Access control with IAM

To limit access for users within a project or organization, you can use Identity and Access Management (IAM) roles for Dataflow. You can control access to Dataflow-related resources, as opposed to granting users the Viewer, Editor, or Owner role to the entire Google Cloud Platform project.

This page focuses on how to use Dataflow's IAM roles. For a detailed description of IAM and its features, see the IAM documentation .

Every Dataflow method requires the caller to have the necessary permissions. For a list of the permissions and roles Dataflow supports, see the following section.

Permissions and roles

This section summarizes the permissions and roles Dataflow IAM supports.

Required permissions

The following table lists the permissions that the caller must have to call each method:

Method	Required Permissions
`dataflow.jobs.create`	`dataflow.jobs.create`
`dataflow.jobs.cancel`	`dataflow.jobs.cancel`
`dataflow.jobs.updateContents`	`dataflow.jobs.updateContents`
`dataflow.jobs.list`	`dataflow.jobs.list`
`dataflow.jobs.get`	`dataflow.jobs.get`
`dataflow.messages.list`	`dataflow.messages.list`
`dataflow.metrics.get`	`dataflow.metrics.get`
`dataflow.jobs.snapshot`	`dataflow.jobs.snapshot`

Roles

The following table lists the Dataflow IAM roles with a corresponding list of Dataflow-related permissions each role includes. Every permission is applicable to a particular resource type. For a list of permissions, see the Rolespage in the Google Cloud console .

Role

Permissions

Dataflow Admin

( roles/ dataflow.admin )

Minimal role for creating and managing dataflow jobs.

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.locations.*

cloudbuild.locations.get
cloudbuild.locations.list

cloudbuild.operations.*

cloudbuild.operations.get
cloudbuild.operations.list

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms. projects. showEffectiveAutokeyConfig

compute.machineTypes.get

compute.projects.get

compute.regions.list

compute.zones.list

dataflow.jobs.*

dataflow.jobs.cancel
dataflow.jobs.create
dataflow.jobs.get
dataflow.jobs.list
dataflow.jobs.snapshot
dataflow.jobs.updateContents

dataflow.messages.list

dataflow.metrics.get

dataflow.snapshots.*

dataflow.snapshots.delete
dataflow.snapshots.get
dataflow.snapshots.list

recommender. dataflowDiagnosticsInsights.*

recommender. dataflowDiagnosticsInsights. get
recommender. dataflowDiagnosticsInsights. list
recommender. dataflowDiagnosticsInsights. update

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.objects.create

storage.objects.get

storage.objects.list

Dataflow Developer

( roles/ dataflow.developer )

Provides the permissions necessary to execute and manipulate Dataflow jobs.

Lowest-level resources where you can grant this role:

Project

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.locations.*

cloudbuild.locations.get
cloudbuild.locations.list

cloudbuild.operations.*

cloudbuild.operations.get
cloudbuild.operations.list

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms. projects. showEffectiveAutokeyConfig

compute.projects.get

compute.regions.list

compute.zones.list

dataflow.jobs.*

dataflow.jobs.cancel
dataflow.jobs.create
dataflow.jobs.get
dataflow.jobs.list
dataflow.jobs.snapshot
dataflow.jobs.updateContents

dataflow.messages.list

dataflow.metrics.get

dataflow.snapshots.*

dataflow.snapshots.delete
dataflow.snapshots.get
dataflow.snapshots.list

recommender. dataflowDiagnosticsInsights.*

recommender. dataflowDiagnosticsInsights. get
recommender. dataflowDiagnosticsInsights. list
recommender. dataflowDiagnosticsInsights. update

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Dataflow Service Agent

( roles/ dataflow.serviceAgent )

Gives Cloud Dataflow service account access to managed resources. Includes access to service accounts.

backupdr. backupPlanAssociations. createForComputeDisk

backupdr. backupPlanAssociations. createForComputeInstance

backupdr. backupPlanAssociations. deleteForComputeDisk

backupdr. backupPlanAssociations. deleteForComputeInstance

backupdr. backupPlanAssociations. fetchForComputeDisk

backupdr. backupPlanAssociations. getForComputeDisk

backupdr. backupPlanAssociations. list

backupdr. backupPlanAssociations. triggerBackupForComputeDisk

backupdr. backupPlanAssociations. triggerBackupForComputeInstance

backupdr. backupPlanAssociations. updateForComputeDisk

backupdr. backupPlanAssociations. updateForComputeInstance

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr. backupPlans. useForComputeDisk

backupdr. backupPlans. useForComputeInstance

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.locations.list

backupdr.operations.get

backupdr.operations.list

backupdr. serviceConfig. initialize

bigquery.bireservations.*

bigquery.bireservations.get
bigquery.bireservations.update

bigquery.capacityCommitments.*

bigquery. capacityCommitments. create
bigquery. capacityCommitments. delete
bigquery. capacityCommitments. get
bigquery. capacityCommitments. list
bigquery. capacityCommitments. update

bigquery.config.*

bigquery.config.get
bigquery.config.update

bigquery.connections.*

bigquery.connections.create
bigquery.connections.delegate
bigquery.connections.delete
bigquery.connections.get
bigquery. connections. getIamPolicy
bigquery.connections.list
bigquery. connections. setIamPolicy
bigquery.connections.update
bigquery.connections.updateTag
bigquery.connections.use

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery. dataPolicies. getIamPolicy

bigquery.dataPolicies.list

bigquery. dataPolicies. setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.datasets.create
bigquery. datasets. createTagBinding
bigquery.datasets.delete
bigquery. datasets. deleteTagBinding
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.link
bigquery. datasets. listEffectiveTags
bigquery. datasets. listSharedDatasetUsage
bigquery. datasets. listTagBindings
bigquery.datasets.setIamPolicy
bigquery.datasets.update
bigquery.datasets.updateTag

bigquery.jobs.*

bigquery.jobs.create
bigquery.jobs.delete
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery. jobs. listExecutionMetadata
bigquery.jobs.update

bigquery.models.*

bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.models.updateTag

bigquery.objectRefs.*

bigquery.objectRefs.read
bigquery.objectRefs.write

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

bigquery. reservationAssignments.*

bigquery. reservationAssignments. create
bigquery. reservationAssignments. delete
bigquery. reservationAssignments. list
bigquery. reservationAssignments. search

bigquery.reservationGroups.*

bigquery. reservationGroups. create
bigquery. reservationGroups. delete
bigquery.reservationGroups.get
bigquery. reservationGroups. list

bigquery.reservations.*

bigquery.reservations.create
bigquery.reservations.delete
bigquery.reservations.get
bigquery.reservations.list
bigquery. reservations. listFailoverDatasets
bigquery.reservations.update
bigquery.reservations.use

bigquery.routines.*

bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.routines.updateTag

bigquery. rowAccessPolicies. create

bigquery. rowAccessPolicies. delete

bigquery.rowAccessPolicies.get

bigquery. rowAccessPolicies. getIamPolicy

bigquery. rowAccessPolicies. list

bigquery. rowAccessPolicies. overrideTimeTravelRestrictions

bigquery. rowAccessPolicies. setIamPolicy

bigquery. rowAccessPolicies. update

bigquery.savedqueries.*

bigquery.savedqueries.create
bigquery.savedqueries.delete
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.savedqueries.update

bigquery.tables.*

bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery. tables. createTagBinding
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.deleteSnapshot
bigquery. tables. deleteTagBinding
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery. tables. listEffectiveTags
bigquery. tables. listTagBindings
bigquery.tables.replicateData
bigquery. tables. restoreSnapshot
bigquery.tables.setCategory
bigquery. tables. setColumnDataPolicy
bigquery.tables.setIamPolicy
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateIndex
bigquery.tables.updateTag

bigquery.transfers.*

bigquery.transfers.get
bigquery.transfers.update

bigquerymigration. translation. translate

clouddebugger.breakpoints.list

clouddebugger. breakpoints. listActive

clouddebugger. breakpoints. update

clouddebugger.debuggees.create

cloudnotifications. activities. list

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.addresses.*

compute.addresses.create
compute. addresses. createInternal
compute. addresses. createTagBinding
compute.addresses.delete
compute. addresses. deleteInternal
compute. addresses. deleteTagBinding
compute.addresses.get
compute.addresses.list
compute. addresses. listEffectiveTags
compute. addresses. listTagBindings
compute.addresses.setLabels
compute.addresses.use
compute.addresses.useInternal

compute.autoscalers.*

compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.list
compute.autoscalers.update

compute.backendBuckets.*

compute. backendBuckets. addSignedUrlKey
compute.backendBuckets.create
compute. backendBuckets. createTagBinding
compute.backendBuckets.delete
compute. backendBuckets. deleteSignedUrlKey
compute. backendBuckets. deleteTagBinding
compute.backendBuckets.get
compute. backendBuckets. getIamPolicy
compute.backendBuckets.list
compute. backendBuckets. listEffectiveTags
compute. backendBuckets. listTagBindings
compute. backendBuckets. setIamPolicy
compute. backendBuckets. setSecurityPolicy
compute.backendBuckets.update
compute.backendBuckets.use

compute.backendServices.*

compute. backendServices. addSignedUrlKey
compute.backendServices.create
compute. backendServices. createTagBinding
compute.backendServices.delete
compute. backendServices. deleteSignedUrlKey
compute. backendServices. deleteTagBinding
compute.backendServices.get
compute. backendServices. getIamPolicy
compute.backendServices.list
compute. backendServices. listEffectiveTags
compute. backendServices. listTagBindings
compute. backendServices. setIamPolicy
compute. backendServices. setSecurityPolicy
compute.backendServices.update
compute.backendServices.use

compute.crossSiteNetworks.*

compute. crossSiteNetworks. create
compute. crossSiteNetworks. delete
compute.crossSiteNetworks.get
compute.crossSiteNetworks.list
compute. crossSiteNetworks. update

compute.diskSettings.*

compute.diskSettings.get
compute.diskSettings.update

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.*

compute. disks. addResourcePolicies
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.deleteTagBinding
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute. disks. listEffectiveTags
compute.disks.listTagBindings
compute. disks. removeResourcePolicies
compute.disks.resize
compute.disks.setIamPolicy
compute.disks.setLabels
compute. disks. startAsyncReplication
compute. disks. stopAsyncReplication
compute. disks. stopGroupAsyncReplication
compute.disks.update
compute.disks.updateKmsKey
compute.disks.use
compute.disks.useReadOnly

compute.externalVpnGateways.*

compute. externalVpnGateways. create
compute. externalVpnGateways. createTagBinding
compute. externalVpnGateways. delete
compute. externalVpnGateways. deleteTagBinding
compute. externalVpnGateways. get
compute. externalVpnGateways. list
compute. externalVpnGateways. listEffectiveTags
compute. externalVpnGateways. listTagBindings
compute. externalVpnGateways. setLabels
compute. externalVpnGateways. use

compute.firewallPolicies.get

compute.firewallPolicies.list

compute. firewallPolicies. listEffectiveTags

compute. firewallPolicies. listTagBindings

compute.firewallPolicies.use

compute.firewalls.get

compute.firewalls.list

compute. firewalls. listEffectiveTags

compute. firewalls. listTagBindings

compute.forwardingRules.*

compute.forwardingRules.create
compute. forwardingRules. createTagBinding
compute.forwardingRules.delete
compute. forwardingRules. deleteTagBinding
compute.forwardingRules.get
compute.forwardingRules.list
compute. forwardingRules. listEffectiveTags
compute. forwardingRules. listTagBindings
compute. forwardingRules. pscCreate
compute. forwardingRules. pscDelete
compute. forwardingRules. pscSetLabels
compute. forwardingRules. pscUpdate
compute. forwardingRules. setLabels
compute. forwardingRules. setTarget
compute.forwardingRules.update
compute.forwardingRules.use

compute.globalAddresses.*

compute.globalAddresses.create
compute. globalAddresses. createInternal
compute. globalAddresses. createTagBinding
compute.globalAddresses.delete
compute. globalAddresses. deleteInternal
compute. globalAddresses. deleteTagBinding
compute.globalAddresses.get
compute.globalAddresses.list
compute. globalAddresses. listEffectiveTags
compute. globalAddresses. listTagBindings
compute. globalAddresses. setLabels
compute.globalAddresses.use

compute. globalForwardingRules.*

compute. globalForwardingRules. create
compute. globalForwardingRules. createTagBinding
compute. globalForwardingRules. delete
compute. globalForwardingRules. deleteTagBinding
compute. globalForwardingRules. get
compute. globalForwardingRules. list
compute. globalForwardingRules. listEffectiveTags
compute. globalForwardingRules. listTagBindings
compute. globalForwardingRules. pscCreate
compute. globalForwardingRules. pscDelete
compute. globalForwardingRules. pscSetLabels
compute. globalForwardingRules. pscUpdate
compute. globalForwardingRules. setLabels
compute. globalForwardingRules. setTarget
compute. globalForwardingRules. update

compute. globalNetworkEndpointGroups.*

compute. globalNetworkEndpointGroups. attachNetworkEndpoints
compute. globalNetworkEndpointGroups. create
compute. globalNetworkEndpointGroups. createTagBinding
compute. globalNetworkEndpointGroups. delete
compute. globalNetworkEndpointGroups. deleteTagBinding
compute. globalNetworkEndpointGroups. detachNetworkEndpoints
compute. globalNetworkEndpointGroups. get
compute. globalNetworkEndpointGroups. list
compute. globalNetworkEndpointGroups. listEffectiveTags
compute. globalNetworkEndpointGroups. listTagBindings
compute. globalNetworkEndpointGroups. use

compute.globalOperations.get

compute.globalOperations.list

compute. globalPublicDelegatedPrefixes. delete

compute. globalPublicDelegatedPrefixes. get

compute. globalPublicDelegatedPrefixes. list

compute. globalPublicDelegatedPrefixes. updatePolicy

compute.healthChecks.*

compute.healthChecks.create
compute. healthChecks. createTagBinding
compute.healthChecks.delete
compute. healthChecks. deleteTagBinding
compute.healthChecks.get
compute.healthChecks.list
compute. healthChecks. listEffectiveTags
compute. healthChecks. listTagBindings
compute.healthChecks.update
compute.healthChecks.use
compute. healthChecks. useReadOnly

compute.httpHealthChecks.*

compute. httpHealthChecks. create
compute. httpHealthChecks. createTagBinding
compute. httpHealthChecks. delete
compute. httpHealthChecks. deleteTagBinding
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute. httpHealthChecks. listEffectiveTags
compute. httpHealthChecks. listTagBindings
compute. httpHealthChecks. update
compute.httpHealthChecks.use
compute. httpHealthChecks. useReadOnly

compute.httpsHealthChecks.*

compute. httpsHealthChecks. create
compute. httpsHealthChecks. createTagBinding
compute. httpsHealthChecks. delete
compute. httpsHealthChecks. deleteTagBinding
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute. httpsHealthChecks. listEffectiveTags
compute. httpsHealthChecks. listTagBindings
compute. httpsHealthChecks. update
compute.httpsHealthChecks.use
compute. httpsHealthChecks. useReadOnly

compute.images.*

compute.images.create
compute. images. createTagBinding
compute.images.delete
compute. images. deleteTagBinding
compute.images.deprecate
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute. images. listEffectiveTags
compute.images.listTagBindings
compute.images.setIamPolicy
compute.images.setLabels
compute.images.update
compute.images.useReadOnly

compute. instanceGroupManagers.*

compute. instanceGroupManagers. create
compute. instanceGroupManagers. createTagBinding
compute. instanceGroupManagers. delete
compute. instanceGroupManagers. deleteTagBinding
compute. instanceGroupManagers. get
compute. instanceGroupManagers. list
compute. instanceGroupManagers. listEffectiveTags
compute. instanceGroupManagers. listTagBindings
compute. instanceGroupManagers. update
compute. instanceGroupManagers. use

compute.instanceGroups.*

compute.instanceGroups.create
compute. instanceGroups. createTagBinding
compute.instanceGroups.delete
compute. instanceGroups. deleteTagBinding
compute.instanceGroups.get
compute.instanceGroups.list
compute. instanceGroups. listEffectiveTags
compute. instanceGroups. listTagBindings
compute.instanceGroups.update
compute.instanceGroups.use

compute.instanceSettings.get

compute.instanceTemplates.*

compute. instanceTemplates. create
compute. instanceTemplates. delete
compute.instanceTemplates.get
compute. instanceTemplates. getIamPolicy
compute.instanceTemplates.list
compute. instanceTemplates. setIamPolicy
compute. instanceTemplates. useReadOnly

compute.instances.*

compute. instances. addAccessConfig
compute. instances. addNetworkInterface
compute. instances. addResourcePolicies
compute.instances.attachDisk
compute.instances.create
compute. instances. createTagBinding
compute.instances.delete
compute. instances. deleteAccessConfig
compute. instances. deleteNetworkInterface
compute. instances. deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute. instances. getEffectiveFirewalls
compute. instances. getGuestAttributes
compute.instances.getIamPolicy
compute. instances. getScreenshot
compute. instances. getSerialPortOutput
compute. instances. getShieldedInstanceIdentity
compute. instances. getShieldedVmIdentity
compute.instances.list
compute. instances. listEffectiveTags
compute. instances. listReferrers
compute. instances. listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute. instances. pscInterfaceCreate
compute. instances. removeResourcePolicies
compute.instances.reset
compute.instances.resume
compute. instances. sendDiagnosticInterrupt
compute. instances. setDeletionProtection
compute. instances. setDiskAutoDelete
compute.instances.setIamPolicy
compute.instances.setLabels
compute. instances. setMachineResources
compute. instances. setMachineType
compute.instances.setMetadata
compute. instances. setMinCpuPlatform
compute.instances.setName
compute. instances. setScheduling
compute. instances. setSecurityPolicy
compute. instances. setServiceAccount
compute. instances. setShieldedInstanceIntegrityPolicy
compute. instances. setShieldedVmIntegrityPolicy
compute.instances.setTags
compute. instances. simulateMaintenanceEvent
compute.instances.start
compute. instances. startWithEncryptionKey
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute. instances. updateAccessConfig
compute. instances. updateDisplayDevice
compute. instances. updateNetworkInterface
compute. instances. updateSecurity
compute. instances. updateShieldedInstanceConfig
compute. instances. updateShieldedVmConfig
compute.instances.use
compute.instances.useReadOnly

compute.instantSnapshots.*

compute. instantSnapshots. create
compute. instantSnapshots. delete
compute. instantSnapshots. export
compute.instantSnapshots.get
compute. instantSnapshots. getIamPolicy
compute.instantSnapshots.list
compute. instantSnapshots. setIamPolicy
compute. instantSnapshots. setLabels
compute. instantSnapshots. useReadOnly

compute. interconnectAttachmentGroups.*

compute. interconnectAttachmentGroups. create
compute. interconnectAttachmentGroups. delete
compute. interconnectAttachmentGroups. get
compute. interconnectAttachmentGroups. list
compute. interconnectAttachmentGroups. patch

compute. interconnectAttachments.*

compute. interconnectAttachments. create
compute. interconnectAttachments. createTagBinding
compute. interconnectAttachments. delete
compute. interconnectAttachments. deleteTagBinding
compute. interconnectAttachments. get
compute. interconnectAttachments. list
compute. interconnectAttachments. listEffectiveTags
compute. interconnectAttachments. listTagBindings
compute. interconnectAttachments. setLabels
compute. interconnectAttachments. update
compute. interconnectAttachments. use

compute.interconnectGroups.*

compute. interconnectGroups. create
compute. interconnectGroups. delete
compute.interconnectGroups.get
compute. interconnectGroups. list
compute. interconnectGroups. patch

compute. interconnectLocations.*

compute. interconnectLocations. get
compute. interconnectLocations. list

compute. interconnectRemoteLocations.*

compute. interconnectRemoteLocations. get
compute. interconnectRemoteLocations. list

compute.interconnects.*

compute.interconnects.create
compute. interconnects. createTagBinding
compute.interconnects.delete
compute. interconnects. deleteTagBinding
compute.interconnects.get
compute. interconnects. getMacsecConfig
compute.interconnects.list
compute. interconnects. listEffectiveTags
compute. interconnects. listTagBindings
compute. interconnects. setLabels
compute.interconnects.update
compute.interconnects.use

compute.licenseCodes.*

compute.licenseCodes.get
compute. licenseCodes. getIamPolicy
compute.licenseCodes.list
compute. licenseCodes. setIamPolicy

compute.licenses.*

compute.licenses.create
compute.licenses.delete
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.licenses.setIamPolicy
compute.licenses.update

compute.machineImages.*

compute.machineImages.create
compute.machineImages.delete
compute.machineImages.get
compute. machineImages. getIamPolicy
compute.machineImages.list
compute. machineImages. setIamPolicy
compute. machineImages. setLabels
compute. machineImages. useReadOnly

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.multiMig.*

compute.multiMig.create
compute.multiMig.delete
compute.multiMig.get
compute.multiMig.list

compute.networkAttachments.*

compute. networkAttachments. create
compute. networkAttachments. createTagBinding
compute. networkAttachments. delete
compute. networkAttachments. deleteTagBinding
compute.networkAttachments.get
compute. networkAttachments. getIamPolicy
compute. networkAttachments. list
compute. networkAttachments. listEffectiveTags
compute. networkAttachments. listTagBindings
compute. networkAttachments. setIamPolicy
compute. networkAttachments. update
compute.networkAttachments.use

compute. networkEndpointGroups.*

compute. networkEndpointGroups. attachNetworkEndpoints
compute. networkEndpointGroups. create
compute. networkEndpointGroups. createTagBinding
compute. networkEndpointGroups. delete
compute. networkEndpointGroups. deleteTagBinding
compute. networkEndpointGroups. detachNetworkEndpoints
compute. networkEndpointGroups. get
compute. networkEndpointGroups. list
compute. networkEndpointGroups. listEffectiveTags
compute. networkEndpointGroups. listTagBindings
compute. networkEndpointGroups. use

compute.networkProfiles.*

compute.networkProfiles.get
compute.networkProfiles.list

compute.networks.*

compute.networks.access
compute.networks.addPeering
compute.networks.create
compute. networks. createTagBinding
compute.networks.delete
compute. networks. deleteTagBinding
compute.networks.get
compute. networks. getEffectiveFirewalls
compute. networks. getRegionEffectiveFirewalls
compute.networks.list
compute. networks. listEffectiveTags
compute. networks. listPeeringRoutes
compute. networks. listTagBindings
compute.networks.mirror
compute.networks.removePeering
compute. networks. setFirewallPolicy
compute. networks. switchToCustomMode
compute.networks.update
compute.networks.updatePeering
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp

compute.packetMirrorings.get

compute.packetMirrorings.list

compute. packetMirrorings. listEffectiveTags

compute. packetMirrorings. listTagBindings

compute.projects.get

compute. publicDelegatedPrefixes. delete

compute. publicDelegatedPrefixes. get

compute. publicDelegatedPrefixes. list

compute. publicDelegatedPrefixes. listEffectiveTags

compute. publicDelegatedPrefixes. listTagBindings

compute. publicDelegatedPrefixes. update

compute. publicDelegatedPrefixes. updatePolicy

compute.regionBackendBuckets.*

compute. regionBackendBuckets. create
compute. regionBackendBuckets. createTagBinding
compute. regionBackendBuckets. delete
compute. regionBackendBuckets. deleteTagBinding
compute. regionBackendBuckets. get
compute. regionBackendBuckets. getIamPolicy
compute. regionBackendBuckets. list
compute. regionBackendBuckets. listEffectiveTags
compute. regionBackendBuckets. listTagBindings
compute. regionBackendBuckets. setIamPolicy
compute. regionBackendBuckets. update
compute. regionBackendBuckets. use

compute. regionBackendServices.*

compute. regionBackendServices. create
compute. regionBackendServices. createTagBinding
compute. regionBackendServices. delete
compute. regionBackendServices. deleteTagBinding
compute. regionBackendServices. get
compute. regionBackendServices. getIamPolicy
compute. regionBackendServices. list
compute. regionBackendServices. listEffectiveTags
compute. regionBackendServices. listTagBindings
compute. regionBackendServices. setIamPolicy
compute. regionBackendServices. setSecurityPolicy
compute. regionBackendServices. update
compute. regionBackendServices. use

compute. regionCompositeHealthChecks.*

compute. regionCompositeHealthChecks. create
compute. regionCompositeHealthChecks. delete
compute. regionCompositeHealthChecks. get
compute. regionCompositeHealthChecks. list
compute. regionCompositeHealthChecks. update

compute. regionFirewallPolicies. get

compute. regionFirewallPolicies. list

compute. regionFirewallPolicies. listEffectiveTags

compute. regionFirewallPolicies. listTagBindings

compute. regionFirewallPolicies. use

compute. regionHealthAggregationPolicies.*

compute. regionHealthAggregationPolicies. create
compute. regionHealthAggregationPolicies. delete
compute. regionHealthAggregationPolicies. get
compute. regionHealthAggregationPolicies. list
compute. regionHealthAggregationPolicies. update

compute. regionHealthCheckServices.*

compute. regionHealthCheckServices. create
compute. regionHealthCheckServices. delete
compute. regionHealthCheckServices. get
compute. regionHealthCheckServices. list
compute. regionHealthCheckServices. update
compute. regionHealthCheckServices. use

compute.regionHealthChecks.*

compute. regionHealthChecks. create
compute. regionHealthChecks. createTagBinding
compute. regionHealthChecks. delete
compute. regionHealthChecks. deleteTagBinding
compute.regionHealthChecks.get
compute. regionHealthChecks. list
compute. regionHealthChecks. listEffectiveTags
compute. regionHealthChecks. listTagBindings
compute. regionHealthChecks. update
compute.regionHealthChecks.use
compute. regionHealthChecks. useReadOnly

compute.regionHealthSources.*

compute. regionHealthSources. create
compute. regionHealthSources. delete
compute. regionHealthSources. get
compute. regionHealthSources. list
compute. regionHealthSources. update

compute. regionNetworkEndpointGroups.*

compute. regionNetworkEndpointGroups. attachNetworkEndpoints
compute. regionNetworkEndpointGroups. create
compute. regionNetworkEndpointGroups. createTagBinding
compute. regionNetworkEndpointGroups. delete
compute. regionNetworkEndpointGroups. deleteTagBinding
compute. regionNetworkEndpointGroups. detachNetworkEndpoints
compute. regionNetworkEndpointGroups. get
compute. regionNetworkEndpointGroups. list
compute. regionNetworkEndpointGroups. listEffectiveTags
compute. regionNetworkEndpointGroups. listTagBindings
compute. regionNetworkEndpointGroups. use

compute. regionNotificationEndpoints.*

compute. regionNotificationEndpoints. create
compute. regionNotificationEndpoints. delete
compute. regionNotificationEndpoints. get
compute. regionNotificationEndpoints. list
compute. regionNotificationEndpoints. update
compute. regionNotificationEndpoints. use

compute.regionOperations.get

compute.regionOperations.list

compute. regionSecurityPolicies. get

compute. regionSecurityPolicies. list

compute. regionSecurityPolicies. listEffectiveTags

compute. regionSecurityPolicies. listTagBindings

compute. regionSecurityPolicies. use

compute. regionSslCertificates. get

compute. regionSslCertificates. list

compute. regionSslCertificates. listEffectiveTags

compute. regionSslCertificates. listTagBindings

compute.regionSslPolicies.*

compute. regionSslPolicies. create
compute. regionSslPolicies. createTagBinding
compute. regionSslPolicies. delete
compute. regionSslPolicies. deleteTagBinding
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute. regionSslPolicies. listAvailableFeatures
compute. regionSslPolicies. listEffectiveTags
compute. regionSslPolicies. listTagBindings
compute. regionSslPolicies. update
compute.regionSslPolicies.use

compute. regionTargetHttpProxies.*

compute. regionTargetHttpProxies. create
compute. regionTargetHttpProxies. createTagBinding
compute. regionTargetHttpProxies. delete
compute. regionTargetHttpProxies. deleteTagBinding
compute. regionTargetHttpProxies. get
compute. regionTargetHttpProxies. list
compute. regionTargetHttpProxies. listEffectiveTags
compute. regionTargetHttpProxies. listTagBindings
compute. regionTargetHttpProxies. setUrlMap
compute. regionTargetHttpProxies. use

compute. regionTargetHttpsProxies.*

compute. regionTargetHttpsProxies. create
compute. regionTargetHttpsProxies. createTagBinding
compute. regionTargetHttpsProxies. delete
compute. regionTargetHttpsProxies. deleteTagBinding
compute. regionTargetHttpsProxies. get
compute. regionTargetHttpsProxies. list
compute. regionTargetHttpsProxies. listEffectiveTags
compute. regionTargetHttpsProxies. listTagBindings
compute. regionTargetHttpsProxies. setSslCertificates
compute. regionTargetHttpsProxies. setUrlMap
compute. regionTargetHttpsProxies. update
compute. regionTargetHttpsProxies. use

compute. regionTargetTcpProxies.*

compute. regionTargetTcpProxies. create
compute. regionTargetTcpProxies. createTagBinding
compute. regionTargetTcpProxies. delete
compute. regionTargetTcpProxies. deleteTagBinding
compute. regionTargetTcpProxies. get
compute. regionTargetTcpProxies. list
compute. regionTargetTcpProxies. listEffectiveTags
compute. regionTargetTcpProxies. listTagBindings
compute. regionTargetTcpProxies. use

compute.regionUrlMaps.*

compute.regionUrlMaps.create
compute. regionUrlMaps. createTagBinding
compute.regionUrlMaps.delete
compute. regionUrlMaps. deleteTagBinding
compute.regionUrlMaps.get
compute. regionUrlMaps. invalidateCache
compute.regionUrlMaps.list
compute. regionUrlMaps. listEffectiveTags
compute. regionUrlMaps. listTagBindings
compute.regionUrlMaps.update
compute.regionUrlMaps.use
compute.regionUrlMaps.validate

compute.regions.*

compute.regions.get
compute.regions.list

compute.reservationBlocks.get

compute.reservationBlocks.list

compute.reservationSubBlocks.*

compute. reservationSubBlocks. get
compute. reservationSubBlocks. list
compute. reservationSubBlocks. performMaintenance
compute. reservationSubBlocks. reportFaulty

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.*

compute. resourcePolicies. create
compute. resourcePolicies. delete
compute.resourcePolicies.get
compute. resourcePolicies. getIamPolicy
compute.resourcePolicies.list
compute. resourcePolicies. setIamPolicy
compute. resourcePolicies. update
compute.resourcePolicies.use
compute. resourcePolicies. useReadOnly

compute.routers.*

compute.routers.create
compute. routers. createTagBinding
compute.routers.delete
compute. routers. deleteRoutePolicy
compute. routers. deleteTagBinding
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute. routers. listEffectiveTags
compute. routers. listRoutePolicies
compute. routers. listTagBindings
compute.routers.update
compute. routers. updateRoutePolicy
compute.routers.use

compute.routes.*

compute.routes.create
compute. routes. createTagBinding
compute.routes.delete
compute. routes. deleteTagBinding
compute.routes.get
compute.routes.list
compute. routes. listEffectiveTags
compute.routes.listTagBindings

compute.securityPolicies.get

compute.securityPolicies.list

compute. securityPolicies. listEffectiveTags

compute. securityPolicies. listTagBindings

compute.securityPolicies.use

compute.serviceAttachments.*

compute. serviceAttachments. create
compute. serviceAttachments. createTagBinding
compute. serviceAttachments. delete
compute. serviceAttachments. deleteTagBinding
compute.serviceAttachments.get
compute. serviceAttachments. getIamPolicy
compute. serviceAttachments. list
compute. serviceAttachments. listEffectiveTags
compute. serviceAttachments. listTagBindings
compute. serviceAttachments. setIamPolicy
compute. serviceAttachments. update
compute.serviceAttachments.use

compute.snapshots.*

compute.snapshots.create
compute. snapshots. createTagBinding
compute.snapshots.delete
compute. snapshots. deleteTagBinding
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute. snapshots. listEffectiveTags
compute. snapshots. listTagBindings
compute.snapshots.setIamPolicy
compute.snapshots.setLabels
compute.snapshots.updateKmsKey
compute.snapshots.useReadOnly

compute.sslCertificates.get

compute.sslCertificates.list

compute. sslCertificates. listEffectiveTags

compute. sslCertificates. listTagBindings

compute.sslPolicies.*

compute.sslPolicies.create
compute. sslPolicies. createTagBinding
compute.sslPolicies.delete
compute. sslPolicies. deleteTagBinding
compute.sslPolicies.get
compute.sslPolicies.list
compute. sslPolicies. listAvailableFeatures
compute. sslPolicies. listEffectiveTags
compute. sslPolicies. listTagBindings
compute.sslPolicies.update
compute.sslPolicies.use

compute.storagePools.*

compute.storagePools.create
compute.storagePools.delete
compute.storagePools.get
compute. storagePools. getIamPolicy
compute.storagePools.list
compute. storagePools. setIamPolicy
compute.storagePools.update
compute.storagePools.use

compute.subnetworks.*

compute.subnetworks.create
compute. subnetworks. createTagBinding
compute.subnetworks.delete
compute. subnetworks. deleteTagBinding
compute. subnetworks. expandIpCidrRange
compute.subnetworks.get
compute. subnetworks. getIamPolicy
compute.subnetworks.list
compute. subnetworks. listEffectiveTags
compute. subnetworks. listTagBindings
compute.subnetworks.mirror
compute. subnetworks. setIamPolicy
compute. subnetworks. setPrivateIpGoogleAccess
compute.subnetworks.update
compute.subnetworks.use
compute. subnetworks. useExternalIp
compute. subnetworks. usePeerMigration

compute.targetGrpcProxies.*

compute. targetGrpcProxies. create
compute. targetGrpcProxies. createTagBinding
compute. targetGrpcProxies. delete
compute. targetGrpcProxies. deleteTagBinding
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute. targetGrpcProxies. listEffectiveTags
compute. targetGrpcProxies. listTagBindings
compute. targetGrpcProxies. update
compute.targetGrpcProxies.use

compute.targetHttpProxies.*

compute. targetHttpProxies. create
compute. targetHttpProxies. createTagBinding
compute. targetHttpProxies. delete
compute. targetHttpProxies. deleteTagBinding
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute. targetHttpProxies. listEffectiveTags
compute. targetHttpProxies. listTagBindings
compute. targetHttpProxies. setUrlMap
compute. targetHttpProxies. update
compute.targetHttpProxies.use

compute.targetHttpsProxies.*

compute. targetHttpsProxies. create
compute. targetHttpsProxies. createTagBinding
compute. targetHttpsProxies. delete
compute. targetHttpsProxies. deleteTagBinding
compute.targetHttpsProxies.get
compute. targetHttpsProxies. list
compute. targetHttpsProxies. listEffectiveTags
compute. targetHttpsProxies. listTagBindings
compute. targetHttpsProxies. setCertificateMap
compute. targetHttpsProxies. setQuicOverride
compute. targetHttpsProxies. setSslCertificates
compute. targetHttpsProxies. setSslPolicy
compute. targetHttpsProxies. setUrlMap
compute. targetHttpsProxies. update
compute.targetHttpsProxies.use

compute.targetInstances.*

compute.targetInstances.create
compute. targetInstances. createTagBinding
compute.targetInstances.delete
compute. targetInstances. deleteTagBinding
compute.targetInstances.get
compute.targetInstances.list
compute. targetInstances. listEffectiveTags
compute. targetInstances. listTagBindings
compute. targetInstances. setSecurityPolicy
compute.targetInstances.use

compute.targetPools.*

compute. targetPools. addHealthCheck
compute. targetPools. addInstance
compute.targetPools.create
compute. targetPools. createTagBinding
compute.targetPools.delete
compute. targetPools. deleteTagBinding
compute.targetPools.get
compute.targetPools.list
compute. targetPools. listEffectiveTags
compute. targetPools. listTagBindings
compute. targetPools. removeHealthCheck
compute. targetPools. removeInstance
compute. targetPools. setSecurityPolicy
compute.targetPools.update
compute.targetPools.use

compute.targetSslProxies.*

compute. targetSslProxies. create
compute. targetSslProxies. createTagBinding
compute. targetSslProxies. delete
compute. targetSslProxies. deleteTagBinding
compute.targetSslProxies.get
compute.targetSslProxies.list
compute. targetSslProxies. listEffectiveTags
compute. targetSslProxies. listTagBindings
compute. targetSslProxies. setBackendService
compute. targetSslProxies. setCertificateMap
compute. targetSslProxies. setProxyHeader
compute. targetSslProxies. setSslCertificates
compute. targetSslProxies. setSslPolicy
compute. targetSslProxies. update
compute.targetSslProxies.use

compute.targetTcpProxies.*

compute. targetTcpProxies. create
compute. targetTcpProxies. createTagBinding
compute. targetTcpProxies. delete
compute. targetTcpProxies. deleteTagBinding
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute. targetTcpProxies. listEffectiveTags
compute. targetTcpProxies. listTagBindings
compute. targetTcpProxies. update
compute.targetTcpProxies.use

compute.targetVpnGateways.*

compute. targetVpnGateways. create
compute. targetVpnGateways. createTagBinding
compute. targetVpnGateways. delete
compute. targetVpnGateways. deleteTagBinding
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute. targetVpnGateways. listEffectiveTags
compute. targetVpnGateways. listTagBindings
compute. targetVpnGateways. setLabels
compute.targetVpnGateways.use

compute.urlMaps.*

compute.urlMaps.create
compute. urlMaps. createTagBinding
compute.urlMaps.delete
compute. urlMaps. deleteTagBinding
compute.urlMaps.get
compute. urlMaps. invalidateCache
compute.urlMaps.list
compute. urlMaps. listEffectiveTags
compute. urlMaps. listTagBindings
compute.urlMaps.update
compute.urlMaps.use
compute.urlMaps.validate

compute.vpnGateways.*

compute.vpnGateways.create
compute. vpnGateways. createTagBinding
compute.vpnGateways.delete
compute. vpnGateways. deleteTagBinding
compute.vpnGateways.get
compute.vpnGateways.list
compute. vpnGateways. listEffectiveTags
compute. vpnGateways. listTagBindings
compute.vpnGateways.setLabels
compute.vpnGateways.use

compute.vpnTunnels.*

compute.vpnTunnels.create
compute. vpnTunnels. createTagBinding
compute.vpnTunnels.delete
compute. vpnTunnels. deleteTagBinding
compute.vpnTunnels.get
compute.vpnTunnels.list
compute. vpnTunnels. listEffectiveTags
compute. vpnTunnels. listTagBindings
compute.vpnTunnels.setLabels

compute.wireGroups.*

compute.wireGroups.create
compute.wireGroups.delete
compute.wireGroups.get
compute.wireGroups.list
compute.wireGroups.update

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

dataflow.jobs.*

dataflow.jobs.cancel
dataflow.jobs.create
dataflow.jobs.get
dataflow.jobs.list
dataflow.jobs.snapshot
dataflow.jobs.updateContents

dataflow.messages.list

dataflow.metrics.get

dataflow.snapshots.*

dataflow.snapshots.delete
dataflow.snapshots.get
dataflow.snapshots.list

dataform.*

dataform.commentThreads.create
dataform.commentThreads.delete
dataform.commentThreads.get
dataform.commentThreads.list
dataform.commentThreads.update
dataform.comments.create
dataform.comments.delete
dataform.comments.get
dataform.comments.list
dataform.comments.update
dataform. compilationResults. create
dataform. compilationResults. get
dataform. compilationResults. list
dataform. compilationResults. query
dataform.config.get
dataform.config.update
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform. repositories. computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform. repositories. fetchHistory
dataform. repositories. fetchRemoteBranches
dataform.repositories.get
dataform. repositories. getIamPolicy
dataform.repositories.list
dataform. repositories. queryDirectoryContents
dataform.repositories.readFile
dataform. repositories. setIamPolicy
dataform.repositories.update
dataform. workflowConfigs. create
dataform. workflowConfigs. delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform. workflowConfigs. update
dataform. workflowInvocations. cancel
dataform. workflowInvocations. create
dataform. workflowInvocations. delete
dataform. workflowInvocations. get
dataform. workflowInvocations. list
dataform. workflowInvocations. query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform. workspaces. fetchFileDiff
dataform. workspaces. fetchFileGitStatuses
dataform. workspaces. fetchGitAheadBehind
dataform.workspaces.get
dataform. workspaces. getIamPolicy
dataform. workspaces. installNpmPackages
dataform.workspaces.list
dataform. workspaces. makeDirectory
dataform. workspaces. moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform. workspaces. queryDirectoryContents
dataform.workspaces.readFile
dataform. workspaces. removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform. workspaces. searchFiles
dataform. workspaces. setIamPolicy
dataform.workspaces.writeFile

dataplex.datascans.*

dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getData
dataplex. datascans. getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex. datascans. setIamPolicy
dataplex.datascans.update

dataplex.operations.get

dataplex.operations.list

dataplex.projects.search

dns. networks. targetWithPeeringZone

firebase.projects.get

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam. serviceAccounts. getAccessToken

iam. serviceAccounts. implicitDelegation

iam.serviceAccounts.list

iam.serviceAccounts.signBlob

iam.serviceAccounts.signJwt

logging.buckets.create

logging. buckets. createTagBinding

logging.buckets.delete

logging. buckets. deleteTagBinding

logging.buckets.get

logging.buckets.list

logging. buckets. listEffectiveTags

logging. buckets. listTagBindings

logging.buckets.undelete

logging.buckets.update

logging.exclusions.*

logging.exclusions.create
logging.exclusions.delete
logging.exclusions.get
logging.exclusions.list
logging.exclusions.update

logging.links.*

logging.links.create
logging.links.delete
logging.links.get
logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logEntries.create

logging.logEntries.route

logging.logMetrics.*

logging.logMetrics.create
logging.logMetrics.delete
logging.logMetrics.get
logging.logMetrics.list
logging.logMetrics.update

logging.logScopes.*

logging.logScopes.create
logging.logScopes.delete
logging.logScopes.get
logging.logScopes.list
logging.logScopes.update

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.notificationRules.*

logging. notificationRules. create
logging. notificationRules. delete
logging.notificationRules.get
logging.notificationRules.list
logging. notificationRules. update

logging.operations.*

logging.operations.cancel
logging.operations.get
logging.operations.list

logging.settings.*

logging.settings.get
logging.settings.update

logging.sinks.*

logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
logging.sinks.update

logging.sqlAlerts.*

logging.sqlAlerts.create
logging.sqlAlerts.update

logging.views.create

logging.views.delete

logging.views.get

logging.views.getIamPolicy

logging.views.list

logging.views.update

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring. alertPolicies. listEffectiveTags

monitoring. alertPolicies. listTagBindings

monitoring.alerts.*

monitoring.alerts.get
monitoring.alerts.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring. dashboards. listEffectiveTags

monitoring. dashboards. listTagBindings

monitoring.groups.get

monitoring.groups.list

monitoring. metricDescriptors. create

monitoring. metricDescriptors. get

monitoring. metricDescriptors. list

monitoring. monitoredResourceDescriptors.*

monitoring. monitoredResourceDescriptors. get
monitoring. monitoredResourceDescriptors. list

monitoring. notificationChannelDescriptors.*

monitoring. notificationChannelDescriptors. get
monitoring. notificationChannelDescriptors. list

monitoring. notificationChannels. get

monitoring. notificationChannels. list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

monitoring. uptimeCheckConfigs. get

monitoring. uptimeCheckConfigs. list

networkconnectivity. internalRanges.*

networkconnectivity. internalRanges. create
networkconnectivity. internalRanges. delete
networkconnectivity. internalRanges. get
networkconnectivity. internalRanges. getIamPolicy
networkconnectivity. internalRanges. list
networkconnectivity. internalRanges. setIamPolicy
networkconnectivity. internalRanges. update

networkconnectivity. locations.*

networkconnectivity. locations. get
networkconnectivity. locations. list

networkconnectivity. operations.*

networkconnectivity. operations. cancel
networkconnectivity. operations. delete
networkconnectivity. operations. get
networkconnectivity. operations. list

networkconnectivity. policyBasedRoutes.*

networkconnectivity. policyBasedRoutes. create
networkconnectivity. policyBasedRoutes. delete
networkconnectivity. policyBasedRoutes. get
networkconnectivity. policyBasedRoutes. getIamPolicy
networkconnectivity. policyBasedRoutes. list
networkconnectivity. policyBasedRoutes. setIamPolicy

networkconnectivity. regionalEndpoints.*

networkconnectivity. regionalEndpoints. create
networkconnectivity. regionalEndpoints. delete
networkconnectivity. regionalEndpoints. get
networkconnectivity. regionalEndpoints. list

networkconnectivity. serviceClasses.*

networkconnectivity. serviceClasses. create
networkconnectivity. serviceClasses. delete
networkconnectivity. serviceClasses. get
networkconnectivity. serviceClasses. list
networkconnectivity. serviceClasses. update
networkconnectivity. serviceClasses. use

networkconnectivity. serviceConnectionMaps.*

networkconnectivity. serviceConnectionMaps. create
networkconnectivity. serviceConnectionMaps. delete
networkconnectivity. serviceConnectionMaps. get
networkconnectivity. serviceConnectionMaps. list
networkconnectivity. serviceConnectionMaps. update

networkconnectivity. serviceConnectionPolicies.*

networkconnectivity. serviceConnectionPolicies. create
networkconnectivity. serviceConnectionPolicies. delete
networkconnectivity. serviceConnectionPolicies. get
networkconnectivity. serviceConnectionPolicies. list
networkconnectivity. serviceConnectionPolicies. update

networkmanagement. connectivitytests. get

networkmanagement. connectivitytests. list

networksecurity. addressGroups.*

networksecurity. addressGroups. create
networksecurity. addressGroups. delete
networksecurity. addressGroups. get
networksecurity. addressGroups. getIamPolicy
networksecurity. addressGroups. list
networksecurity. addressGroups. setIamPolicy
networksecurity. addressGroups. update
networksecurity. addressGroups. use

networksecurity. authorizationPolicies.*

networksecurity. authorizationPolicies. create
networksecurity. authorizationPolicies. delete
networksecurity. authorizationPolicies. get
networksecurity. authorizationPolicies. getIamPolicy
networksecurity. authorizationPolicies. list
networksecurity. authorizationPolicies. setIamPolicy
networksecurity. authorizationPolicies. update
networksecurity. authorizationPolicies. use

networksecurity. authzPolicies.*

networksecurity. authzPolicies. create
networksecurity. authzPolicies. delete
networksecurity. authzPolicies. get
networksecurity. authzPolicies. getIamPolicy
networksecurity. authzPolicies. list
networksecurity. authzPolicies. setIamPolicy
networksecurity. authzPolicies. update

networksecurity. backendAuthenticationConfigs.*

networksecurity. backendAuthenticationConfigs. create
networksecurity. backendAuthenticationConfigs. delete
networksecurity. backendAuthenticationConfigs. get
networksecurity. backendAuthenticationConfigs. list
networksecurity. backendAuthenticationConfigs. update
networksecurity. backendAuthenticationConfigs. use

networksecurity. clientTlsPolicies.*

networksecurity. clientTlsPolicies. create
networksecurity. clientTlsPolicies. delete
networksecurity. clientTlsPolicies. get
networksecurity. clientTlsPolicies. getIamPolicy
networksecurity. clientTlsPolicies. list
networksecurity. clientTlsPolicies. setIamPolicy
networksecurity. clientTlsPolicies. update
networksecurity. clientTlsPolicies. use

networksecurity. firewallEndpointAssociations.*

networksecurity. firewallEndpointAssociations. create
networksecurity. firewallEndpointAssociations. delete
networksecurity. firewallEndpointAssociations. get
networksecurity. firewallEndpointAssociations. list
networksecurity. firewallEndpointAssociations. update

networksecurity. firewallEndpoints.*

networksecurity. firewallEndpoints. create
networksecurity. firewallEndpoints. delete
networksecurity. firewallEndpoints. get
networksecurity. firewallEndpoints. list
networksecurity. firewallEndpoints. update
networksecurity. firewallEndpoints. use

networksecurity. gatewaySecurityPolicies.*

networksecurity. gatewaySecurityPolicies. create
networksecurity. gatewaySecurityPolicies. delete
networksecurity. gatewaySecurityPolicies. get
networksecurity. gatewaySecurityPolicies. list
networksecurity. gatewaySecurityPolicies. update
networksecurity. gatewaySecurityPolicies. use

networksecurity. gatewaySecurityPolicyRules.*

networksecurity. gatewaySecurityPolicyRules. create
networksecurity. gatewaySecurityPolicyRules. delete
networksecurity. gatewaySecurityPolicyRules. get
networksecurity. gatewaySecurityPolicyRules. list
networksecurity. gatewaySecurityPolicyRules. update
networksecurity. gatewaySecurityPolicyRules. use

networksecurity.locations.*

networksecurity.locations.get
networksecurity.locations.list

networksecurity.operations.*

networksecurity. operations. cancel
networksecurity. operations. delete
networksecurity.operations.get
networksecurity. operations. list

networksecurity. sacAttachments.*

networksecurity. sacAttachments. create
networksecurity. sacAttachments. delete
networksecurity. sacAttachments. get
networksecurity. sacAttachments. list

networksecurity.sacRealms.*

networksecurity. sacRealms. create
networksecurity. sacRealms. delete
networksecurity.sacRealms.get
networksecurity.sacRealms.list

networksecurity. securityProfileGroups.*

networksecurity. securityProfileGroups. create
networksecurity. securityProfileGroups. delete
networksecurity. securityProfileGroups. get
networksecurity. securityProfileGroups. list
networksecurity. securityProfileGroups. update
networksecurity. securityProfileGroups. use

networksecurity. securityProfiles.*

networksecurity. securityProfiles. create
networksecurity. securityProfiles. delete
networksecurity. securityProfiles. get
networksecurity. securityProfiles. list
networksecurity. securityProfiles. update
networksecurity. securityProfiles. use

networksecurity. serverTlsPolicies.*

networksecurity. serverTlsPolicies. create
networksecurity. serverTlsPolicies. delete
networksecurity. serverTlsPolicies. get
networksecurity. serverTlsPolicies. getIamPolicy
networksecurity. serverTlsPolicies. list
networksecurity. serverTlsPolicies. setIamPolicy
networksecurity. serverTlsPolicies. update
networksecurity. serverTlsPolicies. use

networksecurity. tlsInspectionPolicies.*

networksecurity. tlsInspectionPolicies. create
networksecurity. tlsInspectionPolicies. delete
networksecurity. tlsInspectionPolicies. get
networksecurity. tlsInspectionPolicies. list
networksecurity. tlsInspectionPolicies. update
networksecurity. tlsInspectionPolicies. use

networksecurity.urlLists.*

networksecurity. urlLists. create
networksecurity. urlLists. delete
networksecurity.urlLists.get
networksecurity.urlLists.list
networksecurity. urlLists. update
networksecurity.urlLists.use

networkservices.*

networkservices. authzExtensions. create
networkservices. authzExtensions. delete
networkservices. authzExtensions. get
networkservices. authzExtensions. list
networkservices. authzExtensions. update
networkservices. authzExtensions. use
networkservices. endpointPolicies. create
networkservices. endpointPolicies. delete
networkservices. endpointPolicies. get
networkservices. endpointPolicies. list
networkservices. endpointPolicies. update
networkservices. gateways. create
networkservices. gateways. delete
networkservices.gateways.get
networkservices.gateways.list
networkservices. gateways. update
networkservices.gateways.use
networkservices. grpcRoutes. create
networkservices. grpcRoutes. delete
networkservices.grpcRoutes.get
networkservices. grpcRoutes. list
networkservices. grpcRoutes. update
networkservices. httpFilters. create
networkservices. httpFilters. delete
networkservices. httpFilters. get
networkservices. httpFilters. list
networkservices. httpFilters. update
networkservices. httpRoutes. create
networkservices. httpRoutes. delete
networkservices.httpRoutes.get
networkservices. httpRoutes. list
networkservices. httpRoutes. update
networkservices. httpfilters. create
networkservices. httpfilters. delete
networkservices. httpfilters. get
networkservices. httpfilters. getIamPolicy
networkservices. httpfilters. list
networkservices. httpfilters. setIamPolicy
networkservices. httpfilters. update
networkservices. httpfilters. use
networkservices. lbEdgeExtensions. create
networkservices. lbEdgeExtensions. delete
networkservices. lbEdgeExtensions. get
networkservices. lbEdgeExtensions. list
networkservices. lbEdgeExtensions. update
networkservices. lbRouteExtensions. create
networkservices. lbRouteExtensions. delete
networkservices. lbRouteExtensions. get
networkservices. lbRouteExtensions. list
networkservices. lbRouteExtensions. update
networkservices. lbTcpExtensions. createForNetwork
networkservices. lbTcpExtensions. deleteForNetwork
networkservices. lbTcpExtensions. getForNetwork
networkservices. lbTcpExtensions. listForNetwork
networkservices. lbTcpExtensions. updateForNetwork
networkservices. lbTrafficExtensions. create
networkservices. lbTrafficExtensions. delete
networkservices. lbTrafficExtensions. get
networkservices. lbTrafficExtensions. list
networkservices. lbTrafficExtensions. update
networkservices.locations.get
networkservices.locations.list
networkservices.meshes.create
networkservices.meshes.delete
networkservices.meshes.get
networkservices.meshes.list
networkservices.meshes.update
networkservices.meshes.use
networkservices. operations. cancel
networkservices. operations. delete
networkservices.operations.get
networkservices. operations. list
networkservices. route_views. get
networkservices. route_views. list
networkservices. serviceBindings. create
networkservices. serviceBindings. delete
networkservices. serviceBindings. get
networkservices. serviceBindings. list
networkservices. serviceBindings. update
networkservices. serviceLbPolicies. create
networkservices. serviceLbPolicies. delete
networkservices. serviceLbPolicies. get
networkservices. serviceLbPolicies. list
networkservices. serviceLbPolicies. update
networkservices. tcpRoutes. create
networkservices. tcpRoutes. delete
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
networkservices. tcpRoutes. update
networkservices. tlsRoutes. create
networkservices. tlsRoutes. delete
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices. tlsRoutes. update
networkservices. wasmPlugins. create
networkservices. wasmPlugins. delete
networkservices. wasmPlugins. get
networkservices. wasmPlugins. list
networkservices. wasmPlugins. update
networkservices. wasmPlugins. use

observability.scopes.get

opsconfigmonitoring. resourceMetadata. list

orgpolicy.policy.get

pubsub.*

pubsub. messageTransforms. validate
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.getIamPolicy
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.setIamPolicy
pubsub.schemas.validate
pubsub.snapshots.create
pubsub. snapshots. createTagBinding
pubsub.snapshots.delete
pubsub. snapshots. deleteTagBinding
pubsub.snapshots.get
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub. snapshots. listEffectiveTags
pubsub. snapshots. listTagBindings
pubsub.snapshots.seek
pubsub.snapshots.setIamPolicy
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub. subscriptions. createTagBinding
pubsub.subscriptions.delete
pubsub. subscriptions. deleteTagBinding
pubsub.subscriptions.get
pubsub. subscriptions. getIamPolicy
pubsub.subscriptions.list
pubsub. subscriptions. listEffectiveTags
pubsub. subscriptions. listTagBindings
pubsub. subscriptions. setIamPolicy
pubsub.subscriptions.update
pubsub. topics. attachSubscription
pubsub.topics.create
pubsub.topics.createTagBinding
pubsub.topics.delete
pubsub.topics.deleteTagBinding
pubsub. topics. detachSubscription
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub. topics. listEffectiveTags
pubsub.topics.listTagBindings
pubsub.topics.publish
pubsub.topics.setIamPolicy
pubsub.topics.update
pubsub.topics.updateTag

recommender. dataflowDiagnosticsInsights.*

recommender. dataflowDiagnosticsInsights. get
recommender. dataflowDiagnosticsInsights. list
recommender. dataflowDiagnosticsInsights. update

recommender. iamPolicyInsights.*

recommender. iamPolicyInsights. get
recommender. iamPolicyInsights. list
recommender. iamPolicyInsights. update

recommender. iamPolicyRecommendations.*

recommender. iamPolicyRecommendations. get
recommender. iamPolicyRecommendations. list
recommender. iamPolicyRecommendations. update

recommender. storageBucketSoftDeleteInsights.*

recommender. storageBucketSoftDeleteInsights. get
recommender. storageBucketSoftDeleteInsights. list
recommender. storageBucketSoftDeleteInsights. update

recommender. storageBucketSoftDeleteRecommendations.*

recommender. storageBucketSoftDeleteRecommendations. get
recommender. storageBucketSoftDeleteRecommendations. list
recommender. storageBucketSoftDeleteRecommendations. update

resourcemanager. hierarchyNodes. listEffectiveTags

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory. namespaces. create

servicedirectory. namespaces. delete

servicedirectory. services. create

servicedirectory. services. delete

servicenetworking. operations. get

servicenetworking. services. addPeering

servicenetworking. services. createPeeredDnsDomain

servicenetworking. services. deleteConnection

servicenetworking. services. deletePeeredDnsDomain

servicenetworking. services. disableVpcServiceControls

servicenetworking. services. enableVpcServiceControls

servicenetworking.services.get

servicenetworking. services. listPeeredDnsDomains

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

stackdriver.projects.get

stackdriver. resourceMetadata. list

storage.anywhereCaches.*

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

storage.bucketOperations.*

storage. bucketOperations. cancel
storage.bucketOperations.get
storage.bucketOperations.list

storage.buckets.*

storage.buckets.create
storage. buckets. createTagBinding
storage.buckets.delete
storage. buckets. deleteTagBinding
storage. buckets. enableObjectRetention
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getIpFilter
storage. buckets. getObjectInsights
storage.buckets.list
storage. buckets. listEffectiveTags
storage. buckets. listTagBindings
storage.buckets.relocate
storage.buckets.restore
storage.buckets.setIamPolicy
storage.buckets.setIpFilter
storage.buckets.update

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.intelligenceConfigs.*

storage. intelligenceConfigs. get
storage. intelligenceConfigs. update

storage.managedFolders.*

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage. managedFolders. getIamPolicy
storage.managedFolders.list
storage. managedFolders. setIamPolicy

storage.multipartUploads.*

storage.multipartUploads.abort
storage. multipartUploads. create
storage.multipartUploads.list
storage. multipartUploads. listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage. objects. overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update

telemetry.metrics.write

trafficdirector.*

trafficdirector. networks. getConfigs
trafficdirector. networks. reportMetrics

Dataflow Viewer

( roles/ dataflow.viewer )

Provides read-only access to all Dataflow-related resources.

Lowest-level resources where you can grant this role:

Project

dataflow.jobs.get

dataflow.jobs.list

dataflow.messages.list

dataflow.metrics.get

dataflow.snapshots.get

dataflow.snapshots.list

recommender. dataflowDiagnosticsInsights. get

recommender. dataflowDiagnosticsInsights. list

resourcemanager.projects.get

resourcemanager.projects.list

Dataflow Worker

( roles/ dataflow.worker )

Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline.

Lowest-level resources where you can grant this role:

Project

autoscaling. sites. readRecommendations

autoscaling.sites.writeMetrics

autoscaling.sites.writeState

compute. instanceGroupManagers. update

compute.instances.delete

compute. instances. setDiskAutoDelete

dataflow.jobs.get

dataflow.shuffle.*

dataflow.shuffle.read
dataflow.shuffle.write

dataflow.streamingWorkItems.*

dataflow. streamingWorkItems. ImportState
dataflow. streamingWorkItems. commitWork
dataflow. streamingWorkItems. getData
dataflow. streamingWorkItems. getWork
dataflow. streamingWorkItems. getWorkerMetadata

dataflow.workItems.*

dataflow.workItems.lease
dataflow.workItems.sendMessage
dataflow.workItems.update

logging.logEntries.create

logging.logEntries.route

monitoring.timeSeries.create

storage.buckets.get

storage.objects.create

storage.objects.get

The Dataflow Worker role ( roles/dataflow.worker ) provides the permissions necessary for a Compute Engine service account to run work units for an Apache Beam pipeline. The Dataflow Worker role must be assigned to a service account that is able to request and update work from the Dataflow service.

The Dataflow Service Agent role ( roles/dataflow.serviceAgent ) is used exclusively by the Dataflow service account . It provides the service account access to managed resources in your Google Cloud project to run Dataflow jobs. It is assigned automatically to the service account when you enable the Dataflow API for your project from the APIs page in the Google Cloud console.

Creating jobs

To a create a job, the roles/dataflow.admin role includes the minimal set of permissions required to run and examine jobs.

Alternatively, the following permissions are required:

The roles/dataflow.developer role, to instantiate the job itself.
The roles/compute.viewer role, to access machine type information and view other settings.
The roles/storage.objectAdmin role, to provide permission to stage files on Cloud Storage.

Example role assignment

To illustrate the utility of the different Dataflow roles, consider the following breakdown:

The developer who creates and examines jobs needs the roles/iam.serviceAccountUser role.
For more sophisticated permissions management, the developer interacting with the Dataflow job needs the roles/dataflow.developer role.
- They need the roles/storage.objectAdmin or a related role to stage the required files.
- For debugging and quota checking, they need the project roles/compute.viewer role.
- Absent other role assignments, this role lets the developer create and cancel Dataflow jobs, but not interact with the individual VMs or access other Cloud services.
The worker service account needs the roles/dataflow.worker and the roles/dataflow.admin roles to process data for the Dataflow service.
- To access job data, the worker service account needs other roles such as roles/storage.objectAdmin .
- To write to BigQuery tables, the worker service account needs the roles/bigquery.dataEditor role.
- To read from a Pub/Sub topic or subscription, the worker service account needs the roles/pubsub.editor role.
If you're using a Shared VPC, the Shared VPC subnetwork needs to be shared with the Dataflow service account and needs to have the Compute Network User role assigned on the specified subnet.
- To see if the Shared VPC subnetwork is shared with the Dataflow service account, in the Google Cloud console, go to the Shared VPCpage and search for the subnet. In the Shared withcolumn, you can see whether the VPC subnetwork is shared with the Dataflow service account. For more information, see Guidelines for specifying a subnetwork parameter for Shared VPC .
- The host project's Compute Engine service account , the service project's Dataflow worker service account , and the service account used to submit the job need to have the following roles:
  - roles/dataflow.admin
  - roles/compute.networkUser
  - roles/storage.objectViewer

Assigning Dataflow roles

Dataflow roles can currently be set on organizations and projects only.

To manage roles at the organizational level, see Access control for organizations using IAM .

To set project-level roles, see Granting, changing, and revoking access to resources .