Create IAM allow policies

Autopilot Standard

This page explains how to create Identity and Access Management (IAM) allow policies for authorization in Google Kubernetes Engine (GKE).

Every Google Cloud, GKE, and Kubernetes API call requires that the account making the request has the necessary permissions. By default, no one except you can access your project or its resources. You can use IAM to manage who can access your project and what they are allowed to do. IAM permissions work alongside Kubernetes RBAC , which provides granular access controls for specific objects inside a cluster or namespace. IAM has a stronger focus on permissions at the project and organization level, though it does provide several predefined roles specific to GKE.

To grant users and service accounts access to your Google Cloud project, you add them as project team members , then assign roles to the team members. Roles define which Google Cloud resources an account can access and which operations they can perform.

In GKE, you can also use IAM to manage which users and service accounts can access, and perform operations in, your clusters.

This page is for Security specialists and Operators who use IAM allow policies to manage authorization in GKE clusters. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks .

Before reading this page, ensure that you're familiar with the following concepts:

Before you begin

Before you start, make sure that you have performed the following tasks:

Enable the Google Kubernetes Engine API.

Enable Google Kubernetes Engine API

If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running the gcloud components update command. Earlier gcloud CLI versions might not support running the commands in this document.
Note: For existing gcloud CLI installations, make sure to set the compute/region property . If you use primarily zonal clusters, set the compute/zone instead. By setting a default location, you can avoid errors in the gcloud CLI like the following: One of [--zone, --region] must be supplied: Please specify location . You might need to specify the location in certain commands if the location of your cluster differs from the default that you set.

Use IAM with Kubernetes RBAC

Kubernetes has a built-in access control mechanism, role-based access control (RBAC) . RBAC controls access on a cluster and namespace level, while IAM works on the project level.

IAM and RBAC can work together. An entity must have sufficient RBAC and IAM permissions to work with resources in your cluster.

Understand IAM roles

The following sections describe the types of IAM roles that you can use to control access to your Google Cloud resources. For more information about each of these types of roles and when to use them, see Choose which type of role to use .

Predefined GKE roles

IAM provides predefined roles that grant access to specific Google Cloud resources and prevent unauthorized access to other resources.

IAM offers the following predefined roles for GKE.

Role

Permissions

Kubernetes Engine Admin

( roles/ container.admin )

Provides access to full management of clusters and their Kubernetes API objects.

To set a service account on nodes, you must also have the Service Account User role ( roles/iam.serviceAccountUser ) on the user-managed service account that your nodes will use .

Lowest-level resources where you can grant this role:

Project

container.*

container.apiServices.create
container.apiServices.delete
container.apiServices.get
container. apiServices. getStatus
container.apiServices.list
container.apiServices.update
container. apiServices. updateStatus
container.auditSinks.create
container.auditSinks.delete
container.auditSinks.get
container.auditSinks.list
container.auditSinks.update
container. backendConfigs. create
container. backendConfigs. delete
container.backendConfigs.get
container.backendConfigs.list
container. backendConfigs. update
container.bindings.create
container.bindings.delete
container.bindings.get
container.bindings.list
container.bindings.update
container. certificateSigningRequests. approve
container. certificateSigningRequests. create
container. certificateSigningRequests. delete
container. certificateSigningRequests. get
container. certificateSigningRequests. getStatus
container. certificateSigningRequests. list
container. certificateSigningRequests. update
container. certificateSigningRequests. updateStatus
container. clusterRoleBindings. create
container. clusterRoleBindings. delete
container. clusterRoleBindings. get
container. clusterRoleBindings. list
container. clusterRoleBindings. update
container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.delete
container. clusterRoles. escalate
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update
container.clusters.connect
container.clusters.create
container. clusters. createTagBinding
container.clusters.delete
container. clusters. deleteTagBinding
container.clusters.get
container. clusters. getCredentials
container.clusters.impersonate
container.clusters.list
container. clusters. listEffectiveTags
container. clusters. listTagBindings
container.clusters.update
container. componentStatuses. get
container. componentStatuses. list
container.configMaps.create
container.configMaps.delete
container.configMaps.get
container.configMaps.list
container.configMaps.update
container. controllerRevisions. create
container. controllerRevisions. delete
container. controllerRevisions. get
container. controllerRevisions. list
container. controllerRevisions. update
container.cronJobs.create
container.cronJobs.delete
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.cronJobs.update
container. cronJobs. updateStatus
container.csiDrivers.create
container.csiDrivers.delete
container.csiDrivers.get
container.csiDrivers.list
container.csiDrivers.update
container.csiNodeInfos.create
container.csiNodeInfos.delete
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodeInfos.update
container.csiNodes.create
container.csiNodes.delete
container.csiNodes.get
container.csiNodes.list
container.csiNodes.update
container. customResourceDefinitions. create
container. customResourceDefinitions. delete
container. customResourceDefinitions. get
container. customResourceDefinitions. getStatus
container. customResourceDefinitions. list
container. customResourceDefinitions. update
container. customResourceDefinitions. updateStatus
container.daemonSets.create
container.daemonSets.delete
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.daemonSets.update
container. daemonSets. updateStatus
container.deployments.create
container.deployments.delete
container.deployments.get
container.deployments.getScale
container. deployments. getStatus
container.deployments.list
container.deployments.rollback
container.deployments.update
container. deployments. updateScale
container. deployments. updateStatus
container. endpointSlices. create
container. endpointSlices. delete
container.endpointSlices.get
container.endpointSlices.list
container. endpointSlices. update
container.endpoints.create
container.endpoints.delete
container.endpoints.get
container.endpoints.list
container.endpoints.update
container.events.create
container.events.delete
container.events.get
container.events.list
container.events.update
container. frontendConfigs. create
container. frontendConfigs. delete
container.frontendConfigs.get
container.frontendConfigs.list
container. frontendConfigs. update
container. horizontalPodAutoscalers. create
container. horizontalPodAutoscalers. delete
container. horizontalPodAutoscalers. get
container. horizontalPodAutoscalers. getStatus
container. horizontalPodAutoscalers. list
container. horizontalPodAutoscalers. update
container. horizontalPodAutoscalers. updateStatus
container.hostServiceAgent.use
container.ingresses.create
container.ingresses.delete
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.ingresses.update
container. ingresses. updateStatus
container. initializerConfigurations. create
container. initializerConfigurations. delete
container. initializerConfigurations. get
container. initializerConfigurations. list
container. initializerConfigurations. update
container.jobs.create
container.jobs.delete
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.jobs.update
container.jobs.updateStatus
container.leases.create
container.leases.delete
container.leases.get
container.leases.list
container.leases.update
container.limitRanges.create
container.limitRanges.delete
container.limitRanges.get
container.limitRanges.list
container.limitRanges.update
container. localSubjectAccessReviews. create
container. localSubjectAccessReviews. list
container. managedCertificates. create
container. managedCertificates. delete
container. managedCertificates. get
container. managedCertificates. list
container. managedCertificates. update
container. mutatingWebhookConfigurations. create
container. mutatingWebhookConfigurations. delete
container. mutatingWebhookConfigurations. get
container. mutatingWebhookConfigurations. list
container. mutatingWebhookConfigurations. update
container.namespaces.create
container.namespaces.delete
container.namespaces.finalize
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.namespaces.update
container. namespaces. updateStatus
container. networkPolicies. create
container. networkPolicies. delete
container.networkPolicies.get
container.networkPolicies.list
container. networkPolicies. update
container.nodes.create
container.nodes.delete
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.nodes.proxy
container.nodes.update
container.nodes.updateStatus
container.operations.get
container.operations.list
container. persistentVolumeClaims. create
container. persistentVolumeClaims. delete
container. persistentVolumeClaims. get
container. persistentVolumeClaims. getStatus
container. persistentVolumeClaims. list
container. persistentVolumeClaims. update
container. persistentVolumeClaims. updateStatus
container. persistentVolumes. create
container. persistentVolumes. delete
container. persistentVolumes. get
container. persistentVolumes. getStatus
container. persistentVolumes. list
container. persistentVolumes. update
container. persistentVolumes. updateStatus
container.petSets.create
container.petSets.delete
container.petSets.get
container.petSets.list
container.petSets.update
container.petSets.updateStatus
container. podDisruptionBudgets. create
container. podDisruptionBudgets. delete
container. podDisruptionBudgets. get
container. podDisruptionBudgets. getStatus
container. podDisruptionBudgets. list
container. podDisruptionBudgets. update
container. podDisruptionBudgets. updateStatus
container.podPresets.create
container.podPresets.delete
container.podPresets.get
container.podPresets.list
container.podPresets.update
container. podSecurityPolicies. create
container. podSecurityPolicies. delete
container. podSecurityPolicies. get
container. podSecurityPolicies. list
container. podSecurityPolicies. update
container. podSecurityPolicies. use
container.podTemplates.create
container.podTemplates.delete
container.podTemplates.get
container.podTemplates.list
container.podTemplates.update
container.pods.attach
container.pods.create
container.pods.delete
container.pods.evict
container.pods.exec
container.pods.get
container.pods.getLogs
container.pods.getStatus
container.pods.initialize
container.pods.list
container.pods.portForward
container.pods.proxy
container.pods.update
container.pods.updateStatus
container. priorityClasses. create
container. priorityClasses. delete
container.priorityClasses.get
container.priorityClasses.list
container. priorityClasses. update
container.replicaSets.create
container.replicaSets.delete
container.replicaSets.get
container.replicaSets.getScale
container. replicaSets. getStatus
container.replicaSets.list
container.replicaSets.update
container. replicaSets. updateScale
container. replicaSets. updateStatus
container. replicationControllers. create
container. replicationControllers. delete
container. replicationControllers. get
container. replicationControllers. getScale
container. replicationControllers. getStatus
container. replicationControllers. list
container. replicationControllers. update
container. replicationControllers. updateScale
container. replicationControllers. updateStatus
container. resourceQuotas. create
container. resourceQuotas. delete
container.resourceQuotas.get
container. resourceQuotas. getStatus
container.resourceQuotas.list
container. resourceQuotas. update
container. resourceQuotas. updateStatus
container.roleBindings.create
container.roleBindings.delete
container.roleBindings.get
container.roleBindings.list
container.roleBindings.update
container.roles.bind
container.roles.create
container.roles.delete
container.roles.escalate
container.roles.get
container.roles.list
container.roles.update
container. runtimeClasses. create
container. runtimeClasses. delete
container.runtimeClasses.get
container.runtimeClasses.list
container. runtimeClasses. update
container.scheduledJobs.create
container.scheduledJobs.delete
container.scheduledJobs.get
container.scheduledJobs.list
container.scheduledJobs.update
container. scheduledJobs. updateStatus
container.secrets.create
container.secrets.delete
container.secrets.get
container.secrets.list
container.secrets.update
container. selfSubjectAccessReviews. create
container. selfSubjectAccessReviews. list
container. selfSubjectRulesReviews. create
container. serviceAccounts. create
container. serviceAccounts. createToken
container. serviceAccounts. delete
container.serviceAccounts.get
container.serviceAccounts.list
container. serviceAccounts. update
container.services.create
container.services.delete
container.services.get
container.services.getStatus
container.services.list
container.services.proxy
container.services.update
container. services. updateStatus
container.statefulSets.create
container.statefulSets.delete
container.statefulSets.get
container. statefulSets. getScale
container. statefulSets. getStatus
container.statefulSets.list
container.statefulSets.update
container. statefulSets. updateScale
container. statefulSets. updateStatus
container. storageClasses. create
container. storageClasses. delete
container.storageClasses.get
container.storageClasses.list
container. storageClasses. update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container. storageStates. getStatus
container.storageStates.list
container.storageStates.update
container. storageStates. updateStatus
container. storageVersionMigrations. create
container. storageVersionMigrations. delete
container. storageVersionMigrations. get
container. storageVersionMigrations. getStatus
container. storageVersionMigrations. list
container. storageVersionMigrations. update
container. storageVersionMigrations. updateStatus
container. subjectAccessReviews. create
container. subjectAccessReviews. list
container. thirdPartyObjects. create
container. thirdPartyObjects. delete
container. thirdPartyObjects. get
container. thirdPartyObjects. list
container. thirdPartyObjects. update
container. thirdPartyResources. create
container. thirdPartyResources. delete
container. thirdPartyResources. get
container. thirdPartyResources. list
container. thirdPartyResources. update
container.tokenReviews.create
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container. validatingWebhookConfigurations. create
container. validatingWebhookConfigurations. delete
container. validatingWebhookConfigurations. get
container. validatingWebhookConfigurations. list
container. validatingWebhookConfigurations. update
container. volumeAttachments. create
container. volumeAttachments. delete
container. volumeAttachments. get
container. volumeAttachments. getStatus
container. volumeAttachments. list
container. volumeAttachments. update
container. volumeAttachments. updateStatus
container. volumeSnapshotClasses. create
container. volumeSnapshotClasses. delete
container. volumeSnapshotClasses. get
container. volumeSnapshotClasses. list
container. volumeSnapshotClasses. update
container. volumeSnapshotContents. create
container. volumeSnapshotContents. delete
container. volumeSnapshotContents. get
container. volumeSnapshotContents. getStatus
container. volumeSnapshotContents. list
container. volumeSnapshotContents. update
container. volumeSnapshotContents. updateStatus
container. volumeSnapshots. create
container. volumeSnapshots. delete
container.volumeSnapshots.get
container. volumeSnapshots. getStatus
container.volumeSnapshots.list
container. volumeSnapshots. update
container. volumeSnapshots. updateStatus

recommender. containerDiagnosisInsights.*

recommender. containerDiagnosisInsights. get
recommender. containerDiagnosisInsights. list
recommender. containerDiagnosisInsights. update

recommender. containerDiagnosisRecommendations.*

recommender. containerDiagnosisRecommendations. get
recommender. containerDiagnosisRecommendations. list
recommender. containerDiagnosisRecommendations. update

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender. networkAnalyzerGkeConnectivityInsights.*

recommender. networkAnalyzerGkeConnectivityInsights. get
recommender. networkAnalyzerGkeConnectivityInsights. list
recommender. networkAnalyzerGkeConnectivityInsights. update

recommender. networkAnalyzerGkeIpAddressInsights.*

recommender. networkAnalyzerGkeIpAddressInsights. get
recommender. networkAnalyzerGkeIpAddressInsights. list
recommender. networkAnalyzerGkeIpAddressInsights. update

resourcemanager.projects.get

resourcemanager.projects.list

Kubernetes Engine KMS Crypto Key User

( roles/ container.cloudKmsKeyUser )

Allow the Kubernetes Engine service agent in the cluster project to call KMS with user provided crypto keys to sign payloads.

cloudkms.cryptoKeyVersions.get

cloudkms. cryptoKeyVersions. useToSign

cloudkms. cryptoKeyVersions. useToVerify

cloudkms. cryptoKeyVersions. viewPublicKey

cloudkms.cryptoKeys.get

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Kubernetes Engine Cluster Admin

( roles/ container.clusterAdmin )

Provides access to management of clusters.

To set a service account on nodes, you must also have the Service Account User role ( roles/iam.serviceAccountUser ) on the user-managed service account that your nodes will use .

Lowest-level resources where you can grant this role:

Project

container.clusters.connect

container.clusters.create

container.clusters.delete

container.clusters.get

container.clusters.list

container.clusters.update

container.operations.*

container.operations.get
container.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Kubernetes Engine Cluster Viewer

( roles/ container.clusterViewer )

Provides access to get and list GKE clusters.

container.clusters.connect

container.clusters.get

container.clusters.list

resourcemanager.projects.get

resourcemanager.projects.list

Kubernetes Engine Default Node Service Account

( roles/ container.defaultNodeServiceAccount )

Least privilege role to use as the default service account for GKE Nodes.

autoscaling.sites.writeMetrics

logging.logEntries.create

monitoring. metricDescriptors. create

monitoring. metricDescriptors. list

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

Kubernetes Engine Default Node Service Agent

( roles/ container.defaultNodeServiceAgent )

Minimal set of permissions required by a GKE node to support standard capabilities such as logging and monitoring. Replaces the container.nodeServiceAgent role with a reduced permission set.

autoscaling.sites.writeMetrics

logging.logEntries.create

monitoring. metricDescriptors. create

monitoring. metricDescriptors. list

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

serviceusage.services.use

telemetry.metrics.write

telemetry.traces.write

Kubernetes Engine Developer

( roles/ container.developer )

Provides access to Kubernetes API objects inside clusters.

Lowest-level resources where you can grant this role:

Project

container.apiServices.*

container.apiServices.create
container.apiServices.delete
container.apiServices.get
container. apiServices. getStatus
container.apiServices.list
container.apiServices.update
container. apiServices. updateStatus

container.auditSinks.*

container.auditSinks.create
container.auditSinks.delete
container.auditSinks.get
container.auditSinks.list
container.auditSinks.update

container.backendConfigs.*

container. backendConfigs. create
container. backendConfigs. delete
container.backendConfigs.get
container.backendConfigs.list
container. backendConfigs. update

container.bindings.*

container.bindings.create
container.bindings.delete
container.bindings.get
container.bindings.list
container.bindings.update

container. certificateSigningRequests. create

container. certificateSigningRequests. delete

container. certificateSigningRequests. get

container. certificateSigningRequests. list

container. certificateSigningRequests. update

container. certificateSigningRequests. updateStatus

container. clusterRoleBindings. get

container. clusterRoleBindings. list

container.clusterRoles.get

container.clusterRoles.list

container.clusters.connect

container.clusters.get

container.clusters.list

container.componentStatuses.*

container. componentStatuses. get
container. componentStatuses. list

container.configMaps.*

container.configMaps.create
container.configMaps.delete
container.configMaps.get
container.configMaps.list
container.configMaps.update

container. controllerRevisions. get

container. controllerRevisions. list

container.cronJobs.*

container.cronJobs.create
container.cronJobs.delete
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.cronJobs.update
container. cronJobs. updateStatus

container.csiDrivers.*

container.csiDrivers.create
container.csiDrivers.delete
container.csiDrivers.get
container.csiDrivers.list
container.csiDrivers.update

container.csiNodeInfos.*

container.csiNodeInfos.create
container.csiNodeInfos.delete
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodeInfos.update

container.csiNodes.*

container.csiNodes.create
container.csiNodes.delete
container.csiNodes.get
container.csiNodes.list
container.csiNodes.update

container. customResourceDefinitions.*

container. customResourceDefinitions. create
container. customResourceDefinitions. delete
container. customResourceDefinitions. get
container. customResourceDefinitions. getStatus
container. customResourceDefinitions. list
container. customResourceDefinitions. update
container. customResourceDefinitions. updateStatus

container.daemonSets.*

container.daemonSets.create
container.daemonSets.delete
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.daemonSets.update
container. daemonSets. updateStatus

container.deployments.*

container.deployments.create
container.deployments.delete
container.deployments.get
container.deployments.getScale
container. deployments. getStatus
container.deployments.list
container.deployments.rollback
container.deployments.update
container. deployments. updateScale
container. deployments. updateStatus

container.endpointSlices.*

container. endpointSlices. create
container. endpointSlices. delete
container.endpointSlices.get
container.endpointSlices.list
container. endpointSlices. update

container.endpoints.*

container.endpoints.create
container.endpoints.delete
container.endpoints.get
container.endpoints.list
container.endpoints.update

container.events.*

container.events.create
container.events.delete
container.events.get
container.events.list
container.events.update

container.frontendConfigs.*

container. frontendConfigs. create
container. frontendConfigs. delete
container.frontendConfigs.get
container.frontendConfigs.list
container. frontendConfigs. update

container. horizontalPodAutoscalers.*

container. horizontalPodAutoscalers. create
container. horizontalPodAutoscalers. delete
container. horizontalPodAutoscalers. get
container. horizontalPodAutoscalers. getStatus
container. horizontalPodAutoscalers. list
container. horizontalPodAutoscalers. update
container. horizontalPodAutoscalers. updateStatus

container.ingresses.*

container.ingresses.create
container.ingresses.delete
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.ingresses.update
container. ingresses. updateStatus

container. initializerConfigurations.*

container. initializerConfigurations. create
container. initializerConfigurations. delete
container. initializerConfigurations. get
container. initializerConfigurations. list
container. initializerConfigurations. update

container.jobs.*

container.jobs.create
container.jobs.delete
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.jobs.update
container.jobs.updateStatus

container.leases.*

container.leases.create
container.leases.delete
container.leases.get
container.leases.list
container.leases.update

container.limitRanges.*

container.limitRanges.create
container.limitRanges.delete
container.limitRanges.get
container.limitRanges.list
container.limitRanges.update

container. localSubjectAccessReviews.*

container. localSubjectAccessReviews. create
container. localSubjectAccessReviews. list

container. managedCertificates.*

container. managedCertificates. create
container. managedCertificates. delete
container. managedCertificates. get
container. managedCertificates. list
container. managedCertificates. update

container. mutatingWebhookConfigurations. get

container. mutatingWebhookConfigurations. list

container.namespaces.*

container.namespaces.create
container.namespaces.delete
container.namespaces.finalize
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.namespaces.update
container. namespaces. updateStatus

container.networkPolicies.*

container. networkPolicies. create
container. networkPolicies. delete
container.networkPolicies.get
container.networkPolicies.list
container. networkPolicies. update

container.nodes.*

container.nodes.create
container.nodes.delete
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.nodes.proxy
container.nodes.update
container.nodes.updateStatus

container. persistentVolumeClaims.*

container. persistentVolumeClaims. create
container. persistentVolumeClaims. delete
container. persistentVolumeClaims. get
container. persistentVolumeClaims. getStatus
container. persistentVolumeClaims. list
container. persistentVolumeClaims. update
container. persistentVolumeClaims. updateStatus

container.persistentVolumes.*

container. persistentVolumes. create
container. persistentVolumes. delete
container. persistentVolumes. get
container. persistentVolumes. getStatus
container. persistentVolumes. list
container. persistentVolumes. update
container. persistentVolumes. updateStatus

container.petSets.*

container.petSets.create
container.petSets.delete
container.petSets.get
container.petSets.list
container.petSets.update
container.petSets.updateStatus

container. podDisruptionBudgets.*

container. podDisruptionBudgets. create
container. podDisruptionBudgets. delete
container. podDisruptionBudgets. get
container. podDisruptionBudgets. getStatus
container. podDisruptionBudgets. list
container. podDisruptionBudgets. update
container. podDisruptionBudgets. updateStatus

container.podPresets.*

container.podPresets.create
container.podPresets.delete
container.podPresets.get
container.podPresets.list
container.podPresets.update

container. podSecurityPolicies. get

container. podSecurityPolicies. list

container.podTemplates.*

container.podTemplates.create
container.podTemplates.delete
container.podTemplates.get
container.podTemplates.list
container.podTemplates.update

container.pods.*

container.pods.attach
container.pods.create
container.pods.delete
container.pods.evict
container.pods.exec
container.pods.get
container.pods.getLogs
container.pods.getStatus
container.pods.initialize
container.pods.list
container.pods.portForward
container.pods.proxy
container.pods.update
container.pods.updateStatus

container.priorityClasses.*

container. priorityClasses. create
container. priorityClasses. delete
container.priorityClasses.get
container.priorityClasses.list
container. priorityClasses. update

container.replicaSets.*

container.replicaSets.create
container.replicaSets.delete
container.replicaSets.get
container.replicaSets.getScale
container. replicaSets. getStatus
container.replicaSets.list
container.replicaSets.update
container. replicaSets. updateScale
container. replicaSets. updateStatus

container. replicationControllers.*

container. replicationControllers. create
container. replicationControllers. delete
container. replicationControllers. get
container. replicationControllers. getScale
container. replicationControllers. getStatus
container. replicationControllers. list
container. replicationControllers. update
container. replicationControllers. updateScale
container. replicationControllers. updateStatus

container.resourceQuotas.*

container. resourceQuotas. create
container. resourceQuotas. delete
container.resourceQuotas.get
container. resourceQuotas. getStatus
container.resourceQuotas.list
container. resourceQuotas. update
container. resourceQuotas. updateStatus

container.roleBindings.get

container.roleBindings.list

container.roles.get

container.roles.list

container.runtimeClasses.*

container. runtimeClasses. create
container. runtimeClasses. delete
container.runtimeClasses.get
container.runtimeClasses.list
container. runtimeClasses. update

container.scheduledJobs.*

container.scheduledJobs.create
container.scheduledJobs.delete
container.scheduledJobs.get
container.scheduledJobs.list
container.scheduledJobs.update
container. scheduledJobs. updateStatus

container.secrets.*

container.secrets.create
container.secrets.delete
container.secrets.get
container.secrets.list
container.secrets.update

container. selfSubjectAccessReviews.*

container. selfSubjectAccessReviews. create
container. selfSubjectAccessReviews. list

container. selfSubjectRulesReviews. create

container.serviceAccounts.*

container. serviceAccounts. create
container. serviceAccounts. createToken
container. serviceAccounts. delete
container.serviceAccounts.get
container.serviceAccounts.list
container. serviceAccounts. update

container.services.*

container.services.create
container.services.delete
container.services.get
container.services.getStatus
container.services.list
container.services.proxy
container.services.update
container. services. updateStatus

container.statefulSets.*

container.statefulSets.create
container.statefulSets.delete
container.statefulSets.get
container. statefulSets. getScale
container. statefulSets. getStatus
container.statefulSets.list
container.statefulSets.update
container. statefulSets. updateScale
container. statefulSets. updateStatus

container.storageClasses.*

container. storageClasses. create
container. storageClasses. delete
container.storageClasses.get
container.storageClasses.list
container. storageClasses. update

container.storageStates.*

container.storageStates.create
container.storageStates.delete
container.storageStates.get
container. storageStates. getStatus
container.storageStates.list
container.storageStates.update
container. storageStates. updateStatus

container. storageVersionMigrations.*

container. storageVersionMigrations. create
container. storageVersionMigrations. delete
container. storageVersionMigrations. get
container. storageVersionMigrations. getStatus
container. storageVersionMigrations. list
container. storageVersionMigrations. update
container. storageVersionMigrations. updateStatus

container. subjectAccessReviews.*

container. subjectAccessReviews. create
container. subjectAccessReviews. list

container.thirdPartyObjects.*

container. thirdPartyObjects. create
container. thirdPartyObjects. delete
container. thirdPartyObjects. get
container. thirdPartyObjects. list
container. thirdPartyObjects. update

container. thirdPartyResources.*

container. thirdPartyResources. create
container. thirdPartyResources. delete
container. thirdPartyResources. get
container. thirdPartyResources. list
container. thirdPartyResources. update

container.tokenReviews.create

container.updateInfos.*

container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update

container. validatingWebhookConfigurations. get

container. validatingWebhookConfigurations. list

container.volumeAttachments.*

container. volumeAttachments. create
container. volumeAttachments. delete
container. volumeAttachments. get
container. volumeAttachments. getStatus
container. volumeAttachments. list
container. volumeAttachments. update
container. volumeAttachments. updateStatus

container. volumeSnapshotClasses.*

container. volumeSnapshotClasses. create
container. volumeSnapshotClasses. delete
container. volumeSnapshotClasses. get
container. volumeSnapshotClasses. list
container. volumeSnapshotClasses. update

container. volumeSnapshotContents.*

container. volumeSnapshotContents. create
container. volumeSnapshotContents. delete
container. volumeSnapshotContents. get
container. volumeSnapshotContents. getStatus
container. volumeSnapshotContents. list
container. volumeSnapshotContents. update
container. volumeSnapshotContents. updateStatus

container.volumeSnapshots.*

container. volumeSnapshots. create
container. volumeSnapshots. delete
container.volumeSnapshots.get
container. volumeSnapshots. getStatus
container.volumeSnapshots.list
container. volumeSnapshots. update
container. volumeSnapshots. updateStatus

recommender. containerDiagnosisInsights.*

recommender. containerDiagnosisInsights. get
recommender. containerDiagnosisInsights. list
recommender. containerDiagnosisInsights. update

recommender. containerDiagnosisRecommendations.*

recommender. containerDiagnosisRecommendations. get
recommender. containerDiagnosisRecommendations. list
recommender. containerDiagnosisRecommendations. update

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender. networkAnalyzerGkeConnectivityInsights.*

recommender. networkAnalyzerGkeConnectivityInsights. get
recommender. networkAnalyzerGkeConnectivityInsights. list
recommender. networkAnalyzerGkeConnectivityInsights. update

recommender. networkAnalyzerGkeIpAddressInsights.*

recommender. networkAnalyzerGkeIpAddressInsights. get
recommender. networkAnalyzerGkeIpAddressInsights. list
recommender. networkAnalyzerGkeIpAddressInsights. update

resourcemanager.projects.get

resourcemanager.projects.list

Kubernetes Engine Host Service Agent User

( roles/ container.hostServiceAgentUser )

Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also gives access to inspect the firewall rules in the host project.

compute.firewalls.get

compute.networks.get

container.hostServiceAgent.use

dns. networks. bindDNSResponsePolicy

dns. networks. bindPrivateDNSPolicy

dns. networks. bindPrivateDNSZone

dns.responsePolicies.*

dns.responsePolicies.create
dns.responsePolicies.delete
dns.responsePolicies.get
dns.responsePolicies.list
dns.responsePolicies.update

dns.responsePolicyRules.*

dns.responsePolicyRules.create
dns.responsePolicyRules.delete
dns.responsePolicyRules.get
dns.responsePolicyRules.list
dns.responsePolicyRules.update

[Deprecated] Kubernetes Engine Node Service Agent

( roles/ container.nodeServiceAgent )

Minimal set of permission required by a GKE node to support standard capabilities such as logging and monitoring export, and image pulls.

autoscaling.sites.writeMetrics

logging.logEntries.create

monitoring. metricDescriptors. create

monitoring. metricDescriptors. list

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

storage.objects.get

storage.objects.list

Kubernetes Engine Service Agent

( roles/ container.serviceAgent )

Gives Kubernetes Engine account access to manage cluster resources. Includes access to service accounts.

autoscaling. sites. readRecommendations

autoscaling.sites.writeMetrics

autoscaling.sites.writeState

backupdr. backupPlanAssociations. createForComputeDisk

backupdr. backupPlanAssociations. createForComputeInstance

backupdr. backupPlanAssociations. deleteForComputeDisk

backupdr. backupPlanAssociations. deleteForComputeInstance

backupdr. backupPlanAssociations. fetchForComputeDisk

backupdr. backupPlanAssociations. getForComputeDisk

backupdr. backupPlanAssociations. list

backupdr. backupPlanAssociations. triggerBackupForComputeDisk

backupdr. backupPlanAssociations. triggerBackupForComputeInstance

backupdr. backupPlanAssociations. updateForComputeDisk

backupdr. backupPlanAssociations. updateForComputeInstance

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr. backupPlans. useForComputeDisk

backupdr. backupPlans. useForComputeInstance

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.locations.list

backupdr.operations.get

backupdr.operations.list

backupdr. serviceConfig. initialize

bigquery.datasets.create

bigquery.datasets.get

bigquery.tables.create

bigquery.tables.get

bigquery.tables.update

bigquery.tables.updateData

binaryauthorization. policy. evaluatePolicy

certificatemanager. certissuanceconfigs. create

certificatemanager. certissuanceconfigs. delete

certificatemanager. certissuanceconfigs. get

certificatemanager. certissuanceconfigs. list

certificatemanager. certissuanceconfigs. listEffectiveTags

certificatemanager. certissuanceconfigs. listTagBindings

certificatemanager. certissuanceconfigs. update

certificatemanager. certissuanceconfigs. use

certificatemanager. certmapentries. create

certificatemanager. certmapentries. delete

certificatemanager. certmapentries. get

certificatemanager. certmapentries. list

certificatemanager. certmapentries. listEffectiveTags

certificatemanager. certmapentries. listTagBindings

certificatemanager. certmapentries. update

certificatemanager. certmaps. create

certificatemanager. certmaps. delete

certificatemanager. certmaps. get

certificatemanager. certmaps. list

certificatemanager. certmaps. listEffectiveTags

certificatemanager. certmaps. listTagBindings

certificatemanager. certmaps. update

certificatemanager. certmaps. use

certificatemanager. certs. create

certificatemanager. certs. delete

certificatemanager.certs.get

certificatemanager.certs.list

certificatemanager. certs. listEffectiveTags

certificatemanager. certs. listTagBindings

certificatemanager. certs. update

certificatemanager.certs.use

certificatemanager. dnsauthorizations. create

certificatemanager. dnsauthorizations. delete

certificatemanager. dnsauthorizations. get

certificatemanager. dnsauthorizations. list

certificatemanager. dnsauthorizations. listEffectiveTags

certificatemanager. dnsauthorizations. listTagBindings

certificatemanager. dnsauthorizations. update

certificatemanager. dnsauthorizations. use

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.addresses.*

compute.addresses.create
compute. addresses. createInternal
compute. addresses. createTagBinding
compute.addresses.delete
compute. addresses. deleteInternal
compute. addresses. deleteTagBinding
compute.addresses.get
compute.addresses.list
compute. addresses. listEffectiveTags
compute. addresses. listTagBindings
compute.addresses.setLabels
compute.addresses.use
compute.addresses.useInternal

compute.autoscalers.*

compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.list
compute.autoscalers.update

compute.backendBuckets.*

compute. backendBuckets. addSignedUrlKey
compute.backendBuckets.create
compute. backendBuckets. createTagBinding
compute.backendBuckets.delete
compute. backendBuckets. deleteSignedUrlKey
compute. backendBuckets. deleteTagBinding
compute.backendBuckets.get
compute. backendBuckets. getIamPolicy
compute.backendBuckets.list
compute. backendBuckets. listEffectiveTags
compute. backendBuckets. listTagBindings
compute. backendBuckets. setIamPolicy
compute. backendBuckets. setSecurityPolicy
compute.backendBuckets.update
compute.backendBuckets.use

compute.backendServices.*

compute. backendServices. addSignedUrlKey
compute.backendServices.create
compute. backendServices. createTagBinding
compute.backendServices.delete
compute. backendServices. deleteSignedUrlKey
compute. backendServices. deleteTagBinding
compute.backendServices.get
compute. backendServices. getIamPolicy
compute.backendServices.list
compute. backendServices. listEffectiveTags
compute. backendServices. listTagBindings
compute. backendServices. setIamPolicy
compute. backendServices. setSecurityPolicy
compute.backendServices.update
compute.backendServices.use

compute.crossSiteNetworks.*

compute. crossSiteNetworks. create
compute. crossSiteNetworks. delete
compute.crossSiteNetworks.get
compute.crossSiteNetworks.list
compute. crossSiteNetworks. update

compute.diskSettings.*

compute.diskSettings.get
compute.diskSettings.update

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.*

compute. disks. addResourcePolicies
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.deleteTagBinding
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute. disks. listEffectiveTags
compute.disks.listTagBindings
compute. disks. removeResourcePolicies
compute.disks.resize
compute.disks.setIamPolicy
compute.disks.setLabels
compute. disks. startAsyncReplication
compute. disks. stopAsyncReplication
compute. disks. stopGroupAsyncReplication
compute.disks.update
compute.disks.updateKmsKey
compute.disks.use
compute.disks.useReadOnly

compute.externalVpnGateways.*

compute. externalVpnGateways. create
compute. externalVpnGateways. createTagBinding
compute. externalVpnGateways. delete
compute. externalVpnGateways. deleteTagBinding
compute. externalVpnGateways. get
compute. externalVpnGateways. list
compute. externalVpnGateways. listEffectiveTags
compute. externalVpnGateways. listTagBindings
compute. externalVpnGateways. setLabels
compute. externalVpnGateways. use

compute.firewallPolicies.*

compute. firewallPolicies. cloneRules
compute. firewallPolicies. copyRules
compute. firewallPolicies. create
compute. firewallPolicies. createTagBinding
compute. firewallPolicies. delete
compute. firewallPolicies. deleteTagBinding
compute.firewallPolicies.get
compute. firewallPolicies. getIamPolicy
compute.firewallPolicies.list
compute. firewallPolicies. listEffectiveTags
compute. firewallPolicies. listTagBindings
compute.firewallPolicies.move
compute. firewallPolicies. setIamPolicy
compute. firewallPolicies. update
compute.firewallPolicies.use

compute.firewalls.*

compute.firewalls.create
compute. firewalls. createTagBinding
compute.firewalls.delete
compute. firewalls. deleteTagBinding
compute.firewalls.get
compute.firewalls.list
compute. firewalls. listEffectiveTags
compute. firewalls. listTagBindings
compute.firewalls.update

compute.forwardingRules.*

compute.forwardingRules.create
compute. forwardingRules. createTagBinding
compute.forwardingRules.delete
compute. forwardingRules. deleteTagBinding
compute.forwardingRules.get
compute.forwardingRules.list
compute. forwardingRules. listEffectiveTags
compute. forwardingRules. listTagBindings
compute. forwardingRules. pscCreate
compute. forwardingRules. pscDelete
compute. forwardingRules. pscSetLabels
compute. forwardingRules. pscUpdate
compute. forwardingRules. setLabels
compute. forwardingRules. setTarget
compute.forwardingRules.update
compute.forwardingRules.use

compute. futureReservations. list

compute.globalAddresses.*

compute.globalAddresses.create
compute. globalAddresses. createInternal
compute. globalAddresses. createTagBinding
compute.globalAddresses.delete
compute. globalAddresses. deleteInternal
compute. globalAddresses. deleteTagBinding
compute.globalAddresses.get
compute.globalAddresses.list
compute. globalAddresses. listEffectiveTags
compute. globalAddresses. listTagBindings
compute. globalAddresses. setLabels
compute.globalAddresses.use

compute. globalForwardingRules.*

compute. globalForwardingRules. create
compute. globalForwardingRules. createTagBinding
compute. globalForwardingRules. delete
compute. globalForwardingRules. deleteTagBinding
compute. globalForwardingRules. get
compute. globalForwardingRules. list
compute. globalForwardingRules. listEffectiveTags
compute. globalForwardingRules. listTagBindings
compute. globalForwardingRules. pscCreate
compute. globalForwardingRules. pscDelete
compute. globalForwardingRules. pscSetLabels
compute. globalForwardingRules. pscUpdate
compute. globalForwardingRules. setLabels
compute. globalForwardingRules. setTarget
compute. globalForwardingRules. update

compute. globalNetworkEndpointGroups.*

compute. globalNetworkEndpointGroups. attachNetworkEndpoints
compute. globalNetworkEndpointGroups. create
compute. globalNetworkEndpointGroups. createTagBinding
compute. globalNetworkEndpointGroups. delete
compute. globalNetworkEndpointGroups. deleteTagBinding
compute. globalNetworkEndpointGroups. detachNetworkEndpoints
compute. globalNetworkEndpointGroups. get
compute. globalNetworkEndpointGroups. list
compute. globalNetworkEndpointGroups. listEffectiveTags
compute. globalNetworkEndpointGroups. listTagBindings
compute. globalNetworkEndpointGroups. use

compute.globalOperations.get

compute.globalOperations.list

compute. globalPublicDelegatedPrefixes. delete

compute. globalPublicDelegatedPrefixes. get

compute. globalPublicDelegatedPrefixes. list

compute. globalPublicDelegatedPrefixes. updatePolicy

compute.healthChecks.*

compute.healthChecks.create
compute. healthChecks. createTagBinding
compute.healthChecks.delete
compute. healthChecks. deleteTagBinding
compute.healthChecks.get
compute.healthChecks.list
compute. healthChecks. listEffectiveTags
compute. healthChecks. listTagBindings
compute.healthChecks.update
compute.healthChecks.use
compute. healthChecks. useReadOnly

compute.httpHealthChecks.*

compute. httpHealthChecks. create
compute. httpHealthChecks. createTagBinding
compute. httpHealthChecks. delete
compute. httpHealthChecks. deleteTagBinding
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute. httpHealthChecks. listEffectiveTags
compute. httpHealthChecks. listTagBindings
compute. httpHealthChecks. update
compute.httpHealthChecks.use
compute. httpHealthChecks. useReadOnly

compute.httpsHealthChecks.*

compute. httpsHealthChecks. create
compute. httpsHealthChecks. createTagBinding
compute. httpsHealthChecks. delete
compute. httpsHealthChecks. deleteTagBinding
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute. httpsHealthChecks. listEffectiveTags
compute. httpsHealthChecks. listTagBindings
compute. httpsHealthChecks. update
compute.httpsHealthChecks.use
compute. httpsHealthChecks. useReadOnly

compute.images.*

compute.images.create
compute. images. createTagBinding
compute.images.delete
compute. images. deleteTagBinding
compute.images.deprecate
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute. images. listEffectiveTags
compute.images.listTagBindings
compute.images.setIamPolicy
compute.images.setLabels
compute.images.update
compute.images.useReadOnly

compute. instanceGroupManagers.*

compute. instanceGroupManagers. create
compute. instanceGroupManagers. createTagBinding
compute. instanceGroupManagers. delete
compute. instanceGroupManagers. deleteTagBinding
compute. instanceGroupManagers. get
compute. instanceGroupManagers. list
compute. instanceGroupManagers. listEffectiveTags
compute. instanceGroupManagers. listTagBindings
compute. instanceGroupManagers. update
compute. instanceGroupManagers. use

compute.instanceGroups.*

compute.instanceGroups.create
compute. instanceGroups. createTagBinding
compute.instanceGroups.delete
compute. instanceGroups. deleteTagBinding
compute.instanceGroups.get
compute.instanceGroups.list
compute. instanceGroups. listEffectiveTags
compute. instanceGroups. listTagBindings
compute.instanceGroups.update
compute.instanceGroups.use

compute.instanceSettings.*

compute.instanceSettings.get
compute. instanceSettings. update

compute.instanceTemplates.*

compute. instanceTemplates. create
compute. instanceTemplates. delete
compute.instanceTemplates.get
compute. instanceTemplates. getIamPolicy
compute.instanceTemplates.list
compute. instanceTemplates. setIamPolicy
compute. instanceTemplates. useReadOnly

compute.instances.*

compute. instances. addAccessConfig
compute. instances. addNetworkInterface
compute. instances. addResourcePolicies
compute.instances.attachDisk
compute.instances.create
compute. instances. createTagBinding
compute.instances.delete
compute. instances. deleteAccessConfig
compute. instances. deleteNetworkInterface
compute. instances. deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute. instances. getEffectiveFirewalls
compute. instances. getGuestAttributes
compute.instances.getIamPolicy
compute. instances. getScreenshot
compute. instances. getSerialPortOutput
compute. instances. getShieldedInstanceIdentity
compute. instances. getShieldedVmIdentity
compute.instances.list
compute. instances. listEffectiveTags
compute. instances. listReferrers
compute. instances. listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute. instances. pscInterfaceCreate
compute. instances. removeResourcePolicies
compute.instances.reset
compute.instances.resume
compute. instances. sendDiagnosticInterrupt
compute. instances. setDeletionProtection
compute. instances. setDiskAutoDelete
compute.instances.setIamPolicy
compute.instances.setLabels
compute. instances. setMachineResources
compute. instances. setMachineType
compute.instances.setMetadata
compute. instances. setMinCpuPlatform
compute.instances.setName
compute. instances. setScheduling
compute. instances. setSecurityPolicy
compute. instances. setServiceAccount
compute. instances. setShieldedInstanceIntegrityPolicy
compute. instances. setShieldedVmIntegrityPolicy
compute.instances.setTags
compute. instances. simulateMaintenanceEvent
compute.instances.start
compute. instances. startWithEncryptionKey
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute. instances. updateAccessConfig
compute. instances. updateDisplayDevice
compute. instances. updateNetworkInterface
compute. instances. updateSecurity
compute. instances. updateShieldedInstanceConfig
compute. instances. updateShieldedVmConfig
compute.instances.use
compute.instances.useReadOnly

compute.instantSnapshots.*

compute. instantSnapshots. create
compute. instantSnapshots. delete
compute. instantSnapshots. export
compute.instantSnapshots.get
compute. instantSnapshots. getIamPolicy
compute.instantSnapshots.list
compute. instantSnapshots. setIamPolicy
compute. instantSnapshots. setLabels
compute. instantSnapshots. useReadOnly

compute. interconnectAttachmentGroups.*

compute. interconnectAttachmentGroups. create
compute. interconnectAttachmentGroups. delete
compute. interconnectAttachmentGroups. get
compute. interconnectAttachmentGroups. list
compute. interconnectAttachmentGroups. patch

compute. interconnectAttachments.*

compute. interconnectAttachments. create
compute. interconnectAttachments. createTagBinding
compute. interconnectAttachments. delete
compute. interconnectAttachments. deleteTagBinding
compute. interconnectAttachments. get
compute. interconnectAttachments. list
compute. interconnectAttachments. listEffectiveTags
compute. interconnectAttachments. listTagBindings
compute. interconnectAttachments. setLabels
compute. interconnectAttachments. update
compute. interconnectAttachments. use

compute.interconnectGroups.*

compute. interconnectGroups. create
compute. interconnectGroups. delete
compute.interconnectGroups.get
compute. interconnectGroups. list
compute. interconnectGroups. patch

compute. interconnectLocations.*

compute. interconnectLocations. get
compute. interconnectLocations. list

compute. interconnectRemoteLocations.*

compute. interconnectRemoteLocations. get
compute. interconnectRemoteLocations. list

compute.interconnects.*

compute.interconnects.create
compute. interconnects. createTagBinding
compute.interconnects.delete
compute. interconnects. deleteTagBinding
compute.interconnects.get
compute. interconnects. getMacsecConfig
compute.interconnects.list
compute. interconnects. listEffectiveTags
compute. interconnects. listTagBindings
compute. interconnects. setLabels
compute.interconnects.update
compute.interconnects.use

compute.licenseCodes.*

compute.licenseCodes.get
compute. licenseCodes. getIamPolicy
compute.licenseCodes.list
compute. licenseCodes. setIamPolicy

compute.licenses.*

compute.licenses.create
compute.licenses.delete
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.licenses.setIamPolicy
compute.licenses.update

compute.machineImages.*

compute.machineImages.create
compute.machineImages.delete
compute.machineImages.get
compute. machineImages. getIamPolicy
compute.machineImages.list
compute. machineImages. setIamPolicy
compute. machineImages. setLabels
compute. machineImages. useReadOnly

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.multiMig.*

compute.multiMig.create
compute.multiMig.delete
compute.multiMig.get
compute.multiMig.list

compute.networkAttachments.*

compute. networkAttachments. create
compute. networkAttachments. createTagBinding
compute. networkAttachments. delete
compute. networkAttachments. deleteTagBinding
compute.networkAttachments.get
compute. networkAttachments. getIamPolicy
compute. networkAttachments. list
compute. networkAttachments. listEffectiveTags
compute. networkAttachments. listTagBindings
compute. networkAttachments. setIamPolicy
compute. networkAttachments. update
compute.networkAttachments.use

compute. networkEndpointGroups.*

compute. networkEndpointGroups. attachNetworkEndpoints
compute. networkEndpointGroups. create
compute. networkEndpointGroups. createTagBinding
compute. networkEndpointGroups. delete
compute. networkEndpointGroups. deleteTagBinding
compute. networkEndpointGroups. detachNetworkEndpoints
compute. networkEndpointGroups. get
compute. networkEndpointGroups. list
compute. networkEndpointGroups. listEffectiveTags
compute. networkEndpointGroups. listTagBindings
compute. networkEndpointGroups. use

compute.networkProfiles.*

compute.networkProfiles.get
compute.networkProfiles.list

compute.networks.*

compute.networks.access
compute.networks.addPeering
compute.networks.create
compute. networks. createTagBinding
compute.networks.delete
compute. networks. deleteTagBinding
compute.networks.get
compute. networks. getEffectiveFirewalls
compute. networks. getRegionEffectiveFirewalls
compute.networks.list
compute. networks. listEffectiveTags
compute. networks. listPeeringRoutes
compute. networks. listTagBindings
compute.networks.mirror
compute.networks.removePeering
compute. networks. setFirewallPolicy
compute. networks. switchToCustomMode
compute.networks.update
compute.networks.updatePeering
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp

compute.nodeGroups.get

compute.packetMirrorings.*

compute. packetMirrorings. create
compute. packetMirrorings. createTagBinding
compute. packetMirrorings. delete
compute. packetMirrorings. deleteTagBinding
compute.packetMirrorings.get
compute.packetMirrorings.list
compute. packetMirrorings. listEffectiveTags
compute. packetMirrorings. listTagBindings
compute. packetMirrorings. update

compute.projects.get

compute. projects. setCommonInstanceMetadata

compute. publicDelegatedPrefixes. delete

compute. publicDelegatedPrefixes. get

compute. publicDelegatedPrefixes. list

compute. publicDelegatedPrefixes. listEffectiveTags

compute. publicDelegatedPrefixes. listTagBindings

compute. publicDelegatedPrefixes. update

compute. publicDelegatedPrefixes. updatePolicy

compute.regionBackendBuckets.*

compute. regionBackendBuckets. create
compute. regionBackendBuckets. createTagBinding
compute. regionBackendBuckets. delete
compute. regionBackendBuckets. deleteTagBinding
compute. regionBackendBuckets. get
compute. regionBackendBuckets. getIamPolicy
compute. regionBackendBuckets. list
compute. regionBackendBuckets. listEffectiveTags
compute. regionBackendBuckets. listTagBindings
compute. regionBackendBuckets. setIamPolicy
compute. regionBackendBuckets. update
compute. regionBackendBuckets. use

compute. regionBackendServices.*

compute. regionBackendServices. create
compute. regionBackendServices. createTagBinding
compute. regionBackendServices. delete
compute. regionBackendServices. deleteTagBinding
compute. regionBackendServices. get
compute. regionBackendServices. getIamPolicy
compute. regionBackendServices. list
compute. regionBackendServices. listEffectiveTags
compute. regionBackendServices. listTagBindings
compute. regionBackendServices. setIamPolicy
compute. regionBackendServices. setSecurityPolicy
compute. regionBackendServices. update
compute. regionBackendServices. use

compute. regionCompositeHealthChecks.*

compute. regionCompositeHealthChecks. create
compute. regionCompositeHealthChecks. delete
compute. regionCompositeHealthChecks. get
compute. regionCompositeHealthChecks. list
compute. regionCompositeHealthChecks. update

compute. regionFirewallPolicies.*

compute. regionFirewallPolicies. cloneRules
compute. regionFirewallPolicies. create
compute. regionFirewallPolicies. createTagBinding
compute. regionFirewallPolicies. delete
compute. regionFirewallPolicies. deleteTagBinding
compute. regionFirewallPolicies. get
compute. regionFirewallPolicies. getIamPolicy
compute. regionFirewallPolicies. list
compute. regionFirewallPolicies. listEffectiveTags
compute. regionFirewallPolicies. listTagBindings
compute. regionFirewallPolicies. setIamPolicy
compute. regionFirewallPolicies. update
compute. regionFirewallPolicies. use

compute. regionHealthAggregationPolicies.*

compute. regionHealthAggregationPolicies. create
compute. regionHealthAggregationPolicies. delete
compute. regionHealthAggregationPolicies. get
compute. regionHealthAggregationPolicies. list
compute. regionHealthAggregationPolicies. update

compute. regionHealthCheckServices.*

compute. regionHealthCheckServices. create
compute. regionHealthCheckServices. delete
compute. regionHealthCheckServices. get
compute. regionHealthCheckServices. list
compute. regionHealthCheckServices. update
compute. regionHealthCheckServices. use

compute.regionHealthChecks.*

compute. regionHealthChecks. create
compute. regionHealthChecks. createTagBinding
compute. regionHealthChecks. delete
compute. regionHealthChecks. deleteTagBinding
compute.regionHealthChecks.get
compute. regionHealthChecks. list
compute. regionHealthChecks. listEffectiveTags
compute. regionHealthChecks. listTagBindings
compute. regionHealthChecks. update
compute.regionHealthChecks.use
compute. regionHealthChecks. useReadOnly

compute.regionHealthSources.*

compute. regionHealthSources. create
compute. regionHealthSources. delete
compute. regionHealthSources. get
compute. regionHealthSources. list
compute. regionHealthSources. update

compute. regionNetworkEndpointGroups.*

compute. regionNetworkEndpointGroups. attachNetworkEndpoints
compute. regionNetworkEndpointGroups. create
compute. regionNetworkEndpointGroups. createTagBinding
compute. regionNetworkEndpointGroups. delete
compute. regionNetworkEndpointGroups. deleteTagBinding
compute. regionNetworkEndpointGroups. detachNetworkEndpoints
compute. regionNetworkEndpointGroups. get
compute. regionNetworkEndpointGroups. list
compute. regionNetworkEndpointGroups. listEffectiveTags
compute. regionNetworkEndpointGroups. listTagBindings
compute. regionNetworkEndpointGroups. use

compute. regionNotificationEndpoints.*

compute. regionNotificationEndpoints. create
compute. regionNotificationEndpoints. delete
compute. regionNotificationEndpoints. get
compute. regionNotificationEndpoints. list
compute. regionNotificationEndpoints. update
compute. regionNotificationEndpoints. use

compute.regionOperations.get

compute.regionOperations.list

compute. regionSecurityPolicies.*

compute. regionSecurityPolicies. create
compute. regionSecurityPolicies. createTagBinding
compute. regionSecurityPolicies. delete
compute. regionSecurityPolicies. deleteTagBinding
compute. regionSecurityPolicies. get
compute. regionSecurityPolicies. list
compute. regionSecurityPolicies. listEffectiveTags
compute. regionSecurityPolicies. listTagBindings
compute. regionSecurityPolicies. update
compute. regionSecurityPolicies. use

compute. regionSslCertificates.*

compute. regionSslCertificates. create
compute. regionSslCertificates. createTagBinding
compute. regionSslCertificates. delete
compute. regionSslCertificates. deleteTagBinding
compute. regionSslCertificates. get
compute. regionSslCertificates. list
compute. regionSslCertificates. listEffectiveTags
compute. regionSslCertificates. listTagBindings

compute.regionSslPolicies.*

compute. regionSslPolicies. create
compute. regionSslPolicies. createTagBinding
compute. regionSslPolicies. delete
compute. regionSslPolicies. deleteTagBinding
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute. regionSslPolicies. listAvailableFeatures
compute. regionSslPolicies. listEffectiveTags
compute. regionSslPolicies. listTagBindings
compute. regionSslPolicies. update
compute.regionSslPolicies.use

compute. regionTargetHttpProxies.*

compute. regionTargetHttpProxies. create
compute. regionTargetHttpProxies. createTagBinding
compute. regionTargetHttpProxies. delete
compute. regionTargetHttpProxies. deleteTagBinding
compute. regionTargetHttpProxies. get
compute. regionTargetHttpProxies. list
compute. regionTargetHttpProxies. listEffectiveTags
compute. regionTargetHttpProxies. listTagBindings
compute. regionTargetHttpProxies. setUrlMap
compute. regionTargetHttpProxies. use

compute. regionTargetHttpsProxies.*

compute. regionTargetHttpsProxies. create
compute. regionTargetHttpsProxies. createTagBinding
compute. regionTargetHttpsProxies. delete
compute. regionTargetHttpsProxies. deleteTagBinding
compute. regionTargetHttpsProxies. get
compute. regionTargetHttpsProxies. list
compute. regionTargetHttpsProxies. listEffectiveTags
compute. regionTargetHttpsProxies. listTagBindings
compute. regionTargetHttpsProxies. setSslCertificates
compute. regionTargetHttpsProxies. setUrlMap
compute. regionTargetHttpsProxies. update
compute. regionTargetHttpsProxies. use

compute. regionTargetTcpProxies.*

compute. regionTargetTcpProxies. create
compute. regionTargetTcpProxies. createTagBinding
compute. regionTargetTcpProxies. delete
compute. regionTargetTcpProxies. deleteTagBinding
compute. regionTargetTcpProxies. get
compute. regionTargetTcpProxies. list
compute. regionTargetTcpProxies. listEffectiveTags
compute. regionTargetTcpProxies. listTagBindings
compute. regionTargetTcpProxies. use

compute.regionUrlMaps.*

compute.regionUrlMaps.create
compute. regionUrlMaps. createTagBinding
compute.regionUrlMaps.delete
compute. regionUrlMaps. deleteTagBinding
compute.regionUrlMaps.get
compute. regionUrlMaps. invalidateCache
compute.regionUrlMaps.list
compute. regionUrlMaps. listEffectiveTags
compute. regionUrlMaps. listTagBindings
compute.regionUrlMaps.update
compute.regionUrlMaps.use
compute.regionUrlMaps.validate

compute.regions.*

compute.regions.get
compute.regions.list

compute.reservationBlocks.get

compute.reservationBlocks.list

compute.reservationSubBlocks.*

compute. reservationSubBlocks. get
compute. reservationSubBlocks. list
compute. reservationSubBlocks. performMaintenance
compute. reservationSubBlocks. reportFaulty

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.*

compute. resourcePolicies. create
compute. resourcePolicies. delete
compute.resourcePolicies.get
compute. resourcePolicies. getIamPolicy
compute.resourcePolicies.list
compute. resourcePolicies. setIamPolicy
compute. resourcePolicies. update
compute.resourcePolicies.use
compute. resourcePolicies. useReadOnly

compute.routers.*

compute.routers.create
compute. routers. createTagBinding
compute.routers.delete
compute. routers. deleteRoutePolicy
compute. routers. deleteTagBinding
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute. routers. listEffectiveTags
compute. routers. listRoutePolicies
compute. routers. listTagBindings
compute.routers.update
compute. routers. updateRoutePolicy
compute.routers.use

compute.routes.*

compute.routes.create
compute. routes. createTagBinding
compute.routes.delete
compute. routes. deleteTagBinding
compute.routes.get
compute.routes.list
compute. routes. listEffectiveTags
compute.routes.listTagBindings

compute.securityPolicies.*

compute. securityPolicies. addAssociation
compute. securityPolicies. copyRules
compute. securityPolicies. create
compute. securityPolicies. createTagBinding
compute. securityPolicies. delete
compute. securityPolicies. deleteTagBinding
compute.securityPolicies.get
compute.securityPolicies.list
compute. securityPolicies. listEffectiveTags
compute. securityPolicies. listTagBindings
compute.securityPolicies.move
compute. securityPolicies. removeAssociation
compute. securityPolicies. setLabels
compute. securityPolicies. update
compute.securityPolicies.use

compute.serviceAttachments.*

compute. serviceAttachments. create
compute. serviceAttachments. createTagBinding
compute. serviceAttachments. delete
compute. serviceAttachments. deleteTagBinding
compute.serviceAttachments.get
compute. serviceAttachments. getIamPolicy
compute. serviceAttachments. list
compute. serviceAttachments. listEffectiveTags
compute. serviceAttachments. listTagBindings
compute. serviceAttachments. setIamPolicy
compute. serviceAttachments. update
compute.serviceAttachments.use

compute.snapshots.*

compute.snapshots.create
compute. snapshots. createTagBinding
compute.snapshots.delete
compute. snapshots. deleteTagBinding
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute. snapshots. listEffectiveTags
compute. snapshots. listTagBindings
compute.snapshots.setIamPolicy
compute.snapshots.setLabels
compute.snapshots.updateKmsKey
compute.snapshots.useReadOnly

compute.spotAssistants.get

compute.sslCertificates.*

compute.sslCertificates.create
compute. sslCertificates. createTagBinding
compute.sslCertificates.delete
compute. sslCertificates. deleteTagBinding
compute.sslCertificates.get
compute.sslCertificates.list
compute. sslCertificates. listEffectiveTags
compute. sslCertificates. listTagBindings

compute.sslPolicies.*

compute.sslPolicies.create
compute. sslPolicies. createTagBinding
compute.sslPolicies.delete
compute. sslPolicies. deleteTagBinding
compute.sslPolicies.get
compute.sslPolicies.list
compute. sslPolicies. listAvailableFeatures
compute. sslPolicies. listEffectiveTags
compute. sslPolicies. listTagBindings
compute.sslPolicies.update
compute.sslPolicies.use

compute.storagePools.*

compute.storagePools.create
compute.storagePools.delete
compute.storagePools.get
compute. storagePools. getIamPolicy
compute.storagePools.list
compute. storagePools. setIamPolicy
compute.storagePools.update
compute.storagePools.use

compute.subnetworks.*

compute.subnetworks.create
compute. subnetworks. createTagBinding
compute.subnetworks.delete
compute. subnetworks. deleteTagBinding
compute. subnetworks. expandIpCidrRange
compute.subnetworks.get
compute. subnetworks. getIamPolicy
compute.subnetworks.list
compute. subnetworks. listEffectiveTags
compute. subnetworks. listTagBindings
compute.subnetworks.mirror
compute. subnetworks. setIamPolicy
compute. subnetworks. setPrivateIpGoogleAccess
compute.subnetworks.update
compute.subnetworks.use
compute. subnetworks. useExternalIp
compute. subnetworks. usePeerMigration

compute.targetGrpcProxies.*

compute. targetGrpcProxies. create
compute. targetGrpcProxies. createTagBinding
compute. targetGrpcProxies. delete
compute. targetGrpcProxies. deleteTagBinding
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute. targetGrpcProxies. listEffectiveTags
compute. targetGrpcProxies. listTagBindings
compute. targetGrpcProxies. update
compute.targetGrpcProxies.use

compute.targetHttpProxies.*

compute. targetHttpProxies. create
compute. targetHttpProxies. createTagBinding
compute. targetHttpProxies. delete
compute. targetHttpProxies. deleteTagBinding
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute. targetHttpProxies. listEffectiveTags
compute. targetHttpProxies. listTagBindings
compute. targetHttpProxies. setUrlMap
compute. targetHttpProxies. update
compute.targetHttpProxies.use

compute.targetHttpsProxies.*

compute. targetHttpsProxies. create
compute. targetHttpsProxies. createTagBinding
compute. targetHttpsProxies. delete
compute. targetHttpsProxies. deleteTagBinding
compute.targetHttpsProxies.get
compute. targetHttpsProxies. list
compute. targetHttpsProxies. listEffectiveTags
compute. targetHttpsProxies. listTagBindings
compute. targetHttpsProxies. setCertificateMap
compute. targetHttpsProxies. setQuicOverride
compute. targetHttpsProxies. setSslCertificates
compute. targetHttpsProxies. setSslPolicy
compute. targetHttpsProxies. setUrlMap
compute. targetHttpsProxies. update
compute.targetHttpsProxies.use

compute.targetInstances.*

compute.targetInstances.create
compute. targetInstances. createTagBinding
compute.targetInstances.delete
compute. targetInstances. deleteTagBinding
compute.targetInstances.get
compute.targetInstances.list
compute. targetInstances. listEffectiveTags
compute. targetInstances. listTagBindings
compute. targetInstances. setSecurityPolicy
compute.targetInstances.use

compute.targetPools.*

compute. targetPools. addHealthCheck
compute. targetPools. addInstance
compute.targetPools.create
compute. targetPools. createTagBinding
compute.targetPools.delete
compute. targetPools. deleteTagBinding
compute.targetPools.get
compute.targetPools.list
compute. targetPools. listEffectiveTags
compute. targetPools. listTagBindings
compute. targetPools. removeHealthCheck
compute. targetPools. removeInstance
compute. targetPools. setSecurityPolicy
compute.targetPools.update
compute.targetPools.use

compute.targetSslProxies.*

compute. targetSslProxies. create
compute. targetSslProxies. createTagBinding
compute. targetSslProxies. delete
compute. targetSslProxies. deleteTagBinding
compute.targetSslProxies.get
compute.targetSslProxies.list
compute. targetSslProxies. listEffectiveTags
compute. targetSslProxies. listTagBindings
compute. targetSslProxies. setBackendService
compute. targetSslProxies. setCertificateMap
compute. targetSslProxies. setProxyHeader
compute. targetSslProxies. setSslCertificates
compute. targetSslProxies. setSslPolicy
compute. targetSslProxies. update
compute.targetSslProxies.use

compute.targetTcpProxies.*

compute. targetTcpProxies. create
compute. targetTcpProxies. createTagBinding
compute. targetTcpProxies. delete
compute. targetTcpProxies. deleteTagBinding
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute. targetTcpProxies. listEffectiveTags
compute. targetTcpProxies. listTagBindings
compute. targetTcpProxies. update
compute.targetTcpProxies.use

compute.targetVpnGateways.*

compute. targetVpnGateways. create
compute. targetVpnGateways. createTagBinding
compute. targetVpnGateways. delete
compute. targetVpnGateways. deleteTagBinding
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute. targetVpnGateways. listEffectiveTags
compute. targetVpnGateways. listTagBindings
compute. targetVpnGateways. setLabels
compute.targetVpnGateways.use

compute.urlMaps.*

compute.urlMaps.create
compute. urlMaps. createTagBinding
compute.urlMaps.delete
compute. urlMaps. deleteTagBinding
compute.urlMaps.get
compute. urlMaps. invalidateCache
compute.urlMaps.list
compute. urlMaps. listEffectiveTags
compute. urlMaps. listTagBindings
compute.urlMaps.update
compute.urlMaps.use
compute.urlMaps.validate

compute.vpnGateways.*

compute.vpnGateways.create
compute. vpnGateways. createTagBinding
compute.vpnGateways.delete
compute. vpnGateways. deleteTagBinding
compute.vpnGateways.get
compute.vpnGateways.list
compute. vpnGateways. listEffectiveTags
compute. vpnGateways. listTagBindings
compute.vpnGateways.setLabels
compute.vpnGateways.use

compute.vpnTunnels.*

compute.vpnTunnels.create
compute. vpnTunnels. createTagBinding
compute.vpnTunnels.delete
compute. vpnTunnels. deleteTagBinding
compute.vpnTunnels.get
compute.vpnTunnels.list
compute. vpnTunnels. listEffectiveTags
compute. vpnTunnels. listTagBindings
compute.vpnTunnels.setLabels

compute.wireGroups.*

compute.wireGroups.create
compute.wireGroups.delete
compute.wireGroups.get
compute.wireGroups.list
compute.wireGroups.update

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

container.*

container.apiServices.create
container.apiServices.delete
container.apiServices.get
container. apiServices. getStatus
container.apiServices.list
container.apiServices.update
container. apiServices. updateStatus
container.auditSinks.create
container.auditSinks.delete
container.auditSinks.get
container.auditSinks.list
container.auditSinks.update
container. backendConfigs. create
container. backendConfigs. delete
container.backendConfigs.get
container.backendConfigs.list
container. backendConfigs. update
container.bindings.create
container.bindings.delete
container.bindings.get
container.bindings.list
container.bindings.update
container. certificateSigningRequests. approve
container. certificateSigningRequests. create
container. certificateSigningRequests. delete
container. certificateSigningRequests. get
container. certificateSigningRequests. getStatus
container. certificateSigningRequests. list
container. certificateSigningRequests. update
container. certificateSigningRequests. updateStatus
container. clusterRoleBindings. create
container. clusterRoleBindings. delete
container. clusterRoleBindings. get
container. clusterRoleBindings. list
container. clusterRoleBindings. update
container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.delete
container. clusterRoles. escalate
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update
container.clusters.connect
container.clusters.create
container. clusters. createTagBinding
container.clusters.delete
container. clusters. deleteTagBinding
container.clusters.get
container. clusters. getCredentials
container.clusters.impersonate
container.clusters.list
container. clusters. listEffectiveTags
container. clusters. listTagBindings
container.clusters.update
container. componentStatuses. get
container. componentStatuses. list
container.configMaps.create
container.configMaps.delete
container.configMaps.get
container.configMaps.list
container.configMaps.update
container. controllerRevisions. create
container. controllerRevisions. delete
container. controllerRevisions. get
container. controllerRevisions. list
container. controllerRevisions. update
container.cronJobs.create
container.cronJobs.delete
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.cronJobs.update
container. cronJobs. updateStatus
container.csiDrivers.create
container.csiDrivers.delete
container.csiDrivers.get
container.csiDrivers.list
container.csiDrivers.update
container.csiNodeInfos.create
container.csiNodeInfos.delete
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodeInfos.update
container.csiNodes.create
container.csiNodes.delete
container.csiNodes.get
container.csiNodes.list
container.csiNodes.update
container. customResourceDefinitions. create
container. customResourceDefinitions. delete
container. customResourceDefinitions. get
container. customResourceDefinitions. getStatus
container. customResourceDefinitions. list
container. customResourceDefinitions. update
container. customResourceDefinitions. updateStatus
container.daemonSets.create
container.daemonSets.delete
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.daemonSets.update
container. daemonSets. updateStatus
container.deployments.create
container.deployments.delete
container.deployments.get
container.deployments.getScale
container. deployments. getStatus
container.deployments.list
container.deployments.rollback
container.deployments.update
container. deployments. updateScale
container. deployments. updateStatus
container. endpointSlices. create
container. endpointSlices. delete
container.endpointSlices.get
container.endpointSlices.list
container. endpointSlices. update
container.endpoints.create
container.endpoints.delete
container.endpoints.get
container.endpoints.list
container.endpoints.update
container.events.create
container.events.delete
container.events.get
container.events.list
container.events.update
container. frontendConfigs. create
container. frontendConfigs. delete
container.frontendConfigs.get
container.frontendConfigs.list
container. frontendConfigs. update
container. horizontalPodAutoscalers. create
container. horizontalPodAutoscalers. delete
container. horizontalPodAutoscalers. get
container. horizontalPodAutoscalers. getStatus
container. horizontalPodAutoscalers. list
container. horizontalPodAutoscalers. update
container. horizontalPodAutoscalers. updateStatus
container.hostServiceAgent.use
container.ingresses.create
container.ingresses.delete
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.ingresses.update
container. ingresses. updateStatus
container. initializerConfigurations. create
container. initializerConfigurations. delete
container. initializerConfigurations. get
container. initializerConfigurations. list
container. initializerConfigurations. update
container.jobs.create
container.jobs.delete
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.jobs.update
container.jobs.updateStatus
container.leases.create
container.leases.delete
container.leases.get
container.leases.list
container.leases.update
container.limitRanges.create
container.limitRanges.delete
container.limitRanges.get
container.limitRanges.list
container.limitRanges.update
container. localSubjectAccessReviews. create
container. localSubjectAccessReviews. list
container. managedCertificates. create
container. managedCertificates. delete
container. managedCertificates. get
container. managedCertificates. list
container. managedCertificates. update
container. mutatingWebhookConfigurations. create
container. mutatingWebhookConfigurations. delete
container. mutatingWebhookConfigurations. get
container. mutatingWebhookConfigurations. list
container. mutatingWebhookConfigurations. update
container.namespaces.create
container.namespaces.delete
container.namespaces.finalize
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.namespaces.update
container. namespaces. updateStatus
container. networkPolicies. create
container. networkPolicies. delete
container.networkPolicies.get
container.networkPolicies.list
container. networkPolicies. update
container.nodes.create
container.nodes.delete
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.nodes.proxy
container.nodes.update
container.nodes.updateStatus
container.operations.get
container.operations.list
container. persistentVolumeClaims. create
container. persistentVolumeClaims. delete
container. persistentVolumeClaims. get
container. persistentVolumeClaims. getStatus
container. persistentVolumeClaims. list
container. persistentVolumeClaims. update
container. persistentVolumeClaims. updateStatus
container. persistentVolumes. create
container. persistentVolumes. delete
container. persistentVolumes. get
container. persistentVolumes. getStatus
container. persistentVolumes. list
container. persistentVolumes. update
container. persistentVolumes. updateStatus
container.petSets.create
container.petSets.delete
container.petSets.get
container.petSets.list
container.petSets.update
container.petSets.updateStatus
container. podDisruptionBudgets. create
container. podDisruptionBudgets. delete
container. podDisruptionBudgets. get
container. podDisruptionBudgets. getStatus
container. podDisruptionBudgets. list
container. podDisruptionBudgets. update
container. podDisruptionBudgets. updateStatus
container.podPresets.create
container.podPresets.delete
container.podPresets.get
container.podPresets.list
container.podPresets.update
container. podSecurityPolicies. create
container. podSecurityPolicies. delete
container. podSecurityPolicies. get
container. podSecurityPolicies. list
container. podSecurityPolicies. update
container. podSecurityPolicies. use
container.podTemplates.create
container.podTemplates.delete
container.podTemplates.get
container.podTemplates.list
container.podTemplates.update
container.pods.attach
container.pods.create
container.pods.delete
container.pods.evict
container.pods.exec
container.pods.get
container.pods.getLogs
container.pods.getStatus
container.pods.initialize
container.pods.list
container.pods.portForward
container.pods.proxy
container.pods.update
container.pods.updateStatus
container. priorityClasses. create
container. priorityClasses. delete
container.priorityClasses.get
container.priorityClasses.list
container. priorityClasses. update
container.replicaSets.create
container.replicaSets.delete
container.replicaSets.get
container.replicaSets.getScale
container. replicaSets. getStatus
container.replicaSets.list
container.replicaSets.update
container. replicaSets. updateScale
container. replicaSets. updateStatus
container. replicationControllers. create
container. replicationControllers. delete
container. replicationControllers. get
container. replicationControllers. getScale
container. replicationControllers. getStatus
container. replicationControllers. list
container. replicationControllers. update
container. replicationControllers. updateScale
container. replicationControllers. updateStatus
container. resourceQuotas. create
container. resourceQuotas. delete
container.resourceQuotas.get
container. resourceQuotas. getStatus
container.resourceQuotas.list
container. resourceQuotas. update
container. resourceQuotas. updateStatus
container.roleBindings.create
container.roleBindings.delete
container.roleBindings.get
container.roleBindings.list
container.roleBindings.update
container.roles.bind
container.roles.create
container.roles.delete
container.roles.escalate
container.roles.get
container.roles.list
container.roles.update
container. runtimeClasses. create
container. runtimeClasses. delete
container.runtimeClasses.get
container.runtimeClasses.list
container. runtimeClasses. update
container.scheduledJobs.create
container.scheduledJobs.delete
container.scheduledJobs.get
container.scheduledJobs.list
container.scheduledJobs.update
container. scheduledJobs. updateStatus
container.secrets.create
container.secrets.delete
container.secrets.get
container.secrets.list
container.secrets.update
container. selfSubjectAccessReviews. create
container. selfSubjectAccessReviews. list
container. selfSubjectRulesReviews. create
container. serviceAccounts. create
container. serviceAccounts. createToken
container. serviceAccounts. delete
container.serviceAccounts.get
container.serviceAccounts.list
container. serviceAccounts. update
container.services.create
container.services.delete
container.services.get
container.services.getStatus
container.services.list
container.services.proxy
container.services.update
container. services. updateStatus
container.statefulSets.create
container.statefulSets.delete
container.statefulSets.get
container. statefulSets. getScale
container. statefulSets. getStatus
container.statefulSets.list
container.statefulSets.update
container. statefulSets. updateScale
container. statefulSets. updateStatus
container. storageClasses. create
container. storageClasses. delete
container.storageClasses.get
container.storageClasses.list
container. storageClasses. update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container. storageStates. getStatus
container.storageStates.list
container.storageStates.update
container. storageStates. updateStatus
container. storageVersionMigrations. create
container. storageVersionMigrations. delete
container. storageVersionMigrations. get
container. storageVersionMigrations. getStatus
container. storageVersionMigrations. list
container. storageVersionMigrations. update
container. storageVersionMigrations. updateStatus
container. subjectAccessReviews. create
container. subjectAccessReviews. list
container. thirdPartyObjects. create
container. thirdPartyObjects. delete
container. thirdPartyObjects. get
container. thirdPartyObjects. list
container. thirdPartyObjects. update
container. thirdPartyResources. create
container. thirdPartyResources. delete
container. thirdPartyResources. get
container. thirdPartyResources. list
container. thirdPartyResources. update
container.tokenReviews.create
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container. validatingWebhookConfigurations. create
container. validatingWebhookConfigurations. delete
container. validatingWebhookConfigurations. get
container. validatingWebhookConfigurations. list
container. validatingWebhookConfigurations. update
container. volumeAttachments. create
container. volumeAttachments. delete
container. volumeAttachments. get
container. volumeAttachments. getStatus
container. volumeAttachments. list
container. volumeAttachments. update
container. volumeAttachments. updateStatus
container. volumeSnapshotClasses. create
container. volumeSnapshotClasses. delete
container. volumeSnapshotClasses. get
container. volumeSnapshotClasses. list
container. volumeSnapshotClasses. update
container. volumeSnapshotContents. create
container. volumeSnapshotContents. delete
container. volumeSnapshotContents. get
container. volumeSnapshotContents. getStatus
container. volumeSnapshotContents. list
container. volumeSnapshotContents. update
container. volumeSnapshotContents. updateStatus
container. volumeSnapshots. create
container. volumeSnapshots. delete
container.volumeSnapshots.get
container. volumeSnapshots. getStatus
container.volumeSnapshots.list
container. volumeSnapshots. update
container. volumeSnapshots. updateStatus

dns.changes.*

dns.changes.create
dns.changes.get
dns.changes.list

dns.dnsKeys.*

dns.dnsKeys.get
dns.dnsKeys.list

dns.gkeClusters.*

dns. gkeClusters. bindDNSResponsePolicy
dns. gkeClusters. bindPrivateDNSZone

dns.managedZoneOperations.*

dns.managedZoneOperations.get
dns.managedZoneOperations.list

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.update

dns.networks.*

dns. networks. bindDNSResponsePolicy
dns. networks. bindPrivateDNSPolicy
dns. networks. bindPrivateDNSZone
dns. networks. targetWithPeeringZone
dns.networks.useHealthSignals

dns.policies.*

dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.list
dns.policies.update

dns.projects.get

dns.resourceRecordSets.*

dns.resourceRecordSets.create
dns.resourceRecordSets.delete
dns.resourceRecordSets.get
dns.resourceRecordSets.list
dns.resourceRecordSets.update

dns.responsePolicies.*

dns.responsePolicies.create
dns.responsePolicies.delete
dns.responsePolicies.get
dns.responsePolicies.list
dns.responsePolicies.update

dns.responsePolicyRules.*

dns.responsePolicyRules.create
dns.responsePolicyRules.delete
dns.responsePolicyRules.get
dns.responsePolicyRules.list
dns.responsePolicyRules.update

file.*

file.backups.create
file.backups.createTagBinding
file.backups.delete
file.backups.deleteTagBinding
file.backups.get
file.backups.list
file.backups.listEffectiveTags
file.backups.listTagBindings
file.backups.update
file.instances.create
file. instances. createTagBinding
file.instances.delete
file. instances. deleteTagBinding
file.instances.get
file.instances.list
file. instances. listEffectiveTags
file.instances.listTagBindings
file.instances.restore
file.instances.revert
file.instances.update
file.locations.get
file.locations.list
file.operations.cancel
file.operations.delete
file.operations.get
file.operations.list
file. snapshots. createTagBinding
file. snapshots. deleteTagBinding
file. snapshots. listEffectiveTags
file.snapshots.listTagBindings

iam.serviceAccounts.actAs

iam.serviceAccounts.get

logging.logEntries.create

lustre.instances.create

lustre.instances.delete

lustre.instances.get

lustre.instances.importData

lustre.instances.list

lustre.instances.update

lustre.locations.*

lustre.locations.get
lustre.locations.list

lustre.operations.*

lustre.operations.cancel
lustre.operations.delete
lustre.operations.get
lustre.operations.list

monitoring. metricDescriptors. create

monitoring. metricDescriptors. get

monitoring. metricDescriptors. list

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

networkconnectivity. internalRanges.*

networkconnectivity. internalRanges. create
networkconnectivity. internalRanges. delete
networkconnectivity. internalRanges. get
networkconnectivity. internalRanges. getIamPolicy
networkconnectivity. internalRanges. list
networkconnectivity. internalRanges. setIamPolicy
networkconnectivity. internalRanges. update

networkconnectivity. locations.*

networkconnectivity. locations. get
networkconnectivity. locations. list

networkconnectivity. operations.*

networkconnectivity. operations. cancel
networkconnectivity. operations. delete
networkconnectivity. operations. get
networkconnectivity. operations. list

networkconnectivity. policyBasedRoutes.*

networkconnectivity. policyBasedRoutes. create
networkconnectivity. policyBasedRoutes. delete
networkconnectivity. policyBasedRoutes. get
networkconnectivity. policyBasedRoutes. getIamPolicy
networkconnectivity. policyBasedRoutes. list
networkconnectivity. policyBasedRoutes. setIamPolicy

networkconnectivity. regionalEndpoints.*

networkconnectivity. regionalEndpoints. create
networkconnectivity. regionalEndpoints. delete
networkconnectivity. regionalEndpoints. get
networkconnectivity. regionalEndpoints. list

networkconnectivity. serviceClasses.*

networkconnectivity. serviceClasses. create
networkconnectivity. serviceClasses. delete
networkconnectivity. serviceClasses. get
networkconnectivity. serviceClasses. list
networkconnectivity. serviceClasses. update
networkconnectivity. serviceClasses. use

networkconnectivity. serviceConnectionMaps.*

networkconnectivity. serviceConnectionMaps. create
networkconnectivity. serviceConnectionMaps. delete
networkconnectivity. serviceConnectionMaps. get
networkconnectivity. serviceConnectionMaps. list
networkconnectivity. serviceConnectionMaps. update

networkconnectivity. serviceConnectionPolicies.*

networkconnectivity. serviceConnectionPolicies. create
networkconnectivity. serviceConnectionPolicies. delete
networkconnectivity. serviceConnectionPolicies. get
networkconnectivity. serviceConnectionPolicies. list
networkconnectivity. serviceConnectionPolicies. update

networkmanagement. connectivitytests. get

networkmanagement. connectivitytests. list

networksecurity. addressGroups.*

networksecurity. addressGroups. create
networksecurity. addressGroups. delete
networksecurity. addressGroups. get
networksecurity. addressGroups. getIamPolicy
networksecurity. addressGroups. list
networksecurity. addressGroups. setIamPolicy
networksecurity. addressGroups. update
networksecurity. addressGroups. use

networksecurity. authorizationPolicies.*

networksecurity. authorizationPolicies. create
networksecurity. authorizationPolicies. delete
networksecurity. authorizationPolicies. get
networksecurity. authorizationPolicies. getIamPolicy
networksecurity. authorizationPolicies. list
networksecurity. authorizationPolicies. setIamPolicy
networksecurity. authorizationPolicies. update
networksecurity. authorizationPolicies. use

networksecurity. authzPolicies.*

networksecurity. authzPolicies. create
networksecurity. authzPolicies. delete
networksecurity. authzPolicies. get
networksecurity. authzPolicies. getIamPolicy
networksecurity. authzPolicies. list
networksecurity. authzPolicies. setIamPolicy
networksecurity. authzPolicies. update

networksecurity. backendAuthenticationConfigs.*

networksecurity. backendAuthenticationConfigs. create
networksecurity. backendAuthenticationConfigs. delete
networksecurity. backendAuthenticationConfigs. get
networksecurity. backendAuthenticationConfigs. list
networksecurity. backendAuthenticationConfigs. update
networksecurity. backendAuthenticationConfigs. use

networksecurity. clientTlsPolicies.*

networksecurity. clientTlsPolicies. create
networksecurity. clientTlsPolicies. delete
networksecurity. clientTlsPolicies. get
networksecurity. clientTlsPolicies. getIamPolicy
networksecurity. clientTlsPolicies. list
networksecurity. clientTlsPolicies. setIamPolicy
networksecurity. clientTlsPolicies. update
networksecurity. clientTlsPolicies. use

networksecurity. firewallEndpointAssociations.*

networksecurity. firewallEndpointAssociations. create
networksecurity. firewallEndpointAssociations. delete
networksecurity. firewallEndpointAssociations. get
networksecurity. firewallEndpointAssociations. list
networksecurity. firewallEndpointAssociations. update

networksecurity. firewallEndpoints.*

networksecurity. firewallEndpoints. create
networksecurity. firewallEndpoints. delete
networksecurity. firewallEndpoints. get
networksecurity. firewallEndpoints. list
networksecurity. firewallEndpoints. update
networksecurity. firewallEndpoints. use

networksecurity. gatewaySecurityPolicies.*

networksecurity. gatewaySecurityPolicies. create
networksecurity. gatewaySecurityPolicies. delete
networksecurity. gatewaySecurityPolicies. get
networksecurity. gatewaySecurityPolicies. list
networksecurity. gatewaySecurityPolicies. update
networksecurity. gatewaySecurityPolicies. use

networksecurity. gatewaySecurityPolicyRules.*

networksecurity. gatewaySecurityPolicyRules. create
networksecurity. gatewaySecurityPolicyRules. delete
networksecurity. gatewaySecurityPolicyRules. get
networksecurity. gatewaySecurityPolicyRules. list
networksecurity. gatewaySecurityPolicyRules. update
networksecurity. gatewaySecurityPolicyRules. use

networksecurity.locations.*

networksecurity.locations.get
networksecurity.locations.list

networksecurity.operations.*

networksecurity. operations. cancel
networksecurity. operations. delete
networksecurity.operations.get
networksecurity. operations. list

networksecurity. sacAttachments.*

networksecurity. sacAttachments. create
networksecurity. sacAttachments. delete
networksecurity. sacAttachments. get
networksecurity. sacAttachments. list

networksecurity.sacRealms.*

networksecurity. sacRealms. create
networksecurity. sacRealms. delete
networksecurity.sacRealms.get
networksecurity.sacRealms.list

networksecurity. securityProfileGroups.*

networksecurity. securityProfileGroups. create
networksecurity. securityProfileGroups. delete
networksecurity. securityProfileGroups. get
networksecurity. securityProfileGroups. list
networksecurity. securityProfileGroups. update
networksecurity. securityProfileGroups. use

networksecurity. securityProfiles.*

networksecurity. securityProfiles. create
networksecurity. securityProfiles. delete
networksecurity. securityProfiles. get
networksecurity. securityProfiles. list
networksecurity. securityProfiles. update
networksecurity. securityProfiles. use

networksecurity. serverTlsPolicies.*

networksecurity. serverTlsPolicies. create
networksecurity. serverTlsPolicies. delete
networksecurity. serverTlsPolicies. get
networksecurity. serverTlsPolicies. getIamPolicy
networksecurity. serverTlsPolicies. list
networksecurity. serverTlsPolicies. setIamPolicy
networksecurity. serverTlsPolicies. update
networksecurity. serverTlsPolicies. use

networksecurity. tlsInspectionPolicies.*

networksecurity. tlsInspectionPolicies. create
networksecurity. tlsInspectionPolicies. delete
networksecurity. tlsInspectionPolicies. get
networksecurity. tlsInspectionPolicies. list
networksecurity. tlsInspectionPolicies. update
networksecurity. tlsInspectionPolicies. use

networksecurity.urlLists.*

networksecurity. urlLists. create
networksecurity. urlLists. delete
networksecurity.urlLists.get
networksecurity.urlLists.list
networksecurity. urlLists. update
networksecurity.urlLists.use

networkservices.*

networkservices. authzExtensions. create
networkservices. authzExtensions. delete
networkservices. authzExtensions. get
networkservices. authzExtensions. list
networkservices. authzExtensions. update
networkservices. authzExtensions. use
networkservices. endpointPolicies. create
networkservices. endpointPolicies. delete
networkservices. endpointPolicies. get
networkservices. endpointPolicies. list
networkservices. endpointPolicies. update
networkservices. gateways. create
networkservices. gateways. delete
networkservices.gateways.get
networkservices.gateways.list
networkservices. gateways. update
networkservices.gateways.use
networkservices. grpcRoutes. create
networkservices. grpcRoutes. delete
networkservices.grpcRoutes.get
networkservices. grpcRoutes. list
networkservices. grpcRoutes. update
networkservices. httpFilters. create
networkservices. httpFilters. delete
networkservices. httpFilters. get
networkservices. httpFilters. list
networkservices. httpFilters. update
networkservices. httpRoutes. create
networkservices. httpRoutes. delete
networkservices.httpRoutes.get
networkservices. httpRoutes. list
networkservices. httpRoutes. update
networkservices. httpfilters. create
networkservices. httpfilters. delete
networkservices. httpfilters. get
networkservices. httpfilters. getIamPolicy
networkservices. httpfilters. list
networkservices. httpfilters. setIamPolicy
networkservices. httpfilters. update
networkservices. httpfilters. use
networkservices. lbEdgeExtensions. create
networkservices. lbEdgeExtensions. delete
networkservices. lbEdgeExtensions. get
networkservices. lbEdgeExtensions. list
networkservices. lbEdgeExtensions. update
networkservices. lbRouteExtensions. create
networkservices. lbRouteExtensions. delete
networkservices. lbRouteExtensions. get
networkservices. lbRouteExtensions. list
networkservices. lbRouteExtensions. update
networkservices. lbTcpExtensions. createForNetwork
networkservices. lbTcpExtensions. deleteForNetwork
networkservices. lbTcpExtensions. getForNetwork
networkservices. lbTcpExtensions. listForNetwork
networkservices. lbTcpExtensions. updateForNetwork
networkservices. lbTrafficExtensions. create
networkservices. lbTrafficExtensions. delete
networkservices. lbTrafficExtensions. get
networkservices. lbTrafficExtensions. list
networkservices. lbTrafficExtensions. update
networkservices.locations.get
networkservices.locations.list
networkservices.meshes.create
networkservices.meshes.delete
networkservices.meshes.get
networkservices.meshes.list
networkservices.meshes.update
networkservices.meshes.use
networkservices. operations. cancel
networkservices. operations. delete
networkservices.operations.get
networkservices. operations. list
networkservices. route_views. get
networkservices. route_views. list
networkservices. serviceBindings. create
networkservices. serviceBindings. delete
networkservices. serviceBindings. get
networkservices. serviceBindings. list
networkservices. serviceBindings. update
networkservices. serviceLbPolicies. create
networkservices. serviceLbPolicies. delete
networkservices. serviceLbPolicies. get
networkservices. serviceLbPolicies. list
networkservices. serviceLbPolicies. update
networkservices. tcpRoutes. create
networkservices. tcpRoutes. delete
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
networkservices. tcpRoutes. update
networkservices. tlsRoutes. create
networkservices. tlsRoutes. delete
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices. tlsRoutes. update
networkservices. wasmPlugins. create
networkservices. wasmPlugins. delete
networkservices. wasmPlugins. get
networkservices. wasmPlugins. list
networkservices. wasmPlugins. update
networkservices. wasmPlugins. use

parallelstore.instances.create

parallelstore.instances.delete

parallelstore.instances.get

parallelstore. instances. importData

parallelstore.instances.list

parallelstore.instances.update

parallelstore.locations.*

parallelstore.locations.get
parallelstore.locations.list

parallelstore.operations.*

parallelstore. operations. cancel
parallelstore. operations. delete
parallelstore.operations.get
parallelstore.operations.list

pubsub.topics.create

pubsub.topics.get

pubsub.topics.publish

recommender. containerDiagnosisInsights.*

recommender. containerDiagnosisInsights. get
recommender. containerDiagnosisInsights. list
recommender. containerDiagnosisInsights. update

recommender. containerDiagnosisRecommendations.*

recommender. containerDiagnosisRecommendations. get
recommender. containerDiagnosisRecommendations. list
recommender. containerDiagnosisRecommendations. update

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender. networkAnalyzerGkeConnectivityInsights.*

recommender. networkAnalyzerGkeConnectivityInsights. get
recommender. networkAnalyzerGkeConnectivityInsights. list
recommender. networkAnalyzerGkeConnectivityInsights. update

recommender. networkAnalyzerGkeIpAddressInsights.*

recommender. networkAnalyzerGkeIpAddressInsights. get
recommender. networkAnalyzerGkeIpAddressInsights. list
recommender. networkAnalyzerGkeIpAddressInsights. update

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager. tagValueBindings. create

servicedirectory. namespaces. create

servicedirectory. namespaces. delete

servicedirectory. services. create

servicedirectory. services. delete

servicenetworking. operations. get

servicenetworking. services. addPeering

servicenetworking. services. createPeeredDnsDomain

servicenetworking. services. deleteConnection

servicenetworking. services. deletePeeredDnsDomain

servicenetworking. services. disableVpcServiceControls

servicenetworking. services. enableVpcServiceControls

servicenetworking.services.get

servicenetworking. services. listPeeredDnsDomains

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

tpu.locations.*

tpu.locations.get
tpu.locations.list

tpu.nodes.create

tpu.nodes.delete

tpu.nodes.get

tpu.nodes.list

tpu.operations.*

tpu.operations.get
tpu.operations.list

trafficdirector.*

trafficdirector. networks. getConfigs
trafficdirector. networks. reportMetrics

Kubernetes Engine Viewer

( roles/ container.viewer )

Provides read-only access to resources within GKE clusters, such as nodes, pods, and GKE API objects.

Lowest-level resources where you can grant this role:

Project

container.apiServices.get

container. apiServices. getStatus

container.apiServices.list

container.auditSinks.get

container.auditSinks.list

container.backendConfigs.get

container.backendConfigs.list

container.bindings.get

container.bindings.list

container. certificateSigningRequests. get

container. certificateSigningRequests. getStatus

container. certificateSigningRequests. list

container. clusterRoleBindings. get

container. clusterRoleBindings. list

container.clusterRoles.get

container.clusterRoles.list

container.clusters.connect

container.clusters.get

container.clusters.list

container.componentStatuses.*

container. componentStatuses. get
container. componentStatuses. list

container.configMaps.get

container.configMaps.list

container. controllerRevisions. get

container. controllerRevisions. list

container.cronJobs.get

container.cronJobs.getStatus

container.cronJobs.list

container.csiDrivers.get

container.csiDrivers.list

container.csiNodeInfos.get

container.csiNodeInfos.list

container.csiNodes.get

container.csiNodes.list

container. customResourceDefinitions. get

container. customResourceDefinitions. getStatus

container. customResourceDefinitions. list

container.daemonSets.get

container.daemonSets.getStatus

container.daemonSets.list

container.deployments.get

container.deployments.getScale

container. deployments. getStatus

container.deployments.list

container.endpointSlices.get

container.endpointSlices.list

container.endpoints.get

container.endpoints.list

container.events.get

container.events.list

container.frontendConfigs.get

container.frontendConfigs.list

container. horizontalPodAutoscalers. get

container. horizontalPodAutoscalers. getStatus

container. horizontalPodAutoscalers. list

container.ingresses.get

container.ingresses.getStatus

container.ingresses.list

container. initializerConfigurations. get

container. initializerConfigurations. list

container.jobs.get

container.jobs.getStatus

container.jobs.list

container.leases.get

container.leases.list

container.limitRanges.get

container.limitRanges.list

container. managedCertificates. get

container. managedCertificates. list

container. mutatingWebhookConfigurations. get

container. mutatingWebhookConfigurations. list

container.namespaces.get

container.namespaces.getStatus

container.namespaces.list

container.networkPolicies.get

container.networkPolicies.list

container.nodes.get

container.nodes.getStatus

container.nodes.list

container.operations.*

container.operations.get
container.operations.list

container. persistentVolumeClaims. get

container. persistentVolumeClaims. getStatus

container. persistentVolumeClaims. list

container. persistentVolumes. get

container. persistentVolumes. getStatus

container. persistentVolumes. list

container.petSets.get

container.petSets.list

container. podDisruptionBudgets. get

container. podDisruptionBudgets. getStatus

container. podDisruptionBudgets. list

container.podPresets.get

container.podPresets.list

container. podSecurityPolicies. get

container. podSecurityPolicies. list

container.podTemplates.get

container.podTemplates.list

container.pods.get

container.pods.getStatus

container.pods.list

container.priorityClasses.get

container.priorityClasses.list

container.replicaSets.get

container.replicaSets.getScale

container. replicaSets. getStatus

container.replicaSets.list

container. replicationControllers. get

container. replicationControllers. getScale

container. replicationControllers. getStatus

container. replicationControllers. list

container.resourceQuotas.get

container. resourceQuotas. getStatus

container.resourceQuotas.list

container.roleBindings.get

container.roleBindings.list

container.roles.get

container.roles.list

container.runtimeClasses.get

container.runtimeClasses.list

container.scheduledJobs.get

container.scheduledJobs.list

container.serviceAccounts.get

container.serviceAccounts.list

container.services.get

container.services.getStatus

container.services.list

container.statefulSets.get

container. statefulSets. getScale

container. statefulSets. getStatus

container.statefulSets.list

container.storageClasses.get

container.storageClasses.list

container.storageStates.get

container. storageStates. getStatus

container.storageStates.list

container. storageVersionMigrations. get

container. storageVersionMigrations. getStatus

container. storageVersionMigrations. list

container. thirdPartyObjects. get

container. thirdPartyObjects. list

container. thirdPartyResources. get

container. thirdPartyResources. list

container.tokenReviews.create

container.updateInfos.get

container.updateInfos.list

container. validatingWebhookConfigurations. get

container. validatingWebhookConfigurations. list

container. volumeAttachments. get

container. volumeAttachments. getStatus

container. volumeAttachments. list

container. volumeSnapshotClasses. get

container. volumeSnapshotClasses. list

container. volumeSnapshotContents. get

container. volumeSnapshotContents. getStatus

container. volumeSnapshotContents. list

container.volumeSnapshots.get

container.volumeSnapshots.list

recommender. containerDiagnosisInsights. get

recommender. containerDiagnosisInsights. list

recommender. containerDiagnosisRecommendations. get

recommender. containerDiagnosisRecommendations. list

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender. networkAnalyzerGkeConnectivityInsights. get

recommender. networkAnalyzerGkeConnectivityInsights. list

recommender. networkAnalyzerGkeIpAddressInsights. get

recommender. networkAnalyzerGkeIpAddressInsights. list

resourcemanager.projects.get

resourcemanager.projects.list

For more information about the individual permissions in each predefined role, see Google Kubernetes Engine roles and permissions . You can also view the permissions in each IAM role using the gcloud CLI or the Google Cloud console. For instructions, refer to View permissions granted by IAM roles .

Basic IAM roles

Basic IAM Roles grant users global, project-level access to all Google Cloud resources. To keep your project and clusters secure, use predefined Roles whenever possible.

To learn more about basic roles, refer to Basic roles in the IAM documentation.

Custom roles

If predefined roles don't meet your needs, you can create custom roles with permissions that you define.

To learn how to create and assign custom roles, refer to Creating and managing custom roles .

Choose roles and permissions for your principals

The principals in your Google Cloud environment, such as users and workloads, might need access to various Google Cloud resources to perform specific tasks. For example, consider a Kubernetes workload that uses Workload Identity Federation for GKE to store data in a Cloud Storage bucket. To give the workload the permissions that it needs, you grant a role that contains those permissions to the principal identifier for that workload.

The permissions that a principal needs depends on the following factors:

The resources that the principal needs to access, such as Cloud Storage buckets.
The task that the principal needs to perform, such as writing to a bucket or reading metadata.

You can give permissions to a principal by using a predefined role that contains those permissions, or by creating a custom role. Unless you require a custom role, we recommend that you use a predefined role. For more information about identifying the permissions that your principals need and giving those permissions to the principals, see Find the right predefined role .

View permissions granted by IAM roles

You can view the permissions granted by each role using the gcloud CLI or the Google Cloud console.

gcloud

To view the permissions granted by a specific role, run the following command:

 gcloud  
iam  
roles  
describe  
roles/ ROLE

Replace ROLE with any IAM role. GKE roles are prefixed with roles/container , such as gcloud iam roles describe roles/container.admin .

Console

To view the permissions granted by a specific role, perform the following steps:

Go to the Rolessection of the IAM & Adminpage on the Google Cloud console.

Go to IAM & Admin
To see the roles for GKE, in the Filter tablefield, enter Kubernetes Engine .
Select the role you want to view. The description of the role and a list of assigned permissions displays.

Manage IAM roles

To learn how to manage IAM roles and permissions for human users, refer to Granting, changing, and revoking access to project members in the IAM documentation.

For service accounts , refer to Granting roles to service accounts .

Examples of IAM use cases

Here are a few examples of how IAM works with GKE:

A new employee has joined a company. They need to be added to the Google Cloud project, but they only need to view the project's clusters and other Google Cloud resources. The project owner assigns them the project-level Compute Viewer role. This role provides read-only access to get and list nodes, which are Compute Engine resources.
The employee is working in operations, and they need to update a cluster using gcloud or the Google Cloud console. This operation requires the container.clusters.update permission, so the project owner assigns them the Kubernetes Engine Cluster Admin role. The employee now has the permissions granted by both the Kubernetes Engine Cluster Admin and Compute Viewer roles.
The employee needs to investigate why a Deployment is having issues. They need to run kubectl get pods to see Pods running in the cluster. The employee already has the Compute Viewer role, which is not sufficient for listing Pods. The employee needs the Kubernetes Engine Viewer role.
The employee needs to create a new cluster. The project owner grants the the Service Account User role on the PROJECT_NUMBER -compute@developer.gserviceaccount.com service account to the employee so that the employee's account can access Compute Engine's default service account. GKE attaches this service account to nodes by default so that system workloads can send data like logs and metrics to Google Cloud.

Create IAM allow policies

Before you begin

Use IAM with Kubernetes RBAC

Understand IAM roles

Predefined GKE roles

Kubernetes Engine Admin

Kubernetes Engine KMS Crypto Key User

Kubernetes Engine Cluster Admin

Kubernetes Engine Cluster Viewer

Kubernetes Engine Default Node Service Account

Kubernetes Engine Default Node Service Agent

Kubernetes Engine Developer

Kubernetes Engine Host Service Agent User

[Deprecated] Kubernetes Engine Node Service Agent

Kubernetes Engine Service Agent

Kubernetes Engine Viewer

Basic IAM roles

Custom roles

Choose roles and permissions for your principals

View permissions granted by IAM roles

gcloud

Console

Manage IAM roles

Examples of IAM use cases

What's next