Roles and permissions
A permission is the smallest unit of authority: a single action on a single
resource, named <service>.<resource>.<action> (for example compute.vm.create).
A role is a named bundle of permissions. You grant a role to an identity with
a binding, within a scope.
Permissions are system-defined and read-only. Roles are either built-in
(system-defined and immutable) or custom (composed by you from any permission).
You can enumerate permissions with ListPermissions and a role’s exact set with
ListRolePermissions.
Role families
Section titled “Role families”Built-in roles follow a consistent convention: a Viewer can read (get,
list), an Editor adds create, update, and resource actions, and an Admin
has full access including delete. They come at three levels:
- Platform-wide roles (
Viewer,Editor,Admin) grant the matching access across every service. They are listed below. - Per-service roles (for example
Compute Editor) and per-resource roles (for exampleVM Admin) are scoped to one service, and are listed on that service’s own page.
Platform-wide roles
Section titled “Platform-wide roles”These primitive roles span every service. Granting one at a scope confers the corresponding access to all services within that scope.
| Role | Description |
|---|---|
Viewer | Read-only access to all resources across every service |
Editor | Read and write access to all resources across every service |
Admin | Full administrative access across every service, including IAM |
Roles and permissions by service
Section titled “Roles and permissions by service”Each service documents its own built-in roles and the permissions it defines:
The IAM service’s own built-in roles. Each row lists a role, what it grants, and the exact permissions it includes.
| Role | Included permissions |
|---|---|
| IAM Viewer Read-only access to all IAM resources | iam.binding.getiam.binding.listiam.operation.getiam.operation.listiam.permission.getiam.permission.listiam.policy.getiam.policy.listiam.role.getiam.role.listiam.rolepermission.listiam.token.listiam.user.getiam.user.list |
| IAM Editor Read and write access to all IAM resources | iam.binding.createiam.binding.getiam.binding.listiam.operation.getiam.operation.listiam.permission.getiam.permission.listiam.policy.createiam.policy.getiam.policy.listiam.policy.updateiam.role.createiam.role.getiam.role.listiam.role.updateiam.rolepermission.addiam.rolepermission.listiam.token.listiam.token.revokeiam.user.changepasswordiam.user.createiam.user.getiam.user.listiam.user.update |
| IAM Admin Full access to all IAM resources | iam.binding.createiam.binding.deleteiam.binding.getiam.binding.listiam.operation.getiam.operation.listiam.permission.getiam.permission.listiam.policy.createiam.policy.deleteiam.policy.getiam.policy.listiam.policy.updateiam.role.createiam.role.deleteiam.role.getiam.role.listiam.role.updateiam.rolepermission.addiam.rolepermission.listiam.rolepermission.removeiam.token.listiam.token.revokeiam.user.changepasswordiam.user.createiam.user.deleteiam.user.getiam.user.listiam.user.update |
| User Viewer View users | iam.operation.getiam.operation.listiam.user.getiam.user.list |
| User Editor View and manage users | iam.operation.getiam.operation.listiam.user.changepasswordiam.user.createiam.user.getiam.user.listiam.user.update |
| User Admin Full access to users | iam.operation.getiam.operation.listiam.user.changepasswordiam.user.createiam.user.deleteiam.user.getiam.user.listiam.user.update |
| Role Viewer View roles and role permissions | iam.operation.getiam.operation.listiam.permission.getiam.permission.listiam.role.getiam.role.listiam.rolepermission.list |
| Role Editor View and manage roles and role permissions | iam.operation.getiam.operation.listiam.permission.getiam.permission.listiam.role.createiam.role.getiam.role.listiam.role.updateiam.rolepermission.addiam.rolepermission.list |
| Role Admin Full access to roles and role permissions | iam.operation.getiam.operation.listiam.permission.getiam.permission.listiam.role.createiam.role.deleteiam.role.getiam.role.listiam.role.updateiam.rolepermission.addiam.rolepermission.listiam.rolepermission.remove |
| Policy Viewer View policies | iam.operation.getiam.operation.listiam.policy.getiam.policy.list |
| Policy Editor View and manage policies | iam.operation.getiam.operation.listiam.policy.createiam.policy.getiam.policy.listiam.policy.update |
| Policy Admin Full access to policies | iam.operation.getiam.operation.listiam.policy.createiam.policy.deleteiam.policy.getiam.policy.listiam.policy.update |
| Binding Viewer View IAM bindings | iam.binding.getiam.binding.listiam.operation.getiam.operation.list |
| Binding Editor View and manage IAM bindings | iam.binding.createiam.binding.getiam.binding.listiam.operation.getiam.operation.list |
| Binding Admin Full access to IAM bindings | iam.binding.createiam.binding.deleteiam.binding.getiam.binding.listiam.operation.getiam.operation.list |
| IAM Token Viewer View authentication tokens | iam.operation.getiam.operation.listiam.token.list |
| IAM Token Editor View and revoke authentication tokens | iam.operation.getiam.operation.listiam.token.listiam.token.revoke |
| IAM Token Admin Full access to authentication tokens | iam.operation.getiam.operation.listiam.token.listiam.token.revoke |
Related
Section titled “Related”- The authorization model: how a permission, role, scope, and policy combine.
- Overview: the IAM service at a glance.