To limit access for users within a project or organization, you can use Identity and Access Management (IAM) roles for Dataflow. You can control access to Dataflow-related resources, as opposed to granting users the Viewer, Editor, or Owner role to the entire Google Cloud project.
This page focuses on how to use Dataflow's IAM roles. For a detailed description of IAM and its features, see the IAM documentation .
Every Dataflow method requires the caller to have the necessary permissions. For a list of the permissions and roles Dataflow supports, see the following section.
Permissions and roles
This section summarizes the permissions and roles Dataflow IAM supports.
Required permissions
The following table lists the permissions that the caller must have to call each method:
| Method | Required Permissions |
|---|---|
dataflow.jobs.create
|
dataflow.jobs.create
|
dataflow.jobs.cancel
|
dataflow.jobs.cancel
|
dataflow.jobs.updateContents
|
dataflow.jobs.updateContents
|
dataflow.jobs.list
|
dataflow.jobs.list
|
dataflow.jobs.get
|
dataflow.jobs.get
|
dataflow.messages.list
|
dataflow.messages.list
|
dataflow.metrics.get
|
dataflow.metrics.get
|
dataflow.jobs.snapshot
|
dataflow.jobs.snapshot
|
Roles
The following table lists the Dataflow IAM roles with a
corresponding list of Dataflow-related permissions each role includes. Every
permission is applicable to a particular resource type. For a
list of permissions, see the Rolespage in the Google Cloud console
.
Dataflow Admin
( roles/
)
Minimal role for creating and managing dataflow jobs.
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.locations.*
-
cloudbuild.locations.get -
cloudbuild.locations.list
cloudbuild.operations.*
-
cloudbuild.operations.get -
cloudbuild.operations.list
cloudkms.keyHandles.*
-
cloudkms.keyHandles.create -
cloudkms.keyHandles.get -
cloudkms.keyHandles.list
cloudkms.operations.get
cloudkms.
compute.machineTypes.get
compute.projects.get
compute.regions.list
compute.zones.list
dataflow.jobs.*
-
dataflow.jobs.cancel -
dataflow.jobs.create -
dataflow.jobs.get -
dataflow.jobs.list -
dataflow.jobs.snapshot -
dataflow.jobs.updateContents
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
-
dataflow.snapshots.delete -
dataflow.snapshots.get -
dataflow.snapshots.list
recommender.
-
recommender.dataflowDiagnosticsInsights. get -
recommender.dataflowDiagnosticsInsights. list -
recommender.dataflowDiagnosticsInsights. update
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list
Dataflow Developer
( roles/
)
Provides the permissions necessary to execute and manipulate Dataflow jobs.
Lowest-level resources where you can grant this role:
- Project
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.locations.*
-
cloudbuild.locations.get -
cloudbuild.locations.list
cloudbuild.operations.*
-
cloudbuild.operations.get -
cloudbuild.operations.list
cloudkms.keyHandles.*
-
cloudkms.keyHandles.create -
cloudkms.keyHandles.get -
cloudkms.keyHandles.list
cloudkms.operations.get
cloudkms.
compute.projects.get
compute.regions.list
compute.zones.list
dataflow.jobs.*
-
dataflow.jobs.cancel -
dataflow.jobs.create -
dataflow.jobs.get -
dataflow.jobs.list -
dataflow.jobs.snapshot -
dataflow.jobs.updateContents
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
-
dataflow.snapshots.delete -
dataflow.snapshots.get -
dataflow.snapshots.list
recommender.
-
recommender.dataflowDiagnosticsInsights. get -
recommender.dataflowDiagnosticsInsights. list -
recommender.dataflowDiagnosticsInsights. update
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Dataflow Service Agent
( roles/
)
Gives Cloud Dataflow service account access to managed resources. Includes access to service accounts.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
bigquery.bireservations.*
-
bigquery.bireservations.get -
bigquery.bireservations.update
bigquery.capacityCommitments.*
-
bigquery.capacityCommitments. create -
bigquery.capacityCommitments. delete -
bigquery.capacityCommitments. get -
bigquery.capacityCommitments. list -
bigquery.capacityCommitments. update
bigquery.config.*
-
bigquery.config.get -
bigquery.config.update
bigquery.connections.*
-
bigquery.connections.create -
bigquery.connections.delegate -
bigquery.connections.delete -
bigquery.connections.get -
bigquery.connections. getIamPolicy -
bigquery.connections.list -
bigquery.connections. setIamPolicy -
bigquery.connections.update -
bigquery.connections.updateTag -
bigquery.connections.use
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.
bigquery.dataPolicies.list
bigquery.
bigquery.dataPolicies.update
bigquery.datasets.*
-
bigquery.datasets.create -
bigquery.datasets. createTagBinding -
bigquery.datasets.delete -
bigquery.datasets. deleteTagBinding -
bigquery.datasets.get -
bigquery.datasets.getIamPolicy -
bigquery.datasets.link -
bigquery.datasets. listEffectiveTags -
bigquery.datasets. listSharedDatasetUsage -
bigquery.datasets. listTagBindings -
bigquery.datasets.setIamPolicy -
bigquery.datasets.update -
bigquery.datasets.updateTag
bigquery.jobs.*
-
bigquery.jobs.create -
bigquery.jobs.delete -
bigquery.jobs.get -
bigquery.jobs.list -
bigquery.jobs.listAll -
bigquery.jobs. listExecutionMetadata -
bigquery.jobs.update
bigquery.models.*
-
bigquery.models.create -
bigquery.models.delete -
bigquery.models.export -
bigquery.models.getData -
bigquery.models.getMetadata -
bigquery.models.list -
bigquery.models.updateData -
bigquery.models.updateMetadata -
bigquery.models.updateTag
bigquery.objectRefs.*
-
bigquery.objectRefs.read -
bigquery.objectRefs.write
bigquery.readsessions.*
-
bigquery.readsessions.create -
bigquery.readsessions.getData -
bigquery.readsessions.update
bigquery.
-
bigquery.reservationAssignments. create -
bigquery.reservationAssignments. delete -
bigquery.reservationAssignments. list -
bigquery.reservationAssignments. search
bigquery.reservationGroups.*
-
bigquery.reservationGroups. create -
bigquery.reservationGroups. delete -
bigquery.reservationGroups.get -
bigquery.reservationGroups. list
bigquery.reservations.*
-
bigquery.reservations.create -
bigquery.reservations.delete -
bigquery.reservations.get -
bigquery.reservations.list -
bigquery.reservations. listFailoverDatasets -
bigquery.reservations.update -
bigquery.reservations.use
bigquery.routines.*
-
bigquery.routines.create -
bigquery.routines.delete -
bigquery.routines.get -
bigquery.routines.list -
bigquery.routines.update -
bigquery.routines.updateTag
bigquery.
bigquery.
bigquery.rowAccessPolicies.get
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.savedqueries.*
-
bigquery.savedqueries.create -
bigquery.savedqueries.delete -
bigquery.savedqueries.get -
bigquery.savedqueries.list -
bigquery.savedqueries.update
bigquery.tables.*
-
bigquery.tables.create -
bigquery.tables.createIndex -
bigquery.tables.createSnapshot -
bigquery.tables. createTagBinding -
bigquery.tables.delete -
bigquery.tables.deleteIndex -
bigquery.tables.deleteSnapshot -
bigquery.tables. deleteTagBinding -
bigquery.tables.export -
bigquery.tables.get -
bigquery.tables.getData -
bigquery.tables.getIamPolicy -
bigquery.tables.list -
bigquery.tables. listEffectiveTags -
bigquery.tables. listTagBindings -
bigquery.tables.replicateData -
bigquery.tables. restoreSnapshot -
bigquery.tables.setCategory -
bigquery.tables. setColumnDataPolicy -
bigquery.tables.setIamPolicy -
bigquery.tables.update -
bigquery.tables.updateData -
bigquery.tables.updateIndex -
bigquery.tables.updateTag
bigquery.transfers.*
-
bigquery.transfers.get -
bigquery.transfers.update
bigquerymigration.
clouddebugger.breakpoints.list
clouddebugger.
clouddebugger.
clouddebugger.debuggees.create
cloudnotifications.
compute.acceleratorTypes.*
-
compute.acceleratorTypes.get -
compute.acceleratorTypes.list
compute.addresses.*
-
compute.addresses.create -
compute.addresses. createInternal -
compute.addresses. createTagBinding -
compute.addresses.delete -
compute.addresses. deleteInternal -
compute.addresses. deleteTagBinding -
compute.addresses.get -
compute.addresses.list -
compute.addresses. listEffectiveTags -
compute.addresses. listTagBindings -
compute.addresses.setLabels -
compute.addresses.use -
compute.addresses.useInternal
compute.autoscalers.*
-
compute.autoscalers.create -
compute.autoscalers.delete -
compute.autoscalers.get -
compute.autoscalers.list -
compute.autoscalers.update
compute.backendBuckets.*
-
compute.backendBuckets. addSignedUrlKey -
compute.backendBuckets.create -
compute.backendBuckets. createTagBinding -
compute.backendBuckets.delete -
compute.backendBuckets. deleteSignedUrlKey -
compute.backendBuckets. deleteTagBinding -
compute.backendBuckets.get -
compute.backendBuckets. getIamPolicy -
compute.backendBuckets.list -
compute.backendBuckets. listEffectiveTags -
compute.backendBuckets. listTagBindings -
compute.backendBuckets. setIamPolicy -
compute.backendBuckets. setSecurityPolicy -
compute.backendBuckets.update -
compute.backendBuckets.use
compute.backendServices.*
-
compute.backendServices. addSignedUrlKey -
compute.backendServices.create -
compute.backendServices. createTagBinding -
compute.backendServices.delete -
compute.backendServices. deleteSignedUrlKey -
compute.backendServices. deleteTagBinding -
compute.backendServices.get -
compute.backendServices. getIamPolicy -
compute.backendServices.list -
compute.backendServices. listEffectiveTags -
compute.backendServices. listTagBindings -
compute.backendServices. setIamPolicy -
compute.backendServices. setSecurityPolicy -
compute.backendServices.update -
compute.backendServices.use
compute.crossSiteNetworks.*
-
compute.crossSiteNetworks. create -
compute.crossSiteNetworks. delete -
compute.crossSiteNetworks.get -
compute.crossSiteNetworks.list -
compute.crossSiteNetworks. update
compute.diskSettings.*
-
compute.diskSettings.get -
compute.diskSettings.update
compute.diskTypes.*
-
compute.diskTypes.get -
compute.diskTypes.list
compute.disks.*
-
compute.disks. addResourcePolicies -
compute.disks.create -
compute.disks.createSnapshot -
compute.disks.createTagBinding -
compute.disks.delete -
compute.disks.deleteTagBinding -
compute.disks.get -
compute.disks.getIamPolicy -
compute.disks.list -
compute.disks. listEffectiveTags -
compute.disks.listTagBindings -
compute.disks. removeResourcePolicies -
compute.disks.resize -
compute.disks.setIamPolicy -
compute.disks.setLabels -
compute.disks. startAsyncReplication -
compute.disks. stopAsyncReplication -
compute.disks. stopGroupAsyncReplication -
compute.disks.update -
compute.disks.use -
compute.disks.useReadOnly
compute.externalVpnGateways.*
-
compute.externalVpnGateways. create -
compute.externalVpnGateways. createTagBinding -
compute.externalVpnGateways. delete -
compute.externalVpnGateways. deleteTagBinding -
compute.externalVpnGateways. get -
compute.externalVpnGateways. list -
compute.externalVpnGateways. listEffectiveTags -
compute.externalVpnGateways. listTagBindings -
compute.externalVpnGateways. setLabels -
compute.externalVpnGateways. use
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.
compute.
compute.firewallPolicies.use
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.*
-
compute.forwardingRules.create -
compute.forwardingRules. createTagBinding -
compute.forwardingRules.delete -
compute.forwardingRules. deleteTagBinding -
compute.forwardingRules.get -
compute.forwardingRules.list -
compute.forwardingRules. listEffectiveTags -
compute.forwardingRules. listTagBindings -
compute.forwardingRules. pscCreate -
compute.forwardingRules. pscDelete -
compute.forwardingRules. pscSetLabels -
compute.forwardingRules. pscUpdate -
compute.forwardingRules. setLabels -
compute.forwardingRules. setTarget -
compute.forwardingRules.update -
compute.forwardingRules.use
compute.globalAddresses.*
-
compute.globalAddresses.create -
compute.globalAddresses. createInternal -
compute.globalAddresses. createTagBinding -
compute.globalAddresses.delete -
compute.globalAddresses. deleteInternal -
compute.globalAddresses. deleteTagBinding -
compute.globalAddresses.get -
compute.globalAddresses.list -
compute.globalAddresses. listEffectiveTags -
compute.globalAddresses. listTagBindings -
compute.globalAddresses. setLabels -
compute.globalAddresses.use
compute.
-
compute.globalForwardingRules. create -
compute.globalForwardingRules. createTagBinding -
compute.globalForwardingRules. delete -
compute.globalForwardingRules. deleteTagBinding -
compute.globalForwardingRules. get -
compute.globalForwardingRules. list -
compute.globalForwardingRules. listEffectiveTags -
compute.globalForwardingRules. listTagBindings -
compute.globalForwardingRules. pscCreate -
compute.globalForwardingRules. pscDelete -
compute.globalForwardingRules. pscSetLabels -
compute.globalForwardingRules. pscUpdate -
compute.globalForwardingRules. setLabels -
compute.globalForwardingRules. setTarget -
compute.globalForwardingRules. update
compute.
-
compute.globalNetworkEndpointGroups. attachNetworkEndpoints -
compute.globalNetworkEndpointGroups. create -
compute.globalNetworkEndpointGroups. createTagBinding -
compute.globalNetworkEndpointGroups. delete -
compute.globalNetworkEndpointGroups. deleteTagBinding -
compute.globalNetworkEndpointGroups. detachNetworkEndpoints -
compute.globalNetworkEndpointGroups. get -
compute.globalNetworkEndpointGroups. list -
compute.globalNetworkEndpointGroups. listEffectiveTags -
compute.globalNetworkEndpointGroups. listTagBindings -
compute.globalNetworkEndpointGroups. use
compute.globalOperations.get
compute.globalOperations.list
compute.
compute.
compute.
compute.
compute.healthChecks.*
-
compute.healthChecks.create -
compute.healthChecks. createTagBinding -
compute.healthChecks.delete -
compute.healthChecks. deleteTagBinding -
compute.healthChecks.get -
compute.healthChecks.list -
compute.healthChecks. listEffectiveTags -
compute.healthChecks. listTagBindings -
compute.healthChecks.update -
compute.healthChecks.use -
compute.healthChecks. useReadOnly
compute.httpHealthChecks.*
-
compute.httpHealthChecks. create -
compute.httpHealthChecks. createTagBinding -
compute.httpHealthChecks. delete -
compute.httpHealthChecks. deleteTagBinding -
compute.httpHealthChecks.get -
compute.httpHealthChecks.list -
compute.httpHealthChecks. listEffectiveTags -
compute.httpHealthChecks. listTagBindings -
compute.httpHealthChecks. update -
compute.httpHealthChecks.use -
compute.httpHealthChecks. useReadOnly
compute.httpsHealthChecks.*
-
compute.httpsHealthChecks. create -
compute.httpsHealthChecks. createTagBinding -
compute.httpsHealthChecks. delete -
compute.httpsHealthChecks. deleteTagBinding -
compute.httpsHealthChecks.get -
compute.httpsHealthChecks.list -
compute.httpsHealthChecks. listEffectiveTags -
compute.httpsHealthChecks. listTagBindings -
compute.httpsHealthChecks. update -
compute.httpsHealthChecks.use -
compute.httpsHealthChecks. useReadOnly
compute.images.*
-
compute.images.create -
compute.images. createTagBinding -
compute.images.delete -
compute.images. deleteTagBinding -
compute.images.deprecate -
compute.images.get -
compute.images.getFromFamily -
compute.images.getIamPolicy -
compute.images.list -
compute.images. listEffectiveTags -
compute.images.listTagBindings -
compute.images.setIamPolicy -
compute.images.setLabels -
compute.images.update -
compute.images.useReadOnly
compute.
-
compute.instanceGroupManagers. create -
compute.instanceGroupManagers. createTagBinding -
compute.instanceGroupManagers. delete -
compute.instanceGroupManagers. deleteTagBinding -
compute.instanceGroupManagers. get -
compute.instanceGroupManagers. list -
compute.instanceGroupManagers. listEffectiveTags -
compute.instanceGroupManagers. listTagBindings -
compute.instanceGroupManagers. update -
compute.instanceGroupManagers. use
compute.instanceGroups.*
-
compute.instanceGroups.create -
compute.instanceGroups. createTagBinding -
compute.instanceGroups.delete -
compute.instanceGroups. deleteTagBinding -
compute.instanceGroups.get -
compute.instanceGroups.list -
compute.instanceGroups. listEffectiveTags -
compute.instanceGroups. listTagBindings -
compute.instanceGroups.update -
compute.instanceGroups.use
compute.instanceSettings.get
compute.instanceTemplates.*
-
compute.instanceTemplates. create -
compute.instanceTemplates. delete -
compute.instanceTemplates.get -
compute.instanceTemplates. getIamPolicy -
compute.instanceTemplates.list -
compute.instanceTemplates. setIamPolicy -
compute.instanceTemplates. useReadOnly
compute.instances.*
-
compute.instances. addAccessConfig -
compute.instances. addNetworkInterface -
compute.instances. addResourcePolicies -
compute.instances.attachDisk -
compute.instances.create -
compute.instances. createTagBinding -
compute.instances.delete -
compute.instances. deleteAccessConfig -
compute.instances. deleteNetworkInterface -
compute.instances. deleteTagBinding -
compute.instances.detachDisk -
compute.instances.get -
compute.instances. getEffectiveFirewalls -
compute.instances. getGuestAttributes -
compute.instances.getIamPolicy -
compute.instances. getScreenshot -
compute.instances. getSerialPortOutput -
compute.instances. getShieldedInstanceIdentity -
compute.instances. getShieldedVmIdentity -
compute.instances.list -
compute.instances. listEffectiveTags -
compute.instances. listReferrers -
compute.instances. listTagBindings -
compute.instances.osAdminLogin -
compute.instances.osLogin -
compute.instances. pscInterfaceCreate -
compute.instances. removeResourcePolicies -
compute.instances.reset -
compute.instances.resume -
compute.instances. sendDiagnosticInterrupt -
compute.instances. setDeletionProtection -
compute.instances. setDiskAutoDelete -
compute.instances.setIamPolicy -
compute.instances.setLabels -
compute.instances. setMachineResources -
compute.instances. setMachineType -
compute.instances.setMetadata -
compute.instances. setMinCpuPlatform -
compute.instances.setName -
compute.instances. setScheduling -
compute.instances. setSecurityPolicy -
compute.instances. setServiceAccount -
compute.instances. setShieldedInstanceIntegrityPolicy -
compute.instances. setShieldedVmIntegrityPolicy -
compute.instances.setTags -
compute.instances. simulateMaintenanceEvent -
compute.instances.start -
compute.instances. startWithEncryptionKey -
compute.instances.stop -
compute.instances.suspend -
compute.instances.update -
compute.instances. updateAccessConfig -
compute.instances. updateDisplayDevice -
compute.instances. updateNetworkInterface -
compute.instances. updateSecurity -
compute.instances. updateShieldedInstanceConfig -
compute.instances. updateShieldedVmConfig -
compute.instances.use -
compute.instances.useReadOnly
compute.instantSnapshots.*
-
compute.instantSnapshots. create -
compute.instantSnapshots. delete -
compute.instantSnapshots. export -
compute.instantSnapshots.get -
compute.instantSnapshots. getIamPolicy -
compute.instantSnapshots.list -
compute.instantSnapshots. setIamPolicy -
compute.instantSnapshots. setLabels -
compute.instantSnapshots. useReadOnly
compute.
-
compute.interconnectAttachmentGroups. create -
compute.interconnectAttachmentGroups. delete -
compute.interconnectAttachmentGroups. get -
compute.interconnectAttachmentGroups. list -
compute.interconnectAttachmentGroups. patch
compute.
-
compute.interconnectAttachments. create -
compute.interconnectAttachments. createTagBinding -
compute.interconnectAttachments. delete -
compute.interconnectAttachments. deleteTagBinding -
compute.interconnectAttachments. get -
compute.interconnectAttachments. list -
compute.interconnectAttachments. listEffectiveTags -
compute.interconnectAttachments. listTagBindings -
compute.interconnectAttachments. setLabels -
compute.interconnectAttachments. update -
compute.interconnectAttachments. use
compute.interconnectGroups.*
-
compute.interconnectGroups. create -
compute.interconnectGroups. delete -
compute.interconnectGroups.get -
compute.interconnectGroups. list -
compute.interconnectGroups. patch
compute.
-
compute.interconnectLocations. get -
compute.interconnectLocations. list
compute.
-
compute.interconnectRemoteLocations. get -
compute.interconnectRemoteLocations. list
compute.interconnects.*
-
compute.interconnects.create -
compute.interconnects. createTagBinding -
compute.interconnects.delete -
compute.interconnects. deleteTagBinding -
compute.interconnects.get -
compute.interconnects. getMacsecConfig -
compute.interconnects.list -
compute.interconnects. listEffectiveTags -
compute.interconnects. listTagBindings -
compute.interconnects. setLabels -
compute.interconnects.update -
compute.interconnects.use
compute.licenseCodes.*
-
compute.licenseCodes.get -
compute.licenseCodes. getIamPolicy -
compute.licenseCodes.list -
compute.licenseCodes. setIamPolicy -
compute.licenseCodes.update
compute.licenses.*
-
compute.licenses.create -
compute.licenses.delete -
compute.licenses.get -
compute.licenses.getIamPolicy -
compute.licenses.list -
compute.licenses.setIamPolicy -
compute.licenses.update
compute.machineImages.*
-
compute.machineImages.create -
compute.machineImages.delete -
compute.machineImages.get -
compute.machineImages. getIamPolicy -
compute.machineImages.list -
compute.machineImages. setIamPolicy -
compute.machineImages. setLabels -
compute.machineImages. useReadOnly
compute.machineTypes.*
-
compute.machineTypes.get -
compute.machineTypes.list
compute.multiMig.*
-
compute.multiMig.create -
compute.multiMig.delete -
compute.multiMig.get -
compute.multiMig.list
compute.networkAttachments.*
-
compute.networkAttachments. create -
compute.networkAttachments. createTagBinding -
compute.networkAttachments. delete -
compute.networkAttachments. deleteTagBinding -
compute.networkAttachments.get -
compute.networkAttachments. getIamPolicy -
compute.networkAttachments. list -
compute.networkAttachments. listEffectiveTags -
compute.networkAttachments. listTagBindings -
compute.networkAttachments. setIamPolicy -
compute.networkAttachments. update -
compute.networkAttachments.use
compute.
-
compute.networkEndpointGroups. attachNetworkEndpoints -
compute.networkEndpointGroups. create -
compute.networkEndpointGroups. createTagBinding -
compute.networkEndpointGroups. delete -
compute.networkEndpointGroups. deleteTagBinding -
compute.networkEndpointGroups. detachNetworkEndpoints -
compute.networkEndpointGroups. get -
compute.networkEndpointGroups. list -
compute.networkEndpointGroups. listEffectiveTags -
compute.networkEndpointGroups. listTagBindings -
compute.networkEndpointGroups. use
compute.networkProfiles.*
-
compute.networkProfiles.get -
compute.networkProfiles.list
compute.networks.*
-
compute.networks.access -
compute.networks.addPeering -
compute.networks.create -
compute.networks. createTagBinding -
compute.networks.delete -
compute.networks. deleteTagBinding -
compute.networks.get -
compute.networks. getEffectiveFirewalls -
compute.networks. getRegionEffectiveFirewalls -
compute.networks.list -
compute.networks. listEffectiveTags -
compute.networks. listPeeringRoutes -
compute.networks. listTagBindings -
compute.networks.mirror -
compute.networks.removePeering -
compute.networks. setFirewallPolicy -
compute.networks. switchToCustomMode -
compute.networks.update -
compute.networks.updatePeering -
compute.networks.updatePolicy -
compute.networks.use -
compute.networks.useExternalIp
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
-
compute.regionBackendServices. create -
compute.regionBackendServices. createTagBinding -
compute.regionBackendServices. delete -
compute.regionBackendServices. deleteTagBinding -
compute.regionBackendServices. get -
compute.regionBackendServices. getIamPolicy -
compute.regionBackendServices. list -
compute.regionBackendServices. listEffectiveTags -
compute.regionBackendServices. listTagBindings -
compute.regionBackendServices. setIamPolicy -
compute.regionBackendServices. setSecurityPolicy -
compute.regionBackendServices. update -
compute.regionBackendServices. use
compute.
compute.
compute.
compute.
compute.
compute.
-
compute.regionHealthCheckServices. create -
compute.regionHealthCheckServices. delete -
compute.regionHealthCheckServices. get -
compute.regionHealthCheckServices. list -
compute.regionHealthCheckServices. update -
compute.regionHealthCheckServices. use
compute.regionHealthChecks.*
-
compute.regionHealthChecks. create -
compute.regionHealthChecks. createTagBinding -
compute.regionHealthChecks. delete -
compute.regionHealthChecks. deleteTagBinding -
compute.regionHealthChecks.get -
compute.regionHealthChecks. list -
compute.regionHealthChecks. listEffectiveTags -
compute.regionHealthChecks. listTagBindings -
compute.regionHealthChecks. update -
compute.regionHealthChecks.use -
compute.regionHealthChecks. useReadOnly
compute.
-
compute.regionNetworkEndpointGroups. attachNetworkEndpoints -
compute.regionNetworkEndpointGroups. create -
compute.regionNetworkEndpointGroups. createTagBinding -
compute.regionNetworkEndpointGroups. delete -
compute.regionNetworkEndpointGroups. deleteTagBinding -
compute.regionNetworkEndpointGroups. detachNetworkEndpoints -
compute.regionNetworkEndpointGroups. get -
compute.regionNetworkEndpointGroups. list -
compute.regionNetworkEndpointGroups. listEffectiveTags -
compute.regionNetworkEndpointGroups. listTagBindings -
compute.regionNetworkEndpointGroups. use
compute.
-
compute.regionNotificationEndpoints. create -
compute.regionNotificationEndpoints. delete -
compute.regionNotificationEndpoints. get -
compute.regionNotificationEndpoints. list -
compute.regionNotificationEndpoints. update -
compute.regionNotificationEndpoints. use
compute.regionOperations.get
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.*
-
compute.regionSslPolicies. create -
compute.regionSslPolicies. createTagBinding -
compute.regionSslPolicies. delete -
compute.regionSslPolicies. deleteTagBinding -
compute.regionSslPolicies.get -
compute.regionSslPolicies.list -
compute.regionSslPolicies. listAvailableFeatures -
compute.regionSslPolicies. listEffectiveTags -
compute.regionSslPolicies. listTagBindings -
compute.regionSslPolicies. update -
compute.regionSslPolicies.use
compute.
-
compute.regionTargetHttpProxies. create -
compute.regionTargetHttpProxies. createTagBinding -
compute.regionTargetHttpProxies. delete -
compute.regionTargetHttpProxies. deleteTagBinding -
compute.regionTargetHttpProxies. get -
compute.regionTargetHttpProxies. list -
compute.regionTargetHttpProxies. listEffectiveTags -
compute.regionTargetHttpProxies. listTagBindings -
compute.regionTargetHttpProxies. setUrlMap -
compute.regionTargetHttpProxies. use
compute.
-
compute.regionTargetHttpsProxies. create -
compute.regionTargetHttpsProxies. createTagBinding -
compute.regionTargetHttpsProxies. delete -
compute.regionTargetHttpsProxies. deleteTagBinding -
compute.regionTargetHttpsProxies. get -
compute.regionTargetHttpsProxies. list -
compute.regionTargetHttpsProxies. listEffectiveTags -
compute.regionTargetHttpsProxies. listTagBindings -
compute.regionTargetHttpsProxies. setSslCertificates -
compute.regionTargetHttpsProxies. setUrlMap -
compute.regionTargetHttpsProxies. update -
compute.regionTargetHttpsProxies. use
compute.
-
compute.regionTargetTcpProxies. create -
compute.regionTargetTcpProxies. createTagBinding -
compute.regionTargetTcpProxies. delete -
compute.regionTargetTcpProxies. deleteTagBinding -
compute.regionTargetTcpProxies. get -
compute.regionTargetTcpProxies. list -
compute.regionTargetTcpProxies. listEffectiveTags -
compute.regionTargetTcpProxies. listTagBindings -
compute.regionTargetTcpProxies. use
compute.regionUrlMaps.*
-
compute.regionUrlMaps.create -
compute.regionUrlMaps. createTagBinding -
compute.regionUrlMaps.delete -
compute.regionUrlMaps. deleteTagBinding -
compute.regionUrlMaps.get -
compute.regionUrlMaps. invalidateCache -
compute.regionUrlMaps.list -
compute.regionUrlMaps. listEffectiveTags -
compute.regionUrlMaps. listTagBindings -
compute.regionUrlMaps.update -
compute.regionUrlMaps.use -
compute.regionUrlMaps.validate
compute.regions.*
-
compute.regions.get -
compute.regions.list
compute.reservationBlocks.get
compute.reservationBlocks.list
compute.reservationSubBlocks.*
-
compute.reservationSubBlocks. get -
compute.reservationSubBlocks. list -
compute.reservationSubBlocks. performMaintenance
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
-
compute.resourcePolicies. create -
compute.resourcePolicies. delete -
compute.resourcePolicies.get -
compute.resourcePolicies. getIamPolicy -
compute.resourcePolicies.list -
compute.resourcePolicies. setIamPolicy -
compute.resourcePolicies. update -
compute.resourcePolicies.use -
compute.resourcePolicies. useReadOnly
compute.routers.*
-
compute.routers.create -
compute.routers. createTagBinding -
compute.routers.delete -
compute.routers. deleteRoutePolicy -
compute.routers. deleteTagBinding -
compute.routers.get -
compute.routers.getRoutePolicy -
compute.routers.list -
compute.routers.listBgpRoutes -
compute.routers. listEffectiveTags -
compute.routers. listRoutePolicies -
compute.routers. listTagBindings -
compute.routers.update -
compute.routers. updateRoutePolicy -
compute.routers.use
compute.routes.*
-
compute.routes.create -
compute.routes. createTagBinding -
compute.routes.delete -
compute.routes. deleteTagBinding -
compute.routes.get -
compute.routes.list -
compute.routes. listEffectiveTags -
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.securityPolicies.use
compute.serviceAttachments.*
-
compute.serviceAttachments. create -
compute.serviceAttachments. createTagBinding -
compute.serviceAttachments. delete -
compute.serviceAttachments. deleteTagBinding -
compute.serviceAttachments.get -
compute.serviceAttachments. getIamPolicy -
compute.serviceAttachments. list -
compute.serviceAttachments. listEffectiveTags -
compute.serviceAttachments. listTagBindings -
compute.serviceAttachments. setIamPolicy -
compute.serviceAttachments. update -
compute.serviceAttachments.use
compute.snapshots.*
-
compute.snapshots.create -
compute.snapshots. createTagBinding -
compute.snapshots.delete -
compute.snapshots. deleteTagBinding -
compute.snapshots.get -
compute.snapshots.getIamPolicy -
compute.snapshots.list -
compute.snapshots. listEffectiveTags -
compute.snapshots. listTagBindings -
compute.snapshots.setIamPolicy -
compute.snapshots.setLabels -
compute.snapshots.useReadOnly
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.*
-
compute.sslPolicies.create -
compute.sslPolicies. createTagBinding -
compute.sslPolicies.delete -
compute.sslPolicies. deleteTagBinding -
compute.sslPolicies.get -
compute.sslPolicies.list -
compute.sslPolicies. listAvailableFeatures -
compute.sslPolicies. listEffectiveTags -
compute.sslPolicies. listTagBindings -
compute.sslPolicies.update -
compute.sslPolicies.use
compute.storagePools.*
-
compute.storagePools.create -
compute.storagePools.delete -
compute.storagePools.get -
compute.storagePools. getIamPolicy -
compute.storagePools.list -
compute.storagePools. setIamPolicy -
compute.storagePools.update -
compute.storagePools.use
compute.subnetworks.*
-
compute.subnetworks.create -
compute.subnetworks. createTagBinding -
compute.subnetworks.delete -
compute.subnetworks. deleteTagBinding -
compute.subnetworks. expandIpCidrRange -
compute.subnetworks.get -
compute.subnetworks. getIamPolicy -
compute.subnetworks.list -
compute.subnetworks. listEffectiveTags -
compute.subnetworks. listTagBindings -
compute.subnetworks.mirror -
compute.subnetworks. setIamPolicy -
compute.subnetworks. setPrivateIpGoogleAccess -
compute.subnetworks.update -
compute.subnetworks.use -
compute.subnetworks. useExternalIp -
compute.subnetworks. usePeerMigration
compute.targetGrpcProxies.*
-
compute.targetGrpcProxies. create -
compute.targetGrpcProxies. createTagBinding -
compute.targetGrpcProxies. delete -
compute.targetGrpcProxies. deleteTagBinding -
compute.targetGrpcProxies.get -
compute.targetGrpcProxies.list -
compute.targetGrpcProxies. listEffectiveTags -
compute.targetGrpcProxies. listTagBindings -
compute.targetGrpcProxies. update -
compute.targetGrpcProxies.use
compute.targetHttpProxies.*
-
compute.targetHttpProxies. create -
compute.targetHttpProxies. createTagBinding -
compute.targetHttpProxies. delete -
compute.targetHttpProxies. deleteTagBinding -
compute.targetHttpProxies.get -
compute.targetHttpProxies.list -
compute.targetHttpProxies. listEffectiveTags -
compute.targetHttpProxies. listTagBindings -
compute.targetHttpProxies. setUrlMap -
compute.targetHttpProxies. update -
compute.targetHttpProxies.use
compute.targetHttpsProxies.*
-
compute.targetHttpsProxies. create -
compute.targetHttpsProxies. createTagBinding -
compute.targetHttpsProxies. delete -
compute.targetHttpsProxies. deleteTagBinding -
compute.targetHttpsProxies.get -
compute.targetHttpsProxies. list -
compute.targetHttpsProxies. listEffectiveTags -
compute.targetHttpsProxies. listTagBindings -
compute.targetHttpsProxies. setCertificateMap -
compute.targetHttpsProxies. setQuicOverride -
compute.targetHttpsProxies. setSslCertificates -
compute.targetHttpsProxies. setSslPolicy -
compute.targetHttpsProxies. setUrlMap -
compute.targetHttpsProxies. update -
compute.targetHttpsProxies.use
compute.targetInstances.*
-
compute.targetInstances.create -
compute.targetInstances. createTagBinding -
compute.targetInstances.delete -
compute.targetInstances. deleteTagBinding -
compute.targetInstances.get -
compute.targetInstances.list -
compute.targetInstances. listEffectiveTags -
compute.targetInstances. listTagBindings -
compute.targetInstances. setSecurityPolicy -
compute.targetInstances.use
compute.targetPools.*
-
compute.targetPools. addHealthCheck -
compute.targetPools. addInstance -
compute.targetPools.create -
compute.targetPools. createTagBinding -
compute.targetPools.delete -
compute.targetPools. deleteTagBinding -
compute.targetPools.get -
compute.targetPools.list -
compute.targetPools. listEffectiveTags -
compute.targetPools. listTagBindings -
compute.targetPools. removeHealthCheck -
compute.targetPools. removeInstance -
compute.targetPools. setSecurityPolicy -
compute.targetPools.update -
compute.targetPools.use
compute.targetSslProxies.*
-
compute.targetSslProxies. create -
compute.targetSslProxies. createTagBinding -
compute.targetSslProxies. delete -
compute.targetSslProxies. deleteTagBinding -
compute.targetSslProxies.get -
compute.targetSslProxies.list -
compute.targetSslProxies. listEffectiveTags -
compute.targetSslProxies. listTagBindings -
compute.targetSslProxies. setBackendService -
compute.targetSslProxies. setCertificateMap -
compute.targetSslProxies. setProxyHeader -
compute.targetSslProxies. setSslCertificates -
compute.targetSslProxies. setSslPolicy -
compute.targetSslProxies. update -
compute.targetSslProxies.use
compute.targetTcpProxies.*
-
compute.targetTcpProxies. create -
compute.targetTcpProxies. createTagBinding -
compute.targetTcpProxies. delete -
compute.targetTcpProxies. deleteTagBinding -
compute.targetTcpProxies.get -
compute.targetTcpProxies.list -
compute.targetTcpProxies. listEffectiveTags -
compute.targetTcpProxies. listTagBindings -
compute.targetTcpProxies. update -
compute.targetTcpProxies.use
compute.targetVpnGateways.*
-
compute.targetVpnGateways. create -
compute.targetVpnGateways. createTagBinding -
compute.targetVpnGateways. delete -
compute.targetVpnGateways. deleteTagBinding -
compute.targetVpnGateways.get -
compute.targetVpnGateways.list -
compute.targetVpnGateways. listEffectiveTags -
compute.targetVpnGateways. listTagBindings -
compute.targetVpnGateways. setLabels -
compute.targetVpnGateways.use
compute.urlMaps.*
-
compute.urlMaps.create -
compute.urlMaps. createTagBinding -
compute.urlMaps.delete -
compute.urlMaps. deleteTagBinding -
compute.urlMaps.get -
compute.urlMaps. invalidateCache -
compute.urlMaps.list -
compute.urlMaps. listEffectiveTags -
compute.urlMaps. listTagBindings -
compute.urlMaps.update -
compute.urlMaps.use -
compute.urlMaps.validate
compute.vpnGateways.*
-
compute.vpnGateways.create -
compute.vpnGateways. createTagBinding -
compute.vpnGateways.delete -
compute.vpnGateways. deleteTagBinding -
compute.vpnGateways.get -
compute.vpnGateways.list -
compute.vpnGateways. listEffectiveTags -
compute.vpnGateways. listTagBindings -
compute.vpnGateways.setLabels -
compute.vpnGateways.use
compute.vpnTunnels.*
-
compute.vpnTunnels.create -
compute.vpnTunnels. createTagBinding -
compute.vpnTunnels.delete -
compute.vpnTunnels. deleteTagBinding -
compute.vpnTunnels.get -
compute.vpnTunnels.list -
compute.vpnTunnels. listEffectiveTags -
compute.vpnTunnels. listTagBindings -
compute.vpnTunnels.setLabels
compute.wireGroups.*
-
compute.wireGroups.create -
compute.wireGroups.delete -
compute.wireGroups.get -
compute.wireGroups.list -
compute.wireGroups.update
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
-
compute.zones.get -
compute.zones.list
dataflow.jobs.*
-
dataflow.jobs.cancel -
dataflow.jobs.create -
dataflow.jobs.get -
dataflow.jobs.list -
dataflow.jobs.snapshot -
dataflow.jobs.updateContents
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
-
dataflow.snapshots.delete -
dataflow.snapshots.get -
dataflow.snapshots.list
dataform.*
-
dataform.commentThreads.create -
dataform.commentThreads.delete -
dataform.commentThreads.get -
dataform.commentThreads.list -
dataform.commentThreads.update -
dataform.comments.create -
dataform.comments.delete -
dataform.comments.get -
dataform.comments.list -
dataform.comments.update -
dataform.compilationResults. create -
dataform.compilationResults. get -
dataform.compilationResults. list -
dataform.compilationResults. query -
dataform.config.get -
dataform.config.update -
dataform.locations.get -
dataform.locations.list -
dataform.releaseConfigs.create -
dataform.releaseConfigs.delete -
dataform.releaseConfigs.get -
dataform.releaseConfigs.list -
dataform.releaseConfigs.update -
dataform.repositories.commit -
dataform.repositories. computeAccessTokenStatus -
dataform.repositories.create -
dataform.repositories.delete -
dataform.repositories. fetchHistory -
dataform.repositories. fetchRemoteBranches -
dataform.repositories.get -
dataform.repositories. getIamPolicy -
dataform.repositories.list -
dataform.repositories. queryDirectoryContents -
dataform.repositories.readFile -
dataform.repositories. setIamPolicy -
dataform.repositories.update -
dataform.workflowConfigs. create -
dataform.workflowConfigs. delete -
dataform.workflowConfigs.get -
dataform.workflowConfigs.list -
dataform.workflowConfigs. update -
dataform.workflowInvocations. cancel -
dataform.workflowInvocations. create -
dataform.workflowInvocations. delete -
dataform.workflowInvocations. get -
dataform.workflowInvocations. list -
dataform.workflowInvocations. query -
dataform.workspaces.commit -
dataform.workspaces.create -
dataform.workspaces.delete -
dataform.workspaces. fetchFileDiff -
dataform.workspaces. fetchFileGitStatuses -
dataform.workspaces. fetchGitAheadBehind -
dataform.workspaces.get -
dataform.workspaces. getIamPolicy -
dataform.workspaces. installNpmPackages -
dataform.workspaces.list -
dataform.workspaces. makeDirectory -
dataform.workspaces. moveDirectory -
dataform.workspaces.moveFile -
dataform.workspaces.pull -
dataform.workspaces.push -
dataform.workspaces. queryDirectoryContents -
dataform.workspaces.readFile -
dataform.workspaces. removeDirectory -
dataform.workspaces.removeFile -
dataform.workspaces.reset -
dataform.workspaces. searchFiles -
dataform.workspaces. setIamPolicy -
dataform.workspaces.writeFile
dataplex.datascans.*
-
dataplex.datascans.create -
dataplex.datascans.delete -
dataplex.datascans.get -
dataplex.datascans.getData -
dataplex.datascans. getIamPolicy -
dataplex.datascans.list -
dataplex.datascans.run -
dataplex.datascans. setIamPolicy -
dataplex.datascans.update
dataplex.operations.get
dataplex.operations.list
dataplex.projects.search
dns.
firebase.projects.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.
iam.
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
logging.buckets.create
logging.
logging.buckets.delete
logging.
logging.buckets.get
logging.buckets.list
logging.
logging.
logging.buckets.undelete
logging.buckets.update
logging.exclusions.*
-
logging.exclusions.create -
logging.exclusions.delete -
logging.exclusions.get -
logging.exclusions.list -
logging.exclusions.update
logging.links.*
-
logging.links.create -
logging.links.delete -
logging.links.get -
logging.links.list
logging.locations.*
-
logging.locations.get -
logging.locations.list
logging.logEntries.create
logging.logEntries.route
logging.logMetrics.*
-
logging.logMetrics.create -
logging.logMetrics.delete -
logging.logMetrics.get -
logging.logMetrics.list -
logging.logMetrics.update
logging.logScopes.*
-
logging.logScopes.create -
logging.logScopes.delete -
logging.logScopes.get -
logging.logScopes.list -
logging.logScopes.update
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.notificationRules.*
-
logging.notificationRules. create -
logging.notificationRules. delete -
logging.notificationRules.get -
logging.notificationRules.list -
logging.notificationRules. update
logging.operations.*
-
logging.operations.cancel -
logging.operations.get -
logging.operations.list
logging.settings.*
-
logging.settings.get -
logging.settings.update
logging.sinks.*
-
logging.sinks.create -
logging.sinks.delete -
logging.sinks.get -
logging.sinks.list -
logging.sinks.update
logging.sqlAlerts.*
-
logging.sqlAlerts.create -
logging.sqlAlerts.update
logging.views.create
logging.views.delete
logging.views.get
logging.views.getIamPolicy
logging.views.list
logging.views.update
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.
monitoring.
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.
monitoring.
monitoring.groups.get
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
-
monitoring.monitoredResourceDescriptors. get -
monitoring.monitoredResourceDescriptors. list
monitoring.
-
monitoring.notificationChannelDescriptors. get -
monitoring.notificationChannelDescriptors. list
monitoring.
monitoring.
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
-
monitoring.timeSeries.create -
monitoring.timeSeries.list
monitoring.
monitoring.
networkconnectivity.
-
networkconnectivity.internalRanges. create -
networkconnectivity.internalRanges. delete -
networkconnectivity.internalRanges. get -
networkconnectivity.internalRanges. getIamPolicy -
networkconnectivity.internalRanges. list -
networkconnectivity.internalRanges. setIamPolicy -
networkconnectivity.internalRanges. update
networkconnectivity.
-
networkconnectivity.locations. get -
networkconnectivity.locations. list
networkconnectivity.
-
networkconnectivity.operations. cancel -
networkconnectivity.operations. delete -
networkconnectivity.operations. get -
networkconnectivity.operations. list
networkconnectivity.
-
networkconnectivity.policyBasedRoutes. create -
networkconnectivity.policyBasedRoutes. delete -
networkconnectivity.policyBasedRoutes. get -
networkconnectivity.policyBasedRoutes. getIamPolicy -
networkconnectivity.policyBasedRoutes. list -
networkconnectivity.policyBasedRoutes. setIamPolicy
networkconnectivity.
-
networkconnectivity.regionalEndpoints. create -
networkconnectivity.regionalEndpoints. delete -
networkconnectivity.regionalEndpoints. get -
networkconnectivity.regionalEndpoints. list
networkconnectivity.
-
networkconnectivity.serviceClasses. create -
networkconnectivity.serviceClasses. delete -
networkconnectivity.serviceClasses. get -
networkconnectivity.serviceClasses. list -
networkconnectivity.serviceClasses. update -
networkconnectivity.serviceClasses. use
networkconnectivity.
-
networkconnectivity.serviceConnectionMaps. create -
networkconnectivity.serviceConnectionMaps. delete -
networkconnectivity.serviceConnectionMaps. get -
networkconnectivity.serviceConnectionMaps. list -
networkconnectivity.serviceConnectionMaps. update
networkconnectivity.
-
networkconnectivity.serviceConnectionPolicies. create -
networkconnectivity.serviceConnectionPolicies. delete -
networkconnectivity.serviceConnectionPolicies. get -
networkconnectivity.serviceConnectionPolicies. list -
networkconnectivity.serviceConnectionPolicies. update
networkmanagement.
networkmanagement.
networksecurity.
-
networksecurity.addressGroups. create -
networksecurity.addressGroups. delete -
networksecurity.addressGroups. get -
networksecurity.addressGroups. getIamPolicy -
networksecurity.addressGroups. list -
networksecurity.addressGroups. setIamPolicy -
networksecurity.addressGroups. update -
networksecurity.addressGroups. use
networksecurity.
-
networksecurity.authorizationPolicies. create -
networksecurity.authorizationPolicies. delete -
networksecurity.authorizationPolicies. get -
networksecurity.authorizationPolicies. getIamPolicy -
networksecurity.authorizationPolicies. list -
networksecurity.authorizationPolicies. setIamPolicy -
networksecurity.authorizationPolicies. update -
networksecurity.authorizationPolicies. use
networksecurity.
-
networksecurity.authzPolicies. create -
networksecurity.authzPolicies. delete -
networksecurity.authzPolicies. get -
networksecurity.authzPolicies. getIamPolicy -
networksecurity.authzPolicies. list -
networksecurity.authzPolicies. setIamPolicy -
networksecurity.authzPolicies. update
networksecurity.
-
networksecurity.backendAuthenticationConfigs. create -
networksecurity.backendAuthenticationConfigs. delete -
networksecurity.backendAuthenticationConfigs. get -
networksecurity.backendAuthenticationConfigs. list -
networksecurity.backendAuthenticationConfigs. update -
networksecurity.backendAuthenticationConfigs. use
networksecurity.
-
networksecurity.clientTlsPolicies. create -
networksecurity.clientTlsPolicies. delete -
networksecurity.clientTlsPolicies. get -
networksecurity.clientTlsPolicies. getIamPolicy -
networksecurity.clientTlsPolicies. list -
networksecurity.clientTlsPolicies. setIamPolicy -
networksecurity.clientTlsPolicies. update -
networksecurity.clientTlsPolicies. use
networksecurity.
-
networksecurity.firewallEndpointAssociations. create -
networksecurity.firewallEndpointAssociations. delete -
networksecurity.firewallEndpointAssociations. get -
networksecurity.firewallEndpointAssociations. list -
networksecurity.firewallEndpointAssociations. update
networksecurity.
-
networksecurity.firewallEndpoints. create -
networksecurity.firewallEndpoints. delete -
networksecurity.firewallEndpoints. get -
networksecurity.firewallEndpoints. list -
networksecurity.firewallEndpoints. update -
networksecurity.firewallEndpoints. use
networksecurity.
-
networksecurity.gatewaySecurityPolicies. create -
networksecurity.gatewaySecurityPolicies. delete -
networksecurity.gatewaySecurityPolicies. get -
networksecurity.gatewaySecurityPolicies. list -
networksecurity.gatewaySecurityPolicies. update -
networksecurity.gatewaySecurityPolicies. use
networksecurity.
-
networksecurity.gatewaySecurityPolicyRules. create -
networksecurity.gatewaySecurityPolicyRules. delete -
networksecurity.gatewaySecurityPolicyRules. get -
networksecurity.gatewaySecurityPolicyRules. list -
networksecurity.gatewaySecurityPolicyRules. update -
networksecurity.gatewaySecurityPolicyRules. use
networksecurity.locations.*
-
networksecurity.locations.get -
networksecurity.locations.list
networksecurity.operations.*
-
networksecurity.operations. cancel -
networksecurity.operations. delete -
networksecurity.operations.get -
networksecurity.operations. list
networksecurity.
-
networksecurity.sacAttachments. create -
networksecurity.sacAttachments. delete -
networksecurity.sacAttachments. get -
networksecurity.sacAttachments. list
networksecurity.sacRealms.*
-
networksecurity.sacRealms. create -
networksecurity.sacRealms. delete -
networksecurity.sacRealms.get -
networksecurity.sacRealms.list
networksecurity.
-
networksecurity.securityProfileGroups. create -
networksecurity.securityProfileGroups. delete -
networksecurity.securityProfileGroups. get -
networksecurity.securityProfileGroups. list -
networksecurity.securityProfileGroups. update -
networksecurity.securityProfileGroups. use
networksecurity.
-
networksecurity.securityProfiles. create -
networksecurity.securityProfiles. delete -
networksecurity.securityProfiles. get -
networksecurity.securityProfiles. list -
networksecurity.securityProfiles. update -
networksecurity.securityProfiles. use
networksecurity.
-
networksecurity.serverTlsPolicies. create -
networksecurity.serverTlsPolicies. delete -
networksecurity.serverTlsPolicies. get -
networksecurity.serverTlsPolicies. getIamPolicy -
networksecurity.serverTlsPolicies. list -
networksecurity.serverTlsPolicies. setIamPolicy -
networksecurity.serverTlsPolicies. update -
networksecurity.serverTlsPolicies. use
networksecurity.
-
networksecurity.tlsInspectionPolicies. create -
networksecurity.tlsInspectionPolicies. delete -
networksecurity.tlsInspectionPolicies. get -
networksecurity.tlsInspectionPolicies. list -
networksecurity.tlsInspectionPolicies. update -
networksecurity.tlsInspectionPolicies. use
networksecurity.urlLists.*
-
networksecurity.urlLists. create -
networksecurity.urlLists. delete -
networksecurity.urlLists.get -
networksecurity.urlLists.list -
networksecurity.urlLists. update -
networksecurity.urlLists.use
networkservices.*
-
networkservices.authzExtensions. create -
networkservices.authzExtensions. delete -
networkservices.authzExtensions. get -
networkservices.authzExtensions. list -
networkservices.authzExtensions. update -
networkservices.authzExtensions. use -
networkservices.endpointPolicies. create -
networkservices.endpointPolicies. delete -
networkservices.endpointPolicies. get -
networkservices.endpointPolicies. list -
networkservices.endpointPolicies. update -
networkservices.gateways. create -
networkservices.gateways. delete -
networkservices.gateways.get -
networkservices.gateways.list -
networkservices.gateways. update -
networkservices.gateways.use -
networkservices.grpcRoutes. create -
networkservices.grpcRoutes. delete -
networkservices.grpcRoutes.get -
networkservices.grpcRoutes. list -
networkservices.grpcRoutes. update -
networkservices.httpFilters. create -
networkservices.httpFilters. delete -
networkservices.httpFilters. get -
networkservices.httpFilters. list -
networkservices.httpFilters. update -
networkservices.httpRoutes. create -
networkservices.httpRoutes. delete -
networkservices.httpRoutes.get -
networkservices.httpRoutes. list -
networkservices.httpRoutes. update -
networkservices.httpfilters. create -
networkservices.httpfilters. delete -
networkservices.httpfilters. get -
networkservices.httpfilters. getIamPolicy -
networkservices.httpfilters. list -
networkservices.httpfilters. setIamPolicy -
networkservices.httpfilters. update -
networkservices.httpfilters. use -
networkservices.lbEdgeExtensions. create -
networkservices.lbEdgeExtensions. delete -
networkservices.lbEdgeExtensions. get -
networkservices.lbEdgeExtensions. list -
networkservices.lbEdgeExtensions. update -
networkservices.lbRouteExtensions. create -
networkservices.lbRouteExtensions. delete -
networkservices.lbRouteExtensions. get -
networkservices.lbRouteExtensions. list -
networkservices.lbRouteExtensions. update -
networkservices.lbTrafficExtensions. create -
networkservices.lbTrafficExtensions. delete -
networkservices.lbTrafficExtensions. get -
networkservices.lbTrafficExtensions. list -
networkservices.lbTrafficExtensions. update -
networkservices.locations.get -
networkservices.locations.list -
networkservices.meshes.create -
networkservices.meshes.delete -
networkservices.meshes.get -
networkservices.meshes.list -
networkservices.meshes.update -
networkservices.meshes.use -
networkservices.operations. cancel -
networkservices.operations. delete -
networkservices.operations.get -
networkservices.operations. list -
networkservices.route_views. get -
networkservices.route_views. list -
networkservices.serviceBindings. create -
networkservices.serviceBindings. delete -
networkservices.serviceBindings. get -
networkservices.serviceBindings. list -
networkservices.serviceBindings. update -
networkservices.serviceLbPolicies. create -
networkservices.serviceLbPolicies. delete -
networkservices.serviceLbPolicies. get -
networkservices.serviceLbPolicies. list -
networkservices.serviceLbPolicies. update -
networkservices.tcpRoutes. create -
networkservices.tcpRoutes. delete -
networkservices.tcpRoutes.get -
networkservices.tcpRoutes.list -
networkservices.tcpRoutes. update -
networkservices.tlsRoutes. create -
networkservices.tlsRoutes. delete -
networkservices.tlsRoutes.get -
networkservices.tlsRoutes.list -
networkservices.tlsRoutes. update -
networkservices.wasmPlugins. create -
networkservices.wasmPlugins. delete -
networkservices.wasmPlugins. get -
networkservices.wasmPlugins. list -
networkservices.wasmPlugins. update -
networkservices.wasmPlugins. use
observability.scopes.get
opsconfigmonitoring.
orgpolicy.policy.get
pubsub.*
-
pubsub.messageTransforms. validate -
pubsub.schemas.attach -
pubsub.schemas.commit -
pubsub.schemas.create -
pubsub.schemas.delete -
pubsub.schemas.get -
pubsub.schemas.getIamPolicy -
pubsub.schemas.list -
pubsub.schemas.listRevisions -
pubsub.schemas.rollback -
pubsub.schemas.setIamPolicy -
pubsub.schemas.validate -
pubsub.snapshots.create -
pubsub.snapshots.delete -
pubsub.snapshots.get -
pubsub.snapshots.getIamPolicy -
pubsub.snapshots.list -
pubsub.snapshots.seek -
pubsub.snapshots.setIamPolicy -
pubsub.snapshots.update -
pubsub.subscriptions.consume -
pubsub.subscriptions.create -
pubsub.subscriptions.delete -
pubsub.subscriptions.get -
pubsub.subscriptions. getIamPolicy -
pubsub.subscriptions.list -
pubsub.subscriptions. setIamPolicy -
pubsub.subscriptions.update -
pubsub.topics. attachSubscription -
pubsub.topics.create -
pubsub.topics.delete -
pubsub.topics. detachSubscription -
pubsub.topics.get -
pubsub.topics.getIamPolicy -
pubsub.topics.list -
pubsub.topics.publish -
pubsub.topics.setIamPolicy -
pubsub.topics.update -
pubsub.topics.updateTag
recommender.
-
recommender.dataflowDiagnosticsInsights. get -
recommender.dataflowDiagnosticsInsights. list -
recommender.dataflowDiagnosticsInsights. update
recommender.
-
recommender.iamPolicyInsights. get -
recommender.iamPolicyInsights. list -
recommender.iamPolicyInsights. update
recommender.
-
recommender.iamPolicyRecommendations. get -
recommender.iamPolicyRecommendations. list -
recommender.iamPolicyRecommendations. update
recommender.
-
recommender.storageBucketSoftDeleteInsights. get -
recommender.storageBucketSoftDeleteInsights. list -
recommender.storageBucketSoftDeleteInsights. update
recommender.
-
recommender.storageBucketSoftDeleteRecommendations. get -
recommender.storageBucketSoftDeleteRecommendations. list -
recommender.storageBucketSoftDeleteRecommendations. update
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.services.get
servicenetworking.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
stackdriver.projects.get
stackdriver.
storage.anywhereCaches.*
-
storage.anywhereCaches.create -
storage.anywhereCaches.disable -
storage.anywhereCaches.get -
storage.anywhereCaches.list -
storage.anywhereCaches.pause -
storage.anywhereCaches.resume -
storage.anywhereCaches.update
storage.bucketOperations.*
-
storage.bucketOperations. cancel -
storage.bucketOperations.get -
storage.bucketOperations.list
storage.buckets.*
-
storage.buckets.create -
storage.buckets. createTagBinding -
storage.buckets.delete -
storage.buckets. deleteTagBinding -
storage.buckets. enableObjectRetention -
storage.buckets.get -
storage.buckets.getIamPolicy -
storage.buckets.getIpFilter -
storage.buckets. getObjectInsights -
storage.buckets.list -
storage.buckets. listEffectiveTags -
storage.buckets. listTagBindings -
storage.buckets.relocate -
storage.buckets.restore -
storage.buckets.setIamPolicy -
storage.buckets.setIpFilter -
storage.buckets.update
storage.folders.*
-
storage.folders.create -
storage.folders.delete -
storage.folders.get -
storage.folders.list -
storage.folders.rename
storage.intelligenceConfigs.*
-
storage.intelligenceConfigs. get -
storage.intelligenceConfigs. update
storage.managedFolders.*
-
storage.managedFolders.create -
storage.managedFolders.delete -
storage.managedFolders.get -
storage.managedFolders. getIamPolicy -
storage.managedFolders.list -
storage.managedFolders. setIamPolicy
storage.multipartUploads.*
-
storage.multipartUploads.abort -
storage.multipartUploads. create -
storage.multipartUploads.list -
storage.multipartUploads. listParts
storage.objects.*
-
storage.objects.create -
storage.objects.delete -
storage.objects.get -
storage.objects.getIamPolicy -
storage.objects.list -
storage.objects.move -
storage.objects. overrideUnlockedRetention -
storage.objects.restore -
storage.objects.setIamPolicy -
storage.objects.setRetention -
storage.objects.update
trafficdirector.*
-
trafficdirector.networks. getConfigs -
trafficdirector.networks. reportMetrics
Dataflow Viewer
( roles/
)
Provides read-only access to all Dataflow-related resources.
Lowest-level resources where you can grant this role:
- Project
dataflow.jobs.get
dataflow.jobs.list
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.get
dataflow.snapshots.list
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Dataflow Worker
( roles/
)
Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline.
Lowest-level resources where you can grant this role:
- Project
autoscaling.
autoscaling.sites.writeMetrics
autoscaling.sites.writeState
compute.
compute.instances.delete
compute.
dataflow.jobs.get
dataflow.shuffle.*
-
dataflow.shuffle.read -
dataflow.shuffle.write
dataflow.streamingWorkItems.*
-
dataflow.streamingWorkItems. ImportState -
dataflow.streamingWorkItems. commitWork -
dataflow.streamingWorkItems. getData -
dataflow.streamingWorkItems. getWork -
dataflow.streamingWorkItems. getWorkerMetadata
dataflow.workItems.*
-
dataflow.workItems.lease -
dataflow.workItems.sendMessage -
dataflow.workItems.update
logging.logEntries.create
logging.logEntries.route
monitoring.timeSeries.create
storage.buckets.get
storage.objects.create
storage.objects.get
The Dataflow Worker role ( roles/dataflow.worker
)
provides the permissions necessary for a Compute Engine service account to run work units
for an Apache Beam pipeline. The Dataflow Worker role
must be assigned to a service account that is able to request
and update work from the Dataflow service.
The Dataflow Service Agent role ( roles/dataflow.serviceAgent
)
is used exclusively by the Dataflow service account
. It provides the service account access to managed
resources in your Google Cloud project to run Dataflow
jobs. It is assigned automatically to the service account when you enable the
Dataflow API for your project from the APIs page
in the Google Cloud console.
Creating jobs
To a create a job, the roles/dataflow.admin
role includes
the minimal set of permissions required to run and examine jobs.
Alternatively, the following permissions are required:
- The
roles/dataflow.developerrole, to instantiate the job itself. - The
roles/compute.viewerrole, to access machine type information and view other settings. - The
roles/storage.objectAdminrole, to provide permission to stage files on Cloud Storage.
Example role assignment
To illustrate the utility of the different Dataflow roles, consider the following breakdown:
- The developer who creates and examines jobs needs the
roles/iam.serviceAccountUserrole. - For more sophisticated permissions management, the developer interacting with the Dataflow job needs the
roles/dataflow.developerrole.- They need the
roles/storage.objectAdminor a related role to stage the required files. - For debugging and quota checking, they need the project
roles/compute.viewerrole. - Absent other role assignments, this role lets the developer create and cancel Dataflow jobs, but not interact with the individual VMs or access other Cloud services.
- They need the
- The worker service account
needs the
roles/dataflow.workerand theroles/dataflow.adminroles to process data for the Dataflow service.- To access job data, the worker service account needs other roles such as
roles/storage.objectAdmin. - To write to BigQuery tables, the worker service account needs the
roles/bigquery.dataEditorrole. - To read from a Pub/Sub topic or subscription, the worker service account needs the
roles/pubsub.editorrole.
- To access job data, the worker service account needs other roles such as
- If you're using a Shared VPC, the Shared VPC
subnetwork needs to be shared with the Dataflow
service account
and needs to have the Compute Network User role
assigned on the specified subnet.
- To see if the Shared VPC subnetwork is shared with the Dataflow service account, in the Google Cloud console, go to the Shared VPCpage and search for the subnet. In the Shared withcolumn, you can see whether the VPC subnetwork is shared with the Dataflow service account. For more information, see Guidelines for specifying a subnetwork parameter for Shared VPC .
- The host project's Compute Engine service account
,
the service project's Dataflow worker service account
,
and the service account used to submit the job need to have the following roles:
-
roles/dataflow.admin -
roles/compute.networkUser -
roles/storage.objectViewer
-
Assigning Dataflow roles
Dataflow roles can currently be set on organizations and projects only.
To manage roles at the organizational level, see Access control for organizations using IAM .
To set project-level roles, see Granting, changing, and revoking access to resources .
