GKE Multi-Cloud roles and permissions

This page lists the IAM roles and permissions for GKE Multi-Cloud. To search through all roles and permissions, see the role and permission index .

GKE Multi-Cloud roles

Role

Permissions

Anthos Multi-cloud Admin

( roles/ gkemulticloud.admin )

Admin access to Anthos Multi-cloud resources.

gkemulticloud.*

gkemulticloud. attachedClusters. create
gkemulticloud. attachedClusters. delete
gkemulticloud. attachedClusters. generateInstallManifest
gkemulticloud. attachedClusters. get
gkemulticloud. attachedClusters. import
gkemulticloud. attachedClusters. list
gkemulticloud. attachedClusters. update
gkemulticloud. attachedServerConfigs. get
gkemulticloud. awsClusters. create
gkemulticloud. awsClusters. delete
gkemulticloud. awsClusters. generateAccessToken
gkemulticloud.awsClusters.get
gkemulticloud. awsClusters. getAdminKubeconfig
gkemulticloud.awsClusters.list
gkemulticloud. awsClusters. update
gkemulticloud. awsNodePools. create
gkemulticloud. awsNodePools. delete
gkemulticloud.awsNodePools.get
gkemulticloud. awsNodePools. list
gkemulticloud. awsNodePools. update
gkemulticloud. awsServerConfigs. get
gkemulticloud. azureClients. create
gkemulticloud. azureClients. delete
gkemulticloud.azureClients.get
gkemulticloud. azureClients. list
gkemulticloud. azureClusters. create
gkemulticloud. azureClusters. delete
gkemulticloud. azureClusters. generateAccessToken
gkemulticloud. azureClusters. get
gkemulticloud. azureClusters. getAdminKubeconfig
gkemulticloud. azureClusters. list
gkemulticloud. azureClusters. update
gkemulticloud. azureNodePools. create
gkemulticloud. azureNodePools. delete
gkemulticloud. azureNodePools. get
gkemulticloud. azureNodePools. list
gkemulticloud. azureNodePools. update
gkemulticloud. azureServerConfigs. get
gkemulticloud. operations. cancel
gkemulticloud. operations. delete
gkemulticloud.operations.get
gkemulticloud.operations.list
gkemulticloud.operations.wait

resourcemanager.projects.get

resourcemanager.projects.list

Anthos Multi-Cloud Container Service Agent

( roles/ gkemulticloud.containerServiceAgent )

Grants the Anthos Multi-Cloud Container Service Account access to manage resources.

binaryauthorization. platformPolicies. evaluatePolicy

binaryauthorization. platformPolicies. get

binaryauthorization. platformPolicies. list

binaryauthorization. policy. evaluatePolicy

binaryauthorization.policy.get

cloudnotifications. activities. list

kubernetesmetadata.*

kubernetesmetadata. metadata. config
kubernetesmetadata. metadata. publish
kubernetesmetadata. metadata. snapshot

logging.logEntries.create

logging.logEntries.route

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring. alertPolicies. listEffectiveTags

monitoring. alertPolicies. listTagBindings

monitoring.dashboards.get

monitoring.dashboards.list

monitoring. dashboards. listEffectiveTags

monitoring. dashboards. listTagBindings

monitoring.groups.get

monitoring.groups.list

monitoring. metricDescriptors. create

monitoring. metricDescriptors. get

monitoring. metricDescriptors. list

monitoring. monitoredResourceDescriptors.*

monitoring. monitoredResourceDescriptors. get
monitoring. monitoredResourceDescriptors. list

monitoring. notificationChannelDescriptors.*

monitoring. notificationChannelDescriptors. get
monitoring. notificationChannelDescriptors. list

monitoring. notificationChannels. get

monitoring. notificationChannels. list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

monitoring. uptimeCheckConfigs. get

monitoring. uptimeCheckConfigs. list

opsconfigmonitoring.*

opsconfigmonitoring. resourceMetadata. list
opsconfigmonitoring. resourceMetadata. write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

stackdriver.projects.get

stackdriver. resourceMetadata. list

Anthos Multi-Cloud Control Plane Machine Service Agent

( roles/ gkemulticloud.controlPlaneMachineServiceAgent )

Grants the Anthos Multi-Cloud Control Plane Machine Service Account access to manage resources.

artifactregistry. dockerimages. get

artifactregistry. repositories. downloadArtifacts

artifactregistry. repositories. get

serviceusage.services.use

Anthos Multi-Cloud Node Pool Machine Service Agent

( roles/ gkemulticloud.nodePoolMachineServiceAgent )

Grants the Anthos Multi-Cloud Node Pool Machine Service Account access to manage resources.

artifactregistry. dockerimages. get

artifactregistry. repositories. downloadArtifacts

artifactregistry. repositories. get

serviceusage.services.use

Anthos Multi-Cloud Service Agent

( roles/ gkemulticloud.serviceAgent )

Grants the Anthos Multi-Cloud Service Account access to manage resources.

gkehub.features.*

gkehub.features.create
gkehub.features.delete
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.setIamPolicy
gkehub.features.update

gkehub.fleet.*

gkehub.fleet.create
gkehub.fleet.createFreeTrial
gkehub.fleet.delete
gkehub.fleet.get
gkehub.fleet.getFreeTrial
gkehub.fleet.update
gkehub.fleet.updateFreeTrial

gkehub.locations.*

gkehub.locations.get
gkehub.locations.list

gkehub.membershipbindings.*

gkehub. membershipbindings. create
gkehub. membershipbindings. delete
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub. membershipbindings. update

gkehub.membershipfeatures.*

gkehub. membershipfeatures. create
gkehub. membershipfeatures. delete
gkehub.membershipfeatures.get
gkehub.membershipfeatures.list
gkehub. membershipfeatures. update

gkehub.memberships.*

gkehub.memberships.create
gkehub.memberships.delete
gkehub. memberships. generateConnectManifest
gkehub.memberships.get
gkehub. memberships. getIamPolicy
gkehub.memberships.list
gkehub. memberships. setIamPolicy
gkehub.memberships.update

gkehub.namespaces.*

gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.namespaces.update

gkehub.operations.*

gkehub.operations.cancel
gkehub.operations.delete
gkehub.operations.get
gkehub.operations.list

gkehub.rbacrolebindings.*

gkehub.rbacrolebindings.create
gkehub.rbacrolebindings.delete
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.rbacrolebindings.update

gkehub.scopes.create

gkehub.scopes.delete

gkehub.scopes.get

gkehub.scopes.getIamPolicy

gkehub.scopes.list

gkehub. scopes. listBoundMemberships

gkehub.scopes.update

gkemulticloud. awsClusters. delete

gkemulticloud. awsNodePools. delete

gkemulticloud. azureClients. delete

gkemulticloud. azureClusters. delete

gkemulticloud. azureNodePools. delete

resourcemanager.projects.get

resourcemanager.projects.list

Anthos Multi-cloud Telemetry Writer

( roles/ gkemulticloud.telemetryWriter )

Grant access to write cluster telemetry data such as logs, metrics, and resource metadata.

kubernetesmetadata.*

kubernetesmetadata. metadata. config
kubernetesmetadata. metadata. publish
kubernetesmetadata. metadata. snapshot

logging.logEntries.create

logging.logEntries.route

monitoring. metricDescriptors. create

monitoring. metricDescriptors. get

monitoring. metricDescriptors. list

monitoring. monitoredResourceDescriptors.*

monitoring. monitoredResourceDescriptors. get
monitoring. monitoredResourceDescriptors. list

monitoring.timeSeries.create

opsconfigmonitoring. resourceMetadata. write

Anthos Multi-cloud Viewer

( roles/ gkemulticloud.viewer )

Viewer access to Anthos Multi-cloud resources.

gkemulticloud. attachedClusters. generateInstallManifest

gkemulticloud. attachedClusters. get

gkemulticloud. attachedClusters. list

gkemulticloud. attachedServerConfigs. get

gkemulticloud. awsClusters. generateAccessToken

gkemulticloud.awsClusters.get

gkemulticloud.awsClusters.list

gkemulticloud.awsNodePools.get

gkemulticloud. awsNodePools. list

gkemulticloud. awsServerConfigs. get

gkemulticloud.azureClients.get

gkemulticloud. azureClients. list

gkemulticloud. azureClusters. generateAccessToken

gkemulticloud. azureClusters. get

gkemulticloud. azureClusters. list

gkemulticloud. azureNodePools. get

gkemulticloud. azureNodePools. list

gkemulticloud. azureServerConfigs. get

gkemulticloud.operations.get

gkemulticloud.operations.list

gkemulticloud.operations.wait

resourcemanager.projects.get

resourcemanager.projects.list

GKE Multi-Cloud permissions

Permission

Included in roles

`gkemulticloud. attachedClusters. create`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

`gkemulticloud. attachedClusters. delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

`gkemulticloud. attachedClusters. generateInstallManifest`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud. attachedClusters. get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud. attachedClusters. import`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

`gkemulticloud. attachedClusters. list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud. attachedClusters. update`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

`gkemulticloud. attachedServerConfigs. get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud. awsClusters. create`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

`gkemulticloud. awsClusters. delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Service agent roles

Anthos Multi-Cloud Service Agent ( roles/ gkemulticloud.serviceAgent )

`gkemulticloud. awsClusters. generateAccessToken`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud.awsClusters.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Support User ( roles/ iam.supportUser )

Service agent roles

GKE Hub Service Agent ( roles/ gkehub.serviceAgent )

`gkemulticloud. awsClusters. getAdminKubeconfig`

Owner ( roles/ owner )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

`gkemulticloud.awsClusters.list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud. awsClusters. update`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

`gkemulticloud. awsNodePools. create`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

`gkemulticloud. awsNodePools. delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Service agent roles

Anthos Multi-Cloud Service Agent ( roles/ gkemulticloud.serviceAgent )

`gkemulticloud.awsNodePools.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud. awsNodePools. list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud. awsNodePools. update`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

`gkemulticloud. awsServerConfigs. get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud. azureClients. create`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

`gkemulticloud. azureClients. delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Service agent roles

Anthos Multi-Cloud Service Agent ( roles/ gkemulticloud.serviceAgent )

`gkemulticloud.azureClients.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud. azureClients. list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud. azureClusters. create`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

`gkemulticloud. azureClusters. delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Service agent roles

Anthos Multi-Cloud Service Agent ( roles/ gkemulticloud.serviceAgent )

`gkemulticloud. azureClusters. generateAccessToken`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud. azureClusters. get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Support User ( roles/ iam.supportUser )

Service agent roles

GKE Hub Service Agent ( roles/ gkehub.serviceAgent )

`gkemulticloud. azureClusters. getAdminKubeconfig`

Owner ( roles/ owner )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

`gkemulticloud. azureClusters. list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud. azureClusters. update`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

`gkemulticloud. azureNodePools. create`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

`gkemulticloud. azureNodePools. delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Service agent roles

Anthos Multi-Cloud Service Agent ( roles/ gkemulticloud.serviceAgent )

`gkemulticloud. azureNodePools. get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud. azureNodePools. list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud. azureNodePools. update`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

`gkemulticloud. azureServerConfigs. get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud. operations. cancel`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

`gkemulticloud. operations. delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

`gkemulticloud.operations.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud.operations.list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

`gkemulticloud.operations.wait`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Anthos Multi-cloud Admin ( roles/ gkemulticloud.admin )

Anthos Multi-cloud Viewer ( roles/ gkemulticloud.viewer )

Support User ( roles/ iam.supportUser )

GKE Multi-Cloud roles and permissions Stay organized with collections Save and categorize content based on your preferences.