This page describes the Identity and Access Management (IAM) roles required to configure VPC Service Controls.
Required roles
The following table lists the permissions and roles required to create and list access policies:

Permission: accesscontextmanager.policies.create
Role that provides the permission:
- Access Context Manager Editor role (roles/accesscontextmanager.policyEditor)

Permission: accesscontextmanager.policies.list
Roles that provide the permission:
- Access Context Manager Editor role (roles/accesscontextmanager.policyEditor)
- Access Context Manager Reader role (roles/accesscontextmanager.policyReader)
You can only create, list, or delegate scoped policies if you hold these permissions at the organization level. After you create a scoped policy, you can grant permission to manage that policy by adding IAM bindings on the scoped policy itself.
Permissions granted at the organization level apply to all access policies, including the organization-level policy and every scoped policy.
The following predefined IAM roles provide the necessary permissions to view or configure service perimeters and access levels:
- Access Context Manager Admin ( roles/accesscontextmanager.policyAdmin)
- Access Context Manager Editor ( roles/accesscontextmanager.policyEditor)
- Access Context Manager Reader ( roles/accesscontextmanager.policyReader)
To grant one of these roles, use the Google Cloud console or run one of the following commands in the gcloud CLI. Replace ORGANIZATION_ID with the ID of your Google Cloud organization.
Grant the Access Context Manager Admin role to allow read-write access:

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
        --member="user:example@customer.org" \
        --role="roles/accesscontextmanager.policyAdmin"

Grant the Access Context Manager Editor role to allow read-write access:

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
        --member="user:example@customer.org" \
        --role="roles/accesscontextmanager.policyEditor"

Grant the Access Context Manager Reader role to allow read-only access:

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
        --member="user:example@customer.org" \
        --role="roles/accesscontextmanager.policyReader"
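Because a role granted at the organization level reaches every access policy, including scoped ones, it is worth periodically auditing who holds the Access Context Manager roles named above. The following script is an added example, not part of this documentation page or of the gcloud CLI: it assumes the standard IAM policy JSON shape returned by `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` (a "bindings" list of role/members pairs) and operates on a constructed sample policy embedded inline. It separates read-only from read-write holders and flags write-capable bindings to broad principals (domain:, allUsers, allAuthenticatedUsers), which are the ones a reviewer would normally want to justify or narrow.

```python
"""Audit Access Context Manager (ACM) role holders in an organization IAM policy.

Added example; not from the Google Cloud documentation or the gcloud CLI.
Assumption: the input is the JSON returned by
    gcloud organizations get-iam-policy ORGANIZATION_ID --format=json
i.e. {"bindings": [{"role": "...", "members": ["..."]}, ...], "etag": ..., "version": ...}.
The sample policy below is constructed for illustration.
"""
import json

# Roles listed on the page, grouped by the level of access they grant.
ACM_WRITE_ROLES = {
    "roles/accesscontextmanager.policyAdmin",
    "roles/accesscontextmanager.policyEditor",
}
ACM_READ_ROLES = {"roles/accesscontextmanager.policyReader"}

# Principal kinds that are broader than a single user, group or service account.
BROAD_MEMBER_PREFIXES = ("domain:", "allUsers", "allAuthenticatedUsers")

# Constructed sample: what an org-level get-iam-policy call might return.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/accesscontextmanager.policyAdmin",
         "members": ["user:alice@example.com", "group:vpcsc-admins@example.com"]},
        {"role": "roles/accesscontextmanager.policyReader",
         "members": ["user:bob@example.com"]},
        {"role": "roles/accesscontextmanager.policyEditor",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com",
                     "domain:example.com"]},
        {"role": "roles/viewer",
         "members": ["user:carol@example.com"]},
    ],
    "etag": "BwX-constructed-etag",
    "version": 1,
})


def acm_principals(policy_json):
    """Return {member: set(acm_roles)} for every member bound to an ACM role."""
    policy = json.loads(policy_json)
    holders = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in ACM_WRITE_ROLES and role not in ACM_READ_ROLES:
            continue  # unrelated role, e.g. roles/viewer
        for member in binding.get("members", []):
            holders.setdefault(member, set()).add(role)
    return holders


def org_wide_writers(policy_json):
    """Members who can modify every access policy in the organization."""
    return sorted(member for member, roles in acm_principals(policy_json).items()
                  if roles & ACM_WRITE_ROLES)


def read_only_holders(policy_json):
    """Members whose only ACM access is the Reader role (least privilege)."""
    return sorted(member for member, roles in acm_principals(policy_json).items()
                  if roles and roles <= ACM_READ_ROLES)


def flag_broad_write_bindings(policy_json):
    """(member, role) pairs granting ACM write access to a broad principal."""
    flagged = []
    for member, roles in sorted(acm_principals(policy_json).items()):
        if member.startswith(BROAD_MEMBER_PREFIXES):
            flagged.extend((member, role) for role in sorted(roles & ACM_WRITE_ROLES))
    return flagged


if __name__ == "__main__":
    print("Org-wide ACM writers:", org_wide_writers(SAMPLE_POLICY))
    print("Read-only holders:   ", read_only_holders(SAMPLE_POLICY))
    for member, role in flag_broad_write_bindings(SAMPLE_POLICY):
        print(f"REVIEW: broad principal {member} holds {role}")
```

To run it against a real organization, replace SAMPLE_POLICY with the output of the get-iam-policy command in the docstring; the script only reads the policy and never modifies bindings.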

