This page describes the Identity and Access Management (IAM) permissions that are necessary to perform specific Secure Web Proxy operations. It also explains how to create a custom IAM role and assign the required permissions to the role for managing various Secure Web Proxy resources.
Permissions
The following table lists the permissions that you require to perform specific operations in Secure Web Proxy. For more information, see the IAM permissions reference.
networksecurity.gatewaySecurityPolicies.create
networksecurity.gatewaySecurityPolicies.delete
networksecurity.gatewaySecurityPolicies.get
networksecurity.gatewaySecurityPolicies.list
networksecurity.gatewaySecurityPolicies.update
networksecurity.gatewaySecurityPolicyRules.create
networksecurity.gatewaySecurityPolicyRules.delete
networksecurity.gatewaySecurityPolicyRules.get
networksecurity.gatewaySecurityPolicyRules.list
networksecurity.gatewaySecurityPolicyRules.update
networksecurity.operations.get
networksecurity.tlsInspectionPolicies.create
networksecurity.tlsInspectionPolicies.delete
networksecurity.tlsInspectionPolicies.get
networksecurity.tlsInspectionPolicies.list
networksecurity.tlsInspectionPolicies.update
networksecurity.tlsInspectionPolicies.use
networksecurity.urlLists.create
networksecurity.urlLists.delete
networksecurity.urlLists.get
networksecurity.urlLists.list
networksecurity.urlLists.update
networksecurity.urlLists.use

- certificatemanager.certs.get
- certificatemanager.certs.list
- certificatemanager.certs.use
- compute.addresses.create
- compute.addresses.createInternal
- compute.addresses.list
- compute.instances.update
- compute.networks.get
- compute.networks.list
- compute.projects.get
- compute.regionOperations.get
- compute.routers.create
- compute.routers.delete
- compute.routers.get
- compute.routers.list
- compute.routers.update
- compute.subnetworks.get
- compute.subnetworks.list
- networksecurity.gatewaySecurityPolicies.get
- networksecurity.gatewaySecurityPolicies.list
- networksecurity.gatewaySecurityPolicies.use
- networksecurity.gatewaySecurityPolicyRules.get
- networksecurity.gatewaySecurityPolicyRules.list
- networksecurity.locations.list
- networksecurity.urlLists.get
- networksecurity.urlLists.list
- networksecurity.urlLists.use
- networkservices.gateways.create
- networkservices.gateways.delete
- networkservices.gateways.get
- networkservices.gateways.list
- networkservices.gateways.update
- networkservices.gateways.use
- networkservices.locations.list
- networkservices.operations.get
- networkservices.operations.list
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.quotas.get
- serviceusage.services.get
- serviceusage.services.list
Roles
To get the permissions that you need to provision a Secure Web Proxy instance, ask your administrator to grant you the following IAM roles on your project:
- To configure policies and provision a Secure Web Proxy instance: Compute Network Admin role (roles/compute.networkAdmin)
- To upload explicit Secure Web Proxy TLS certificates: Certificate Manager Editor role (roles/certificatemanager.editor)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
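As an added example (not from the original page), the custom-role route can be scripted by generating a role definition from the `networksecurity` policy permissions in the first list under Permissions and passing it to `gcloud iam roles create --file`. The `viewer` and `editor` modes, the function names, and the choice to leave `.use` out of the read-only role are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: least-privilege custom role definitions for Secure Web Proxy
# policy management. Function names and modes are hypothetical.

# Emit the 23 networksecurity permissions from the first list on this page.
swp_policy_permissions() {
  for res in gatewaySecurityPolicies gatewaySecurityPolicyRules \
             tlsInspectionPolicies urlLists; do
    for verb in create delete get list update; do
      echo "networksecurity.$res.$verb"
    done
  done
  echo "networksecurity.operations.get"
  echo "networksecurity.tlsInspectionPolicies.use"
  echo "networksecurity.urlLists.use"
}

# role_yaml MODE TITLE: print a role definition in the YAML layout that
# `gcloud iam roles create --file` reads.
#   viewer -> only .get/.list (read-only review; cannot change or attach policies)
#   editor -> every permission in the list
role_yaml() {
  mode=$1; title=$2
  case "$mode" in
    viewer) filter='\.(get|list)$' ;;
    editor) filter='.' ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
  printf 'title: "%s"\n' "$title"
  printf 'description: "Secure Web Proxy policy %s (custom role)"\n' "$mode"
  printf 'stage: GA\n'
  printf 'includedPermissions:\n'
  swp_policy_permissions | grep -E "$filter" | sort | sed 's/^/- /'
}

# create_role ROLE_ID PROJECT_ID MODE: write the definition to a temp file and
# create the role. Requires gcloud and rights to manage roles in the project.
create_role() {
  def=$(mktemp) || return 1
  role_yaml "$3" "Secure Web Proxy policy $3" > "$def" &&
    gcloud iam roles create "$1" --project="$2" --file="$def"
  rc=$?; rm -f "$def"; return $rc
}

# Show the read-only definition when the script is run directly.
role_yaml viewer "Secure Web Proxy policy viewer"
```

Reviewing the generated `includedPermissions` before calling `create_role` keeps mutating verbs (`create`, `delete`, `update`) and `.use` out of roles meant only for audit.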
Optional: If you have a set of users who are responsible for managing your Compute Engine organization security policies, then grant them the Compute Organization Security Policy Admin role (roles/compute.orgSecurityPolicyAdmin).
For more information about project roles and permissions, see the following:
- Identity and Access Management documentation
- Compute Engine API documentation
- Cloud Monitoring API documentation
What's next
- To complete the initial tasks to set up Secure Web Proxy, see Initial setup steps.

