Identity-Aware Proxy roles and permissions

This page lists the IAM roles and permissions for Identity-Aware Proxy. To search through all roles and permissions, see the role and permission index .

Identity-Aware Proxy roles

Role

Permissions

IAP Policy Admin

( roles/ iap.admin )

Provides full access to Identity-Aware Proxy resources.

iap.tunnel.*

iap.tunnel.getIamPolicy
iap.tunnel.setIamPolicy

iap. tunnelDestGroups. getIamPolicy

iap. tunnelDestGroups. setIamPolicy

iap. tunnelInstances. getIamPolicy

iap. tunnelInstances. setIamPolicy

iap.tunnelLocations.*

iap. tunnelLocations. getIamPolicy
iap. tunnelLocations. setIamPolicy

iap.tunnelZones.*

iap.tunnelZones.getIamPolicy
iap.tunnelZones.setIamPolicy

iap.web.getIamPolicy

iap.web.setIamPolicy

iap. webServiceVersions. getIamPolicy

iap. webServiceVersions. setIamPolicy

iap.webServices.getIamPolicy

iap.webServices.setIamPolicy

iap.webTypes.getIamPolicy

iap.webTypes.setIamPolicy

IAP-secured Web App User

( roles/ iap.httpsResourceAccessor )

Provides permission to access HTTPS resources which use Identity-Aware Proxy.

iap. webServiceVersions. accessViaIAP

IAP-secured Resource Remediator User ^Beta

( roles/ iap.remediatorUser )

Remediate IAP resource

iap.tunnelDestGroups.remediate

iap.tunnelinstances.remediate

iap. webServiceVersions. remediate

IAP Settings Admin

( roles/ iap.settingsAdmin )

Administrator of IAP Settings.

iap.projects.*

iap.projects.getSettings
iap.projects.updateSettings

iap.web.getSettings

iap.web.updateSettings

iap. webServiceVersions. getSettings

iap. webServiceVersions. updateSettings

iap.webServices.getSettings

iap.webServices.updateSettings

iap.webTypes.getSettings

iap.webTypes.updateSettings

IAP-secured Tunnel Destination Group Editor

( roles/ iap.tunnelDestGroupEditor )

Edit Tunnel Destination Group resources which use Identity-Aware Proxy

iap.tunnelDestGroups.create

iap.tunnelDestGroups.delete

iap.tunnelDestGroups.get

iap.tunnelDestGroups.list

iap.tunnelDestGroups.update

IAP-secured Tunnel Destination Group Viewer

( roles/ iap.tunnelDestGroupViewer )

View Tunnel Destination Group resources which use Identity-Aware Proxy

iap.tunnelDestGroups.get

iap.tunnelDestGroups.list

IAP-secured Tunnel User

( roles/ iap.tunnelResourceAccessor )

Access Tunnel resources which use Identity-Aware Proxy

iap. tunnelDestGroups. accessViaIAP

iap. tunnelInstances. accessViaIAP

Identity-Aware Proxy permissions

Permission	Included in roles
`iap.projects.getSettings`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) Viewer ( `roles/ viewer` ) Support User ( `roles/ iam.supportUser` ) IAP Settings Admin ( `roles/ iap.settingsAdmin` )
`iap.projects.updateSettings`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) IAP Settings Admin ( `roles/ iap.settingsAdmin` )
`iap.tunnel.getIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) Security Auditor ( `roles/ iam.securityAuditor` ) Security Reviewer ( `roles/ iam.securityReviewer` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap.tunnel.setIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap. tunnelDestGroups. accessViaIAP`	Owner ( `roles/ owner` ) IAP-secured Tunnel User ( `roles/ iap.tunnelResourceAccessor` )
`iap.tunnelDestGroups.create`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) IAP-secured Tunnel Destination Group Editor ( `roles/ iap.tunnelDestGroupEditor` )
`iap.tunnelDestGroups.delete`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) IAP-secured Tunnel Destination Group Editor ( `roles/ iap.tunnelDestGroupEditor` )
`iap.tunnelDestGroups.get`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) Viewer ( `roles/ viewer` ) Support User ( `roles/ iam.supportUser` ) IAP-secured Tunnel Destination Group Editor ( `roles/ iap.tunnelDestGroupEditor` ) IAP-secured Tunnel Destination Group Viewer ( `roles/ iap.tunnelDestGroupViewer` )
`iap. tunnelDestGroups. getIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) Security Auditor ( `roles/ iam.securityAuditor` ) Security Reviewer ( `roles/ iam.securityReviewer` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap.tunnelDestGroups.list`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) Viewer ( `roles/ viewer` ) Security Admin ( `roles/ iam.securityAdmin` ) Security Auditor ( `roles/ iam.securityAuditor` ) Security Reviewer ( `roles/ iam.securityReviewer` ) Support User ( `roles/ iam.supportUser` ) IAP-secured Tunnel Destination Group Editor ( `roles/ iap.tunnelDestGroupEditor` ) IAP-secured Tunnel Destination Group Viewer ( `roles/ iap.tunnelDestGroupViewer` )
`iap.tunnelDestGroups.remediate`	Owner ( `roles/ owner` ) IAP-secured Resource Remediator User ( `roles/ iap.remediatorUser` )
`iap. tunnelDestGroups. setIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap.tunnelDestGroups.update`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) IAP-secured Tunnel Destination Group Editor ( `roles/ iap.tunnelDestGroupEditor` )
`iap. tunnelInstances. accessViaIAP`	Owner ( `roles/ owner` ) IAP-secured Tunnel User ( `roles/ iap.tunnelResourceAccessor` )
`iap. tunnelInstances. getIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) Security Auditor ( `roles/ iam.securityAuditor` ) Security Reviewer ( `roles/ iam.securityReviewer` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap. tunnelInstances. setIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap. tunnelLocations. getIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) Security Auditor ( `roles/ iam.securityAuditor` ) Security Reviewer ( `roles/ iam.securityReviewer` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap. tunnelLocations. setIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap.tunnelZones.getIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) Security Auditor ( `roles/ iam.securityAuditor` ) Security Reviewer ( `roles/ iam.securityReviewer` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap.tunnelZones.setIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap.tunnelinstances.remediate`	Owner ( `roles/ owner` ) IAP-secured Resource Remediator User ( `roles/ iap.remediatorUser` )
`iap.web.getIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) Security Auditor ( `roles/ iam.securityAuditor` ) Security Reviewer ( `roles/ iam.securityReviewer` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap.web.getSettings`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) Viewer ( `roles/ viewer` ) Support User ( `roles/ iam.supportUser` ) IAP Settings Admin ( `roles/ iap.settingsAdmin` )
`iap.web.setIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap.web.updateSettings`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) IAP Settings Admin ( `roles/ iap.settingsAdmin` )
`iap. webServiceVersions. accessViaIAP`	IAP-secured Web App User ( `roles/ iap.httpsResourceAccessor` )
`iap. webServiceVersions. getIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) Security Auditor ( `roles/ iam.securityAuditor` ) Security Reviewer ( `roles/ iam.securityReviewer` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap. webServiceVersions. getSettings`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) Viewer ( `roles/ viewer` ) Support User ( `roles/ iam.supportUser` ) IAP Settings Admin ( `roles/ iap.settingsAdmin` )
`iap. webServiceVersions. remediate`	Owner ( `roles/ owner` ) IAP-secured Resource Remediator User ( `roles/ iap.remediatorUser` )
`iap. webServiceVersions. setIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap. webServiceVersions. updateSettings`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) IAP Settings Admin ( `roles/ iap.settingsAdmin` )
`iap.webServices.getIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) Security Auditor ( `roles/ iam.securityAuditor` ) Security Reviewer ( `roles/ iam.securityReviewer` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap.webServices.getSettings`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) Viewer ( `roles/ viewer` ) Support User ( `roles/ iam.supportUser` ) IAP Settings Admin ( `roles/ iap.settingsAdmin` )
`iap.webServices.setIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap.webServices.updateSettings`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) IAP Settings Admin ( `roles/ iap.settingsAdmin` )
`iap.webTypes.getIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) Security Auditor ( `roles/ iam.securityAuditor` ) Security Reviewer ( `roles/ iam.securityReviewer` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap.webTypes.getSettings`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) Viewer ( `roles/ viewer` ) Support User ( `roles/ iam.supportUser` ) IAP Settings Admin ( `roles/ iap.settingsAdmin` )
`iap.webTypes.setIamPolicy`	Owner ( `roles/ owner` ) Security Admin ( `roles/ iam.securityAdmin` ) IAP Policy Admin ( `roles/ iap.admin` )
`iap.webTypes.updateSettings`	Owner ( `roles/ owner` ) Editor ( `roles/ editor` ) IAP Settings Admin ( `roles/ iap.settingsAdmin` )

Identity-Aware Proxy roles and permissions Stay organized with collections Save and categorize content based on your preferences.