Confidential Computing roles and permissions

This page lists the IAM roles and permissions for Confidential Computing. To search through all roles and permissions, see the role and permission index .

Confidential Computing roles

Role

Permissions

Confidentialcomputing Admin

( roles/ confidentialcomputing.admin )

Admin role for confidentialcomputing

confidentialcomputing.*

confidentialcomputing. challenges. create
confidentialcomputing. challenges. verify
confidentialcomputing. challenges. verifygke
confidentialcomputing. locations. get
confidentialcomputing. locations. list

resourcemanager.projects.get

resourcemanager.projects.list

Confidentialcomputing Viewer

( roles/ confidentialcomputing.viewer )

Viewer role for confidentialcomputing

confidentialcomputing. locations.*

confidentialcomputing. locations. get
confidentialcomputing. locations. list

resourcemanager.projects.get

resourcemanager.projects.list

Confidential GKE Workload User

( roles/ confidentialcomputing.gkeWorkloadUser )

Grants the ability to generate a GKE attestation token and run a workload in a GKE cluster.

confidentialcomputing. challenges. create

confidentialcomputing. challenges. verifygke

confidentialcomputing. locations.*

confidentialcomputing. locations. get
confidentialcomputing. locations. list

logging.logEntries.create

Confidential Space Workload User

( roles/ confidentialcomputing.workloadUser )

Grants the ability to generate an attestation token and run a workload in a VM. Intended for service accounts that run on Confidential Space VMs.

confidentialcomputing. challenges. create

confidentialcomputing. challenges. verify

confidentialcomputing. locations.*

confidentialcomputing. locations. get
confidentialcomputing. locations. list

logging.logEntries.create

Confidential Computing permissions

Permission	Included in roles
`confidentialcomputing. challenges. create`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) Confidentialcomputing Admin ( `roles/ confidentialcomputing.admin` ) Confidential GKE Workload User ( `roles/ confidentialcomputing.gkeWorkloadUser` ) Confidential Space Workload User ( `roles/ confidentialcomputing.workloadUser` )
`confidentialcomputing. challenges. verify`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) Confidentialcomputing Admin ( `roles/ confidentialcomputing.admin` ) Confidential Space Workload User ( `roles/ confidentialcomputing.workloadUser` )
`confidentialcomputing. challenges. verifygke`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) Confidentialcomputing Admin ( `roles/ confidentialcomputing.admin` ) Confidential GKE Workload User ( `roles/ confidentialcomputing.gkeWorkloadUser` )
`confidentialcomputing. locations. get`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) Viewer ( `roles/ viewer` ) Confidentialcomputing Admin ( `roles/ confidentialcomputing.admin` ) Confidentialcomputing Viewer ( `roles/ confidentialcomputing.viewer` ) Confidential GKE Workload User ( `roles/ confidentialcomputing.gkeWorkloadUser` ) Confidential Space Workload User ( `roles/ confidentialcomputing.workloadUser` ) Support User ( `roles/ iam.supportUser` )
`confidentialcomputing. locations. list`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) Viewer ( `roles/ viewer` ) Confidentialcomputing Admin ( `roles/ confidentialcomputing.admin` ) Confidentialcomputing Viewer ( `roles/ confidentialcomputing.viewer` ) Security Admin ( `roles/ iam.securityAdmin` ) Security Reviewer ( `roles/ iam.securityReviewer` ) Confidential GKE Workload User ( `roles/ confidentialcomputing.gkeWorkloadUser` ) Confidential Space Workload User ( `roles/ confidentialcomputing.workloadUser` ) Security Auditor ( `roles/ iam.securityAuditor` ) Support User ( `roles/ iam.supportUser` )

Confidential Computing roles and permissions