations.list spanner.instances.getIamPolicy spanner.instances.list spanner.instances.setIamPolicy spanner.sessions.list storage.buckets.getIamPolicy storage.buckets.list storage.buckets.setIamPolicy storage.objects.getIamPolicy storage.objects.list storage.objects.setIamPolicy storagetransfer.jobs.list storagetransfer.operations.list tpu.acceleratortypes.list tpu.locations.list tpu.nodes.list tpu.operations.list tpu.tensorflowversions.list vpcaccess.connectors.list vpcaccess.locations.* vpcaccess.operations.list
`roles/ iam.securityReviewer`	Security Reviewer	Provides permissions to list all resources and Cloud IAM policies on them.	accessapproval.requests.list accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.list accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.list appengine.instances.list appengine.memcache.list appengine.operations.list appengine.services.list appengine.versions.list automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.list automl.datasets.getIamPolicy automl.datasets.list automl.examples.list automl.humanAnnotationTasks.list automl.locations.getIamPolicy automl.locations.list automl.modelEvaluations.list automl.models.getIamPolicy automl.models.list automl.operations.list automl.tableSpecs.list automlrecommendations.apiKeys.list automlrecommendations.catalogItems.list automlrecommendations.catalogs.list automlrecommendations.events.list automlrecommendations.placements.list automlrecommendations.recommendations.* bigquery.connections.getIamPolicy bigquery.connections.list bigquery.datasets.getIamPolicy bigquery.jobs.list bigquery.models.list bigquery.routines.list bigquery.savedqueries.list bigquery.tables.list bigtable.appProfiles.list bigtable.clusters.list bigtable.instances.getIamPolicy bigtable.instances.list bigtable.locations.* bigtable.tables.list billing.accounts.getIamPolicy billing.accounts.list billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.list binaryauthorization.attestors.getIamPolicy binaryauthorization.attestors.list binaryauthorization.policy.getIamPolicy clientauthconfig.brands.list clientauthconfig.clients.list cloudbuild.builds.list clouddebugger.breakpoints.list clouddebugger.debuggees.list cloudfunctions.functions.getIamPolicy cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.list cloudiot.devices.list cloudiot.registries.getIamPolicy cloudiot.registries.list cloudjobdiscovery.companies.list cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.list cloudkms.keyRings.getIamPolicy cloudkms.keyRings.list cloudnotifications.* cloudprivatecatalogproducer.associations.list cloudprivatecatalogproducer.catalogs.getIamPolicy cloudprivatecatalogproducer.catalogs.list cloudprofiler.profiles.list cloudscheduler.jobs.list cloudscheduler.locations.list cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.list cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.list cloudsql.backupRuns.list cloudsql.databases.list cloudsql.instances.list cloudsql.sslCerts.list cloudsql.users.list cloudsupport.accounts.getIamPolicy cloudsupport.accounts.list cloudtasks.locations.list cloudtasks.queues.getIamPolicy cloudtasks.queues.list cloudtasks.tasks.list cloudtoolresults.executions.list cloudtoolresults.histories.list cloudtoolresults.steps.list cloudtrace.insights.list cloudtrace.tasks.list cloudtrace.traces.list cloudtranslate.generalModels.getIamPolicy cloudtranslate.glossaries.getIamPolicy cloudtranslate.glossaries.list cloudtranslate.languageDetectionModels.getIamPolicy cloudtranslate.locations.getIamPolicy cloudtranslate.locations.list cloudtranslate.operations.getIamPolicy cloudtranslate.operations.list composer.environments.list composer.imageversions.* composer.operations.list compute.acceleratorTypes.list compute.addresses.list compute.autoscalers.list compute.backendBuckets.list compute.backendServices.list compute.commitments.list compute.diskTypes.list compute.disks.getIamPolicy compute.disks.list compute.firewalls.list compute.forwardingRules.list compute.globalAddresses.list compute.globalForwardingRules.list compute.globalOperations.getIamPolicy compute.globalOperations.list compute.healthChecks.list compute.httpHealthChecks.list compute.httpsHealthChecks.list compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.list compute.instanceGroups.list compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.getIamPolicy compute.instances.list compute.interconnectAttachments.list compute.interconnectLocations.list compute.interconnects.list compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.getIamPolicy compute.licenses.list compute.machineTypes.list compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.list compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.list compute.regionBackendServices.list compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.list compute.reservations.list compute.resourcePolicies.list compute.routers.list compute.routes.list compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.list compute.sslPolicies.list compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.list compute.targetHttpsProxies.list compute.targetInstances.list compute.targetPools.list compute.targetSslProxies.list compute.targetTcpProxies.list compute.targetVpnGateways.list compute.urlMaps.list compute.vpnGateways.list compute.vpnTunnels.list compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.list container.apiServices.list container.backendConfigs.list container.bindings.list container.certificateSigningRequests.list container.clusterRoleBindings.list container.clusterRoles.list container.clusters.list container.componentStatuses.list container.configMaps.list container.controllerRevisions.list container.cronJobs.list container.customResourceDefinitions.list container.daemonSets.list container.deployments.list container.endpoints.list container.events.list container.horizontalPodAutoscalers.list container.ingresses.list container.initializerConfigurations.list container.jobs.list container.limitRanges.list container.localSubjectAccessReviews.list container.namespaces.list container.networkPolicies.list container.nodes.list container.operations.list container.persistentVolumeClaims.list container.persistentVolumes.list container.petSets.list container.podDisruptionBudgets.list container.podPresets.list container.podSecurityPolicies.list container.podTemplates.list container.pods.list container.replicaSets.list container.replicationControllers.list container.resourceQuotas.list container.roleBindings.list container.roles.list container.scheduledJobs.list container.secrets.list container.selfSubjectAccessReviews.list container.serviceAccounts.list container.services.list container.statefulSets.list container.storageClasses.list container.subjectAccessReviews.list container.thirdPartyObjects.list container.thirdPartyResources.list datacatalog.tagTemplates.getIamPolicy dataflow.jobs.list dataflow.messages.* datafusion.instances.getIamPolicy datafusion.instances.list datafusion.locations.list datafusion.operations.list datalabeling.annotateddatasets.list datalabeling.annotationspecsets.list datalabeling.dataitems.list datalabeling.datasets.list datalabeling.examples.list datalabeling.instructions.list datalabeling.operations.list dataproc.agents.list dataproc.clusters.getIamPolicy dataproc.clusters.list dataproc.jobs.getIamPolicy dataproc.jobs.list dataproc.operations.getIamPolicy dataproc.operations.list dataproc.workflowTemplates.getIamPolicy dataproc.workflowTemplates.list datastore.databases.getIamPolicy datastore.databases.list datastore.entities.list datastore.indexes.list datastore.locations.list datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.operations.list datastore.statistics.list deploymentmanager.compositeTypes.list deploymentmanager.deployments.getIamPolicy deploymentmanager.deployments.list deploymentmanager.manifests.list deploymentmanager.operations.list deploymentmanager.resources.list deploymentmanager.typeProviders.list deploymentmanager.types.list dialogflow.contexts.list dialogflow.entityTypes.list dialogflow.intents.list dialogflow.sessionEntityTypes.list dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.list dlp.inspectTemplates.list dlp.jobTriggers.list dlp.jobs.list dlp.storedInfoTypes.list dns.changes.list dns.dnsKeys.list dns.managedZoneOperations.list dns.managedZones.list dns.policies.getIamPolicy dns.policies.list dns.resourceRecordSets.list errorreporting.applications.* errorreporting.errorEvents.list errorreporting.groups.* file.instances.list file.locations.list file.operations.list file.snapshots.list firebase.links.list firebaseabt.experiments.list firebasecrashlytics.issues.list firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.list firebasedynamiclinks.links.list firebaseextensions.configs.list firebasehosting.sites.list firebaseinappmessaging.campaigns.list firebaseml.compressionjobs.list firebaseml.models.list firebaseml.modelversions.list firebasenotifications.messages.list firebasepredictions.predictions.list firebaserules.releases.list firebaserules.rulesets.list genomics.datasets.getIamPolicy genomics.datasets.list genomics.operations.list healthcare.datasets.getIamPolicy healthcare.datasets.list healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.fhirStores.getIamPolicy healthcare.fhirStores.list healthcare.hl7V2Messages.list healthcare.hl7V2Stores.getIamPolicy healthcare.hl7V2Stores.list healthcare.operations.list iam.roles.get iam.roles.list iam.serviceAccountKeys.list iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list iap.tunnel.getIamPolicy iap.tunnelInstances.getIamPolicy iap.tunnelZones.getIamPolicy iap.web.getIamPolicy iap.webServiceVersions.getIamPolicy iap.webServices.getIamPolicy iap.webTypes.getIamPolicy logging.exclusions.list logging.logEntries.list logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* logging.sinks.list managedidentities.domains.getIamPolicy managedidentities.domains.list managedidentities.locations.list managedidentities.operations.list ml.jobs.getIamPolicy ml.jobs.list ml.locations.list ml.models.getIamPolicy ml.models.list ml.operations.list ml.versions.list monitoring.alertPolicies.list monitoring.dashboards.list monitoring.groups.list monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.list monitoring.notificationChannelDescriptors.list monitoring.notificationChannels.list monitoring.publicWidgets.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.list proximitybeacon.attachments.list proximitybeacon.beacons.getIamPolicy proximitybeacon.beacons.list proximitybeacon.namespaces.getIamPolicy proximitybeacon.namespaces.list pubsub.snapshots.getIamPolicy pubsub.snapshots.list pubsub.subscriptions.getIamPolicy pubsub.subscriptions.list pubsub.topics.getIamPolicy pubsub.topics.list redis.instances.list redis.locations.list redis.operations.list remotebuildexecution.instances.list remotebuildexecution.workerpools.list resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.organizations.getIamPolicy resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.configurations.list run.locations.* run.revisions.list run.routes.list run.services.getIamPolicy run.services.list runtimeconfig.configs.getIamPolicy runtimeconfig.configs.list runtimeconfig.operations.list runtimeconfig.variables.getIamPolicy runtimeconfig.variables.list runtimeconfig.waiters.getIamPolicy runtimeconfig.waiters.list securitycenter.assets.list securitycenter.findings.list securitycenter.sources.getIamPolicy securitycenter.sources.list servicebroker.bindingoperations.list servicebroker.bindings.getIamPolicy servicebroker.bindings.list servicebroker.catalogs.getIamPolicy servicebroker.catalogs.list servicebroker.instanceoperations.list servicebroker.instances.getIamPolicy servicebroker.instances.list serviceconsumermanagement.tenancyu.list servicemanagement.consumerSettings.getIamPolicy servicemanagement.consumerSettings.list servicemanagement.services.getIamPolicy servicemanagement.services.list servicenetworking.operations.list serviceusage.apiKeys.list serviceusage.operations.list serviceusage.services.list source.repos.getIamPolicy source.repos.list spanner.databaseOperations.list spanner.databases.getIamPolicy spanner.databases.list spanner.instanceConfigs.list spanner.instanceOperations.list spanner.instances.getIamPolicy spanner.instances.list spanner.sessions.list storage.buckets.getIamPolicy storage.buckets.list storage.objects.getIamPolicy storage.objects.list storagetransfer.jobs.list storagetransfer.operations.list tpu.acceleratortypes.list tpu.locations.list tpu.nodes.list tpu.operations.list tpu.tensorflowversions.list vpcaccess.connectors.list vpcaccess.locations.* vpcaccess.operations.list	Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot ^Beta

Roles roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ iam.organizationRoleAdmin`	Organization Role Administrator	Provides access to administer all custom roles in the organization and the projects below it.	iam.roles.* resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list	Organization
`roles/ iam.organizationRoleViewer`	Organization Role Viewer	Provides read access to all custom roles in the organization and the projects below it.	iam.roles.get iam.roles.list resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list	Project
`roles/ iam.roleAdmin`	Role Administrator	Provides access to all custom roles in the project.	iam.roles.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy	Project
`roles/ iam.roleViewer`	Role Viewer	Provides read access to all custom roles in the project.	iam.roles.get iam.roles.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy	Project

Service Accounts roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ iam.serviceAccountAdmin`	Service Account Admin	Create and manage service accounts.	iam.serviceAccounts.create iam.serviceAccounts.delete iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list iam.serviceAccounts.setIamPolicy iam.serviceAccounts.update resourcemanager.projects.get resourcemanager.projects.list	Service Account
`roles/ iam.serviceAccountCreator`	Create Service Accounts	Access to create service accounts.	iam.serviceAccounts.create iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
`roles/ iam.serviceAccountDeleter`	Delete Service Accounts	Access to delete service accounts.	iam.serviceAccounts.delete iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
`roles/ iam.serviceAccountKeyAdmin`	Service Account Key Admin	Create and manage (and rotate) service account keys.	iam.serviceAccountKeys.* iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list	Service Account
`roles/ iam.serviceAccountTokenCreator`	Service Account Token Creator	Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).	iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.implicitDelegation iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt resourcemanager.projects.get resourcemanager.projects.list	Service Account
`roles/ iam.serviceAccountUser`	Service Account User	Run operations as the service account.	iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list	Service Account
`roles/ iam.workloadIdentityUser`	Workload Identity User	Impersonate service accounts from GKE Workloads	iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.list

Logging roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ logging.admin`	Logging Admin	Provides all permissions necessary to use all features of Stackdriver Logging.	logging.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ logging.configWriter`	Logs Configuration Writer	Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs.	logging.exclusions.* logging.logMetrics.* logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/ logging.logWriter`	Logs Writer	Provides the permissions to write log entries.	logging.logEntries.create	Project
`roles/ logging.privateLogViewer`	Private Logs Viewer	Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs.	logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* logging.sinks.get logging.sinks.list logging.usage.* resourcemanager.projects.get	Project
`roles/ logging.viewer`	Logs Viewer	Provides access to view logs.	logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.get logging.sinks.list logging.usage.* resourcemanager.projects.get	Project

Cloud Managed Identities roles

Role	Title	Description	Permissions
`roles/ managedidentities.admin`	Google Cloud Managed Identities Admin ^Beta	Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level.	managedidentities.* resourcemanager.projects.get resourcemanager.projects.list
`roles/ managedidentities.domainAdmin`	Google Cloud Managed Identities Domain Admin ^Beta	Read-Update-Delete to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level.	managedidentities.domains.attachTrust managedidentities.domains.delete managedidentities.domains.detachTrust managedidentities.domains.get managedidentities.domains.getIamPolicy managedidentities.domains.reconfigureTrust managedidentities.domains.resetpassword managedidentities.domains.update managedidentities.domains.validateTrust managedidentities.locations.* managedidentities.operations.get managedidentities.operations.list resourcemanager.projects.get resourcemanager.projects.list
`roles/ managedidentities.viewer`	Google Cloud Managed Identities Viewer ^Beta	Read-only access to Google Cloud Managed Identities Domains and related resources.	managedidentities.domains.get managedidentities.domains.getIamPolicy managedidentities.domains.list managedidentities.locations.* managedidentities.operations.get managedidentities.operations.list resourcemanager.projects.get resourcemanager.projects.list

Machine Learning Engine roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ ml.admin`	ML Engine Admin	Provides full access to AI Platform resources, and its jobs, operations, models, and versions.	ml.* resourcemanager.projects.get	Project
`roles/ ml.developer`	ML Engine Developer	Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests.	ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.* ml.models.create ml.models.get ml.models.getIamPolicy ml.models.list ml.models.predict ml.operations.get ml.operations.list ml.projects.* ml.versions.get ml.versions.list ml.versions.predict resourcemanager.projects.get	Project
`roles/ ml.jobOwner`	ML Engine Job Owner	Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job.	ml.jobs.*	Job
`roles/ ml.modelOwner`	ML Engine Model Owner	Provides full access to the model and its versions. This role is automatically granted to the user who creates the model.	ml.models.* ml.versions.*	Model
`roles/ ml.modelUser`	ML Engine Model User	Provides permissions to read the model and its versions, and use them for prediction.	ml.models.get ml.models.predict ml.versions.get ml.versions.list ml.versions.predict	Model
`roles/ ml.operationOwner`	ML Engine Operation Owner	Provides full access to all permissions for a particular operation resource.	ml.operations.*	Operation
`roles/ ml.viewer`	ML Engine Viewer	Provides read-only access to AI Platform resources.	ml.jobs.get ml.jobs.list ml.locations.* ml.models.get ml.models.list ml.operations.get ml.operations.list ml.projects.* ml.versions.get ml.versions.list resourcemanager.projects.get	Project

Monitoring roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ monitoring.admin`	Monitoring Admin	Provides the same access as `roles/monitoring.editor`.	cloudnotifications.* monitoring.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.*	Project
`roles/ monitoring.alertPolicyEditor`	Monitoring AlertPolicy Editor ^Beta	Read/write access to alerting policies.	monitoring.alertPolicies.*
`roles/ monitoring.alertPolicyViewer`	Monitoring AlertPolicy Viewer ^Beta	Read-only access to alerting policies.	monitoring.alertPolicies.get monitoring.alertPolicies.list
`roles/ monitoring.editor`	Monitoring Editor	Provides full access to information about all monitoring data and configurations.	cloudnotifications.* monitoring.alertPolicies.* monitoring.dashboards.* monitoring.groups.* monitoring.metricDescriptors.* monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.create monitoring.notificationChannels.delete monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.notificationChannels.sendVerificationCode monitoring.notificationChannels.update monitoring.notificationChannels.verify monitoring.publicWidgets.* monitoring.timeSeries.* monitoring.uptimeCheckConfigs.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.*	Project
`roles/ monitoring.metricWriter`	Monitoring Metric Writer	Provides write-only access to metrics. This provides exactly the permissions needed by the Stackdriver agent and other systems that send metrics.	monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create	Project
`roles/ monitoring.notificationChannelEditor`	Monitoring NotificationChannel Editor ^Beta	Read/write access to notification channels.	monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.create monitoring.notificationChannels.delete monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.notificationChannels.sendVerificationCode monitoring.notificationChannels.update monitoring.notificationChannels.verify
`roles/ monitoring.notificationChannelViewer`	Monitoring NotificationChannel Viewer ^Beta	Read-only access to notification channels.	monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list
`roles/ monitoring.uptimeCheckConfigEditor`	Monitoring Uptime Check Configuration Editor ^Beta	Read/write access to uptime check configurations.	monitoring.uptimeCheckConfigs.*
`roles/ monitoring.uptimeCheckConfigViewer`	Monitoring Uptime Check Configuration Viewer ^Beta	Read-only access to uptime check configurations.	monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list
`roles/ monitoring.viewer`	Monitoring Viewer	Provides read-only access to get and list information about all monitoring data and configurations.	cloudnotifications.* monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get	Project

Organization Policy roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ axt.admin`	Access Transparency Admin	Enable Access Transparency for Organization	axt.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ orgpolicy.policyAdmin`	Organization Policy Administrator	Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies.	orgpolicy.*	Organization
`roles/ orgpolicy.policyViewer`	Organization Policy Viewer	Provides access to view Organization Policies on resources.	orgpolicy.policy.get	Organization

Other roles

Role	Title	Description	Permissions
`roles/ accesscontextmanager.policyAdmin`	Access Context Manager Admin	Full access to policies, access levels, and access zones	accesscontextmanager.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ accesscontextmanager.policyEditor`	Access Context Manager Editor	Edit access to policies. Create, edit, and change access levels and access zones.	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.create accesscontextmanager.accessPolicies.delete accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.update accesscontextmanager.accessZones.* accesscontextmanager.policies.create accesscontextmanager.policies.delete accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.update accesscontextmanager.servicePerimeters.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ accesscontextmanager.policyReader`	Access Context Manager Reader	Read access to policies, access levels, and access zones.	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.get accesscontextmanager.accessZones.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/ mobilecrashreporting.symbolMappingsAdmin`	Firebase Crash Symbol Uploader (Deprecated)	Full read/write access to symbol mapping file resources for Firebase Crash Reporting.Deprecated in favor of firebasecrash.symbolMappingsAdmin	firebase.clients.get resourcemanager.projects.get
`roles/ remotebuildexecution.actionCacheWriter`	Remote Build Execution Action Cache Writer ^Beta	Remote Build Execution Action Cache Writer	remotebuildexecution.actions.set remotebuildexecution.blobs.create
`roles/ remotebuildexecution.artifactAdmin`	Remote Build Execution Artifact Admin ^Beta	Remote Build Execution Artifact Admin	remotebuildexecution.actions.create remotebuildexecution.actions.get remotebuildexecution.blobs.* remotebuildexecution.logstreams.*
`roles/ remotebuildexecution.artifactCreator`	Remote Build Execution Artifact Creator ^Beta	Remote Build Execution Artifact Creator	remotebuildexecution.actions.create remotebuildexecution.actions.get remotebuildexecution.blobs.* remotebuildexecution.logstreams.*
`roles/ remotebuildexecution.artifactViewer`	Remote Build Execution Artifact Viewer ^Beta	Remote Build Execution Artifact Viewer	remotebuildexecution.actions.get remotebuildexecution.blobs.get remotebuildexecution.logstreams.get
`roles/ remotebuildexecution.configurationAdmin`	Remote Build Execution Configuration Admin ^Beta	Remote Build Execution Configuration Admin	remotebuildexecution.instances.* remotebuildexecution.workerpools.*
`roles/ remotebuildexecution.configurationViewer`	Remote Build Execution Configuration Viewer ^Beta	Remote Build Execution Configuration Viewer	remotebuildexecution.instances.get remotebuildexecution.instances.list remotebuildexecution.workerpools.get remotebuildexecution.workerpools.list
`roles/ remotebuildexecution.logstreamWriter`	Remote Build Execution Logstream Writer ^Beta	Remote Build Execution Logstream Writer	remotebuildexecution.logstreams.create remotebuildexecution.logstreams.update
`roles/ remotebuildexecution.worker`	Remote Build Execution Worker ^Beta	Remote Build Execution Worker	remotebuildexecution.actions.update remotebuildexecution.blobs.* remotebuildexecution.botsessions.* remotebuildexecution.logstreams.create remotebuildexecution.logstreams.update
`roles/ resourcemanager.organizationCreator`	Organization Creator	Access to create and list organizations.
`roles/ runtimeconfig.admin`	Cloud RuntimeConfig Admin	Full access to RuntimeConfig resources.	runtimeconfig.*
`roles/ subscribewithgoogledeveloper.developer`	Subscribe with Google Developer ^Beta	Access DevTools for Subscribe with Google	resourcemanager.projects.get resourcemanager.projects.list subscribewithgoogledeveloper.*

Project roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ browser`	Browser	Read access to browse the hierarchy for a project, including the folder, organization, and Cloud IAM policy. This role doesn't include permission to view resources in the project.	resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list	Project

Proximity Beacon roles

Role	Title	Description	Permissions
`roles/ proximitybeacon.attachmentEditor`	Beacon Attachment Editor	Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces.	proximitybeacon.attachments.* proximitybeacon.beacons.get proximitybeacon.beacons.list proximitybeacon.namespaces.list resourcemanager.projects.get resourcemanager.projects.list
`roles/ proximitybeacon.attachmentPublisher`	Beacon Attachment Publisher	Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project.	proximitybeacon.beacons.attach proximitybeacon.beacons.get proximitybeacon.beacons.list resourcemanager.projects.get resourcemanager.projects.list
`roles/ proximitybeacon.attachmentViewer`	Beacon Attachment Viewer	Can view all attachments under a namespace; no beacon or namespace permissions.	proximitybeacon.attachments.get proximitybeacon.attachments.list resourcemanager.projects.get resourcemanager.projects.list
`roles/ proximitybeacon.beaconEditor`	Beacon Editor	Necessary access to register, modify, and view beacons; no attachment or namespace permissions.	proximitybeacon.beacons.create proximitybeacon.beacons.get proximitybeacon.beacons.list proximitybeacon.beacons.update resourcemanager.projects.get resourcemanager.projects.list

Pub/Sub roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ pubsub.admin`	Pub/Sub Admin	Provides full access to topics and subscriptions.	pubsub.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Topic
`roles/ pubsub.editor`	Pub/Sub Editor	Provides access to modify topics and subscriptions, and access to publish and consume messages.	pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Topic
`roles/ pubsub.publisher`	Pub/Sub Publisher	Provides access to publish messages to a topic.	pubsub.topics.publish	Topic
`roles/ pubsub.subscriber`	Pub/Sub Subscriber	Provides access to consume messages from a subscription and to attach subscriptions to a topic.	pubsub.snapshots.seek pubsub.subscriptions.consume pubsub.topics.attachSubscription	Topic
`roles/ pubsub.viewer`	Pub/Sub Viewer	Provides access to view topics and subscriptions.	pubsub.snapshots.get pubsub.snapshots.list pubsub.subscriptions.get pubsub.subscriptions.list pubsub.topics.get pubsub.topics.list resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Topic

Recommendations AI roles

Role	Title	Description	Permissions
`roles/ automlrecommendations.admin`	Recommendations AI Admin ^Beta	Full access to all Recommendations AI resources.	automlrecommendations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/ automlrecommendations.adminViewer`	Recommendations AI Admin Viewer ^Beta	Viewer of all Recommendations AI resources.	automlrecommendations.apiKeys.list automlrecommendations.catalogItems.get automlrecommendations.catalogItems.list automlrecommendations.catalogs.* automlrecommendations.eventStores.* automlrecommendations.events.list automlrecommendations.placements.* automlrecommendations.recommendations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/ automlrecommendations.editor`	Recommendations AI Editor ^Beta	Editor of all Recommendations AI resources.	automlrecommendations.apiKeys.create automlrecommendations.apiKeys.list automlrecommendations.catalogItems.* automlrecommendations.catalogs.* automlrecommendations.eventStores.* automlrecommendations.events.create automlrecommendations.events.list automlrecommendations.placements.* automlrecommendations.recommendations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/ automlrecommendations.viewer`	Recommendations AI Viewer ^Beta	Viewer of all Recommendations AI resources.	automlrecommendations.catalogItems.get automlrecommendations.catalogItems.list automlrecommendations.catalogs.* automlrecommendations.eventStores.* automlrecommendations.events.list automlrecommendations.placements.* automlrecommendations.recommendations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list

Memorystore Redis roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ redis.admin`	Cloud Memorystore Redis Admin ^Beta	Full control for all Cloud Memorystore resources.	compute.networks.list redis.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use	Instance
`roles/ redis.editor`	Cloud Memorystore Redis Editor ^Beta	Manage Cloud Memorystore instances. Can't create or delete instances.	compute.networks.list redis.instances.get redis.instances.list redis.instances.update redis.locations.* redis.operations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use	Instance
`roles/ redis.viewer`	Cloud Memorystore Redis Viewer ^Beta	Read-only access to all Cloud Memorystore resources.	redis.instances.get redis.instances.list redis.locations.* redis.operations.get redis.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use	Instance

Resource Manager roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ resourcemanager.folderAdmin`	Folder Admin	Provides all available permissions for working with folders.	orgpolicy.policy.get resourcemanager.folders.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.projects.move resourcemanager.projects.setIamPolicy	Folder
`roles/ resourcemanager.folderCreator`	Folder Creator	Provides permissions needed to browse the hierarchy and create folders.	orgpolicy.policy.get resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.projects.get resourcemanager.projects.list	Folder
`roles/ resourcemanager.folderEditor`	Folder Editor	Provides permission to modify folders as well as to view a folder's Cloud IAM policy.	orgpolicy.policy.get resourcemanager.folders.delete resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.folders.undelete resourcemanager.folders.update resourcemanager.projects.get resourcemanager.projects.list	Folder
`roles/ resourcemanager.folderIamAdmin`	Folder IAM Admin	Provides permissions to administer Cloud IAM policies on folders.	resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.setIamPolicy	Folder
`roles/ resourcemanager.folderMover`	Folder Mover	Provides permission to move projects and folders into and out of a parent Organization or folder.	resourcemanager.folders.move resourcemanager.projects.move	Folder
`roles/ resourcemanager.folderViewer`	Folder Viewer	Provides permission to get a folder and list the folders and projects below a resource.	orgpolicy.policy.get resourcemanager.folders.get resourcemanager.folders.list resourcemanager.projects.get resourcemanager.projects.list	Folder
`roles/ resourcemanager.lienModifier`	Project Lien Modifier	Provides access to modify Liens on projects.	resourcemanager.projects.updateLiens	Project
`roles/ resourcemanager.organizationAdmin`	Organization Administrator	Access to administer all resources belonging to the organization.	orgpolicy.policy.get resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.folders.setIamPolicy resourcemanager.organizations.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.projects.setIamPolicy
`roles/ resourcemanager.organizationViewer`	Organization Viewer	Provides access to view an organization.	resourcemanager.organizations.get	Organization
`roles/ resourcemanager.projectCreator`	Project Creator	Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project.	resourcemanager.organizations.get resourcemanager.projects.create	Folder
`roles/ resourcemanager.projectDeleter`	Project Deleter	Provides access to delete GCP projects.	resourcemanager.projects.delete	Folder
`roles/ resourcemanager.projectIamAdmin`	Project IAM Admin	Provides permissions to administer Cloud IAM policies on projects.	resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.setIamPolicy	Project
`roles/ resourcemanager.projectMover`	Project Mover	Provides access to update and move projects.	resourcemanager.projects.get resourcemanager.projects.move resourcemanager.projects.update	Project

Cloud Run roles

Role	Title	Description	Permissions
`roles/ run.admin`	Cloud Run Admin ^Beta	Full control over all Cloud Run resources.	resourcemanager.projects.get resourcemanager.projects.list run.*
`roles/ run.invoker`	Cloud Run Invoker ^Beta	Can invoke a Cloud Run service.	run.routes.invoke
`roles/ run.viewer`	Cloud Run Viewer ^Beta	Can view the state of all Cloud Run resources, including IAM policies.	resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.locations.* run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list

Security Center roles

Role	Title	Description	Permissions
`roles/ securitycenter.admin`	Security Center Admin	Admin(super user) access to security center	resourcemanager.organizations.get securitycenter.*
`roles/ securitycenter.adminEditor`	Security Center Admin Editor	Admin Read-write access to security center	resourcemanager.organizations.get securitycenter.assets.* securitycenter.assetsecuritymarks.* securitycenter.findings.* securitycenter.findingsecuritymarks.* securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update
`roles/ securitycenter.adminViewer`	Security Center Admin Viewer	Admin Read access to security center	resourcemanager.organizations.get securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.sources.get securitycenter.sources.list
`roles/ securitycenter.assetSecurityMarksWriter`	Security Center Asset Security Marks Writer	Write access to asset security marks	securitycenter.assetsecuritymarks.*
`roles/ securitycenter.assetsDiscoveryRunner`	Security Center Assets Discovery Runner	Run asset discovery access to assets	securitycenter.assets.runDiscovery
`roles/ securitycenter.assetsViewer`	Security Center Assets Viewer	Read access to assets	resourcemanager.organizations.get securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames
`roles/ securitycenter.findingSecurityMarksWriter`	Security Center Finding Security Marks Writer	Write access to finding security marks	securitycenter.findingsecuritymarks.*
`roles/ securitycenter.findingsEditor`	Security Center Findings Editor	Read-write access to findings	resourcemanager.organizations.get securitycenter.findings.* securitycenter.sources.get securitycenter.sources.list
`roles/ securitycenter.findingsStateSetter`	Security Center Findings State Setter	Set state access to findings	securitycenter.findings.setState
`roles/ securitycenter.findingsViewer`	Security Center Findings Viewer	Read access to findings	resourcemanager.organizations.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.sources.get securitycenter.sources.list
`roles/ securitycenter.sourcesAdmin`	Security Center Sources Admin	Admin access to sources	resourcemanager.organizations.get securitycenter.sources.*
`roles/ securitycenter.sourcesEditor`	Security Center Sources Editor	Read-write access to sources	resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update
`roles/ securitycenter.sourcesViewer`	Security Center Sources Viewer	Read access to sources	resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list

Service Consumer Management roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ serviceconsumermanagement.tenancyUnitsAdmin`	Admin of Tenancy Units ^Beta	Administrate tenancy units	serviceconsumermanagement.tenancyu.*
`roles/ serviceconsumermanagement.tenancyUnitsViewer`	Viewer of Tenancy Units ^Beta	View tenancy units	serviceconsumermanagement.tenancyu.list

Service Management roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ cloudscheduler.serviceAgent`	Cloud Scheduler Service Agent ^Alpha	Grants Cloud Scheduler Service Account access to manage resources.	iam.serviceAccounts.getAccessToken logging.logEntries.create pubsub.topics.publish
`roles/ cloudtasks.serviceAgent`	Cloud Tasks Service Agent ^Alpha	Grants Cloud Tasks Service Account access to manage resources.	iam.serviceAccounts.getAccessToken logging.logEntries.create
`roles/ datafusion.serviceAgent`	Cloud Data Fusion API Service Agent ^Alpha	Gives Cloud Data Fusion service account access to Service Networking, Dataproc, Storage, BigQuery, Spanner and BigTable resources.	bigquery.datasets.* bigquery.jobs.create bigquery.models.* bigquery.routines.* bigquery.tables.* bigtable.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.machineTypes.* compute.networks.addPeering compute.networks.get compute.networks.list compute.networks.removePeering compute.networks.update compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.update dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update dataproc.operations.delete dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.create dataproc.workflowTemplates.delete dataproc.workflowTemplates.get dataproc.workflowTemplates.instantiate dataproc.workflowTemplates.instantiateInline dataproc.workflowTemplates.list dataproc.workflowTemplates.update firebase.projects.get monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list spanner.databaseOperations.* spanner.databases.beginOrRollbackReadWriteTransaction spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.list spanner.databases.read spanner.databases.select spanner.databases.updateDdl spanner.databases.write spanner.instanceConfigs.* spanner.instances.get spanner.instances.list spanner.sessions.* storage.*
`roles/ servicemanagement.admin`	Service Management Administrator	Full control of Google Service Management resources.	monitoring.timeSeries.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list serviceconsumermanagement.* servicemanagement.services.* serviceusage.quotas.get serviceusage.services.get
`roles/ servicemanagement.configEditor`	Service Config Editor	Access to update the service config and create rollouts.	servicemanagement.services.get servicemanagement.services.update
`roles/ servicemanagement.quotaAdmin`	Quota Administrator ^Beta	Provides access to administer service quotas.	monitoring.timeSeries.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list servicemanagement.consumerSettings.* serviceusage.quotas.* serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.list	Project
`roles/ servicemanagement.quotaViewer`	Quota Viewer ^Beta	Provides access to view service quotas.	monitoring.timeSeries.list servicemanagement.consumerSettings.get servicemanagement.consumerSettings.getIamPolicy servicemanagement.consumerSettings.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/ servicemanagement.serviceConsumer`	Service Consumer	Can enable the service.	servicemanagement.services.bind
`roles/ servicemanagement.serviceController`	Service Controller	Runtime control of checking and reporting usage of a service.	servicemanagement.services.check servicemanagement.services.get servicemanagement.services.quota servicemanagement.services.report	Project

Service Networking roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ servicenetworking.networksAdmin`	Service Networking Admin ^Beta	Full control of service networking with projects.	servicenetworking.*

Service Usage roles

Role	Title	Description	Permissions
`roles/ serviceusage.apiKeysAdmin`	API Keys Admin ^Beta	Ability to create, delete, update, get and list API keys for a project.	serviceusage.apiKeys.* serviceusage.operations.get
`roles/ serviceusage.apiKeysViewer`	API Keys Viewer ^Beta	Ability to get and list API keys for a project.	serviceusage.apiKeys.get serviceusage.apiKeys.getProjectForKey serviceusage.apiKeys.list
`roles/ serviceusage.serviceUsageAdmin`	Service Usage Admin ^Beta	Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.	monitoring.timeSeries.list serviceusage.operations.* serviceusage.quotas.* serviceusage.services.*
`roles/ serviceusage.serviceUsageConsumer`	Service Usage Consumer ^Beta	Ability to inspect service states and operations, and consume quota and billing for a consumer project.	monitoring.timeSeries.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use
`roles/ serviceusage.serviceUsageViewer`	Service Usage Viewer ^Beta	Ability to inspect service states and operations for a consumer project.	monitoring.timeSeries.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Source roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ source.admin`	Source Repository Administrator	Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies.	source.*	Project
`roles/ source.reader`	Source Repository Reader	Provides permissions to list, clone, fetch, and browse repositories.	source.repos.get source.repos.list	Project
`roles/ source.writer`	Source Repository Writer	Provides permissions to list, clone, fetch, browse, and update repositories.	source.repos.get source.repos.list source.repos.update	Project

Cloud Spanner roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ spanner.admin`	Cloud Spanner Admin	Permission to grant and revoke permissions to other principals, allocate and delete chargeable resources, issue get/list/modify operations on resources, read from and write to databases, and fetch project metadata.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.*	Project
`roles/ spanner.databaseAdmin`	Cloud Spanner Database Admin	Permission to get/list all Cloud Spanner resources in a project, create/list/drop databases, grant/revoke access to project databases, and read from and write to all Cloud Spanner databases in the project.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.databaseOperations.* spanner.databases.* spanner.instances.get spanner.instances.getIamPolicy spanner.instances.list spanner.sessions.*	Project
`roles/ spanner.databaseReader`	Cloud Spanner Database Reader	Permission to read from the Cloud Spanner database, execute SQL queries on the database, and view the schema.	spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.read spanner.databases.select spanner.sessions.*	Database
`roles/ spanner.databaseUser`	Cloud Spanner Database User	Permission to read from and write to the Cloud Spanner database, execute SQL queries on the database, and view and update the schema.	spanner.databaseOperations.* spanner.databases.beginOrRollbackReadWriteTransaction spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.read spanner.databases.select spanner.databases.updateDdl spanner.databases.write spanner.sessions.*	Database
`roles/ spanner.viewer`	Cloud Spanner Viewer	Permission to view all Cloud Spanner instances and databases, but not modify or read from them.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.databases.list spanner.instanceConfigs.* spanner.instances.get spanner.instances.list	Project

Stackdriver roles

Role	Title	Description	Permissions
`roles/ stackdriver.accounts.editor`	Stackdriver Accounts Editor	Read/write access to manage Stackdriver account structure.	resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.projects.*
`roles/ stackdriver.accounts.viewer`	Stackdriver Accounts Viewer	Read-only access to get and list information about Stackdriver account structure.	resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get
`roles/ stackdriver.resourceMaintenanceWindow.editor`	Stackdriver Resource Maintenance Window Editor	Read/write access to manage Stackdriver resource maintenance windows.
`roles/ stackdriver.resourceMaintenanceWindow.viewer`	Stackdriver Resource Maintenance Window Viewer	Read-only access to information about Stackdriver resource maintenance windows.
`roles/ stackdriver.resourceMetadata.writer`	Stackdriver Resource Metadata Writer ^Beta	Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.	stackdriver.resourceMetadata.*

Storage roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ storage.admin`	Storage Admin	Grants full control of objects and buckets. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.	firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.*	Bucket
`roles/ storage.objectAdmin`	Storage Object Admin	Grants full control of objects, including listing, creating, viewing, and deleting objects.	resourcemanager.projects.get resourcemanager.projects.list storage.objects.*	Bucket
`roles/ storage.objectCreator`	Storage Object Creator	Allows users to create objects. Does not give permission to view, delete, or overwrite objects.	resourcemanager.projects.get resourcemanager.projects.list storage.objects.create	Bucket
`roles/ storage.objectViewer`	Storage Object Viewer	Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.	resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list	Bucket
`roles/ storagetransfer.admin`	Storage Transfer Admin	Create, update and manage transfer jobs and operations.	resourcemanager.projects.get resourcemanager.projects.list storagetransfer.*
`roles/ storagetransfer.user`	Storage Transfer User	Create and update storage transfer jobs and operations.	resourcemanager.projects.get resourcemanager.projects.list storagetransfer.jobs.create storagetransfer.jobs.get storagetransfer.jobs.list storagetransfer.jobs.update storagetransfer.operations.* storagetransfer.projects.*
`roles/ storagetransfer.viewer`	Storage Transfer Viewer	Read access to storage transfer jobs and operations.	resourcemanager.projects.get resourcemanager.projects.list storagetransfer.jobs.get storagetransfer.jobs.list storagetransfer.operations.get storagetransfer.operations.list storagetransfer.projects.*

Storage Legacy roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ storage.legacyBucketOwner`	Storage Legacy Bucket Owner	Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding Cloud IAM policies, when listing; and read and edit bucket metadata, including Cloud IAM policies. Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.	storage.buckets.get storage.buckets.getIamPolicy storage.buckets.setIamPolicy storage.buckets.update storage.objects.create storage.objects.delete storage.objects.list	Bucket
`roles/ storage.legacyBucketReader`	Storage Legacy Bucket Reader	Grants permission to list a bucket's contents and read bucket metadata, excluding Cloud IAM policies. Also grants permission to read object metadata, excluding Cloud IAM policies, when listing objects. Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.	storage.buckets.get storage.objects.list	Bucket
`roles/ storage.legacyBucketWriter`	Storage Legacy Bucket Writer	Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding Cloud IAM policies, when listing; and read bucket metadata, excluding Cloud IAM policies. Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.	storage.buckets.get storage.objects.create storage.objects.delete storage.objects.list	Bucket
`roles/ storage.legacyObjectOwner`	Storage Legacy Object Owner	Grants permission to view and edit objects and their metadata, including ACLs.	storage.objects.get storage.objects.getIamPolicy storage.objects.setIamPolicy storage.objects.update	Bucket
`roles/ storage.legacyObjectReader`	Storage Legacy Object Reader	Grants permission to view objects and their metadata, excluding ACLs.	storage.objects.get	Bucket

Support roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ cloudsupport.admin`	Support Account Administrator	Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information.	cloudsupport.*	Organization
`roles/ cloudsupport.viewer`	Support Account Viewer	Read-only access to details of a support account. This does not allow viewing cases.	cloudsupport.accounts.get cloudsupport.accounts.getUserRoles cloudsupport.accounts.list	Organization

Cloud Threat Detection roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ threatdetection.editor`	Threat Detection Settings Editor ^Beta	Read-write access to all Threat Detection settings	threatdetection.*
`roles/ threatdetection.viewer`	Threat Detection Settings Viewer ^Beta	Read access to all Threat Detection settings	threatdetection.detectorSettings.get threatdetection.sinkSettings.get threatdetection.sourceSettings.get

Cloud TPU roles

Role	Title	Description	Permissions	Lowest Resource
`roles/ tpu.admin`	TPU Admin	Full access to TPU nodes and related resources.	resourcemanager.projects.get resourcemanager.projects.list tpu.*
`roles/ tpu.viewer`	TPU Viewer	Read-only access to TPU nodes and related resources.	resourcemanager.projects.get resourcemanager.projects.list tpu.acceleratortypes.* tpu.locations.* tpu.nodes.get tpu.nodes.list tpu.operations.* tpu.tensorflowversions.*

Serverless VPC Access roles

Role	Title	Description	Permissions
`roles/ vpaccess.user`	Serverless VPC Access User ^Beta	User of Serverless VPC Access connectors	resourcemanager.projects.get resourcemanager.projects.list vpcaccess.connectors.get vpcaccess.connectors.list vpcaccess.connectors.use vpcaccess.locations.* vpcaccess.operations.*
`roles/ vpaccess.viewer`	Serverless VPC Access Viewer ^Beta	Viewer of all Serverless VPC Access resources	resourcemanager.projects.get resourcemanager.projects.list vpcaccess.connectors.get vpcaccess.connectors.list vpcaccess.locations.* vpcaccess.operations.*
`roles/ vpcaccess.admin`	Serverless VPC Access Admin ^Beta	Full access to all Serverless VPC Access resources	resourcemanager.projects.get resourcemanager.projects.list vpcaccess.*

Custom roles

In addition to the predefined roles, Cloud IAM also provides the ability to create customized Cloud IAM roles. You can create a custom Cloud IAM role with one or more permissions and then grant that custom role to users who are part of your organization. See Understanding Custom Roles and Creating and Managing Custom Roles for more information.

Product-specific Cloud IAM documentation

Product-specific Cloud IAM documentation explains more about the predefined roles offered by each product. Read the following pages to learn more about the predefined roles.

Documentation	Description
Cloud IAM for App Engine	Explains Cloud IAM roles for App Engine
Cloud IAM for BigQuery	Explains Cloud IAM roles for BigQuery
Cloud IAM for Cloud Bigtable	Explains Cloud IAM roles for Cloud Bigtable
Cloud IAM for Cloud Billing API	Explains Cloud IAM roles and permissions for Cloud Billing API
Cloud IAM for Cloud Dataflow	Explains Cloud IAM roles for Cloud Dataflow
Cloud IAM for Cloud Dataproc	Explains Cloud IAM roles and permissions for Cloud Dataproc
Cloud IAM for Cloud Datastore	Explains Cloud IAM roles and permissions for Cloud Datastore
Cloud IAM for Cloud DNS	Explains Cloud IAM roles and permissions for Cloud DNS
Cloud IAM for Cloud KMS	Explains Cloud IAM roles and permissions for Cloud KMS
Cloud IAM for AI Platform	Explains Cloud IAM roles and permissions for AI Platform
Cloud IAM for Cloud Pub/Sub	Explains Cloud IAM roles for Cloud Pub/Sub
Cloud IAM for Cloud Spanner	Explains Cloud IAM roles and permissions for Cloud Spanner
Cloud IAM for Cloud SQL	Explains Cloud IAM roles for Cloud SQL
Cloud IAM for Cloud Storage	Explains Cloud IAM roles for Cloud Storage
Cloud IAM for Compute Engine	Explains Cloud IAM roles for Compute Engine
Cloud IAM for GKE	Explains Cloud IAM roles and permissions for GKE
Cloud IAM for Deployment Manager	Explains Cloud IAM roles and permissions for Deployment Manager
Cloud IAM for Organizations	Explains Cloud IAM roles for Organization.
Cloud IAM for Folders	Explains Cloud IAM roles for folders.
Cloud IAM for Projects	Explains Cloud IAM roles for projects.
Cloud IAM for Service Management	Explains Cloud IAM roles and permissions for Service Management
Cloud IAM for Stackdriver Debugger	Explains Cloud IAM roles for Debugger
Cloud IAM for Stackdriver Logging	Explains Cloud IAM roles for Logging
Cloud IAM for Stackdriver Monitoring	Explains Cloud IAM roles for Monitoring
Cloud IAM for Stackdriver Trace	Explains Cloud IAM roles and permissions for Trace

What's next

Learn how to grant Cloud IAM roles to users.
Learn about Custom Roles

Jun	JUL	Aug
	01
2018	2019	2020