Role definitions for projects

The tables in this section describe the predefined roles and their permissions. The tables contain the following columns:

  • Name: The name of a role displayed in the user interface (UI).
  • Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
  • Level: The specification of whether this role is scoped by the organization or a project.
  • Admin or user cluster permissions: The permissions that this role has for admin or user clusters. For example, some possible values are read, write, read and write, or not applicable (N/A).
  • Escalates to: The specification of whether this role escalates to other roles or not.

All roles have the role type IAMRole. To grant a subject permissions in the global API server, bind the subject to a predefined IAMRole with an IAMRoleBinding. All roles and role bindings are global.

AO persona, predefined identity, and access roles

AO persona: role names, Kubernetes resource names, and levels

| Name | Kubernetes resource name | Initial admin | Level |
|---|---|---|---|
| AI Gemini Flash Developer | ai-gemini-flash-developer | False | Project |
| AI OCR Developer | ai-ocr-developer | False | Project |
| AI Platform Viewer | ai-platform-viewer | False | Project |
| AI Speech Chirp Developer | ai-speech-chirp-developer | False | Project |
| AI Speech Developer | ai-speech-developer | False | Project |
| AI Text Embedding Developer | ai-text-embedding-developer | False | Project |
| AI Text Embedding Multilingual Developer | ai-text-embedding-multilingual-developer | False | Project |
| AI Translation Developer | ai-translation-developer | False | Project |
| Artifact Management Admin | artifact-management-admin | False | Project |
| Artifact Management Editor | artifact-management-editor | False | Project |
| Backup Creator | backup-creator | False | Project |
| Certificate Authority Service Admin | certificate-authority-service-admin | False | Project |
| Dashboard Editor | dashboard-editor | False | Project |
| Dashboard Viewer | dashboard-viewer | False | Project |
| Discovery Engine Admin | vaisearch-admin | False | Project |
| Discovery Engine Developer | vaisearch-developer | False | Project |
| Discovery Engine Reader | vaisearch-reader | False | Project |
| Global Load Balancer Admin | global-load-balancer-admin | False | Project |
| Harbor Instance Admin | harbor-instance-admin | False | Project |
| Harbor Instance Viewer | harbor-instance-viewer | False | Project |
| Harbor Project Creator | harbor-project-creator | False | Project |
| K8s NetworkPolicy Admin | k8s-networkpolicy-admin | False | Project |
| KMS Admin | kms-admin | False | Project |
| KMS Creator | kms-creator | False | Project |
| KMS Developer | kms-developer | False | Project |
| KMS Key Export Admin | kms-keyexport-admin | False | Project |
| KMS Key Import Admin | kms-keyimport-admin | False | Project |
| KMS Viewer | kms-viewer | False | Project |
| Load Balancer Admin | load-balancer-admin | False | Project |
| LoggingRule Creator | loggingrule-creator | False | Project |
| LoggingRule Editor | loggingrule-editor | False | Project |
| LoggingRule Viewer | loggingrule-viewer | False | Project |
| LoggingTarget Creator | loggingtarget-creator | False | Project |
| LoggingTarget Editor | loggingtarget-editor | False | Project |
| LoggingTarget Viewer | loggingtarget-viewer | False | Project |
| Marketplace Editor | marketplace-editor | False | Project |
| MonitoringRule Editor | monitoringrule-editor | False | Project |
| MonitoringRule Viewer | monitoringrule-viewer | False | Project |
| MonitoringTarget Editor | monitoringtarget-editor | False | Project |
| MonitoringTarget Viewer | monitoringtarget-viewer | False | Project |
| Namespace Admin | namespace-admin | False | Project |
| NAT Viewer | nat-viewer | False | Project |
| ObservabilityPipeline Editor | observabilitypipeline-editor | False | Project |
| ObservabilityPipeline Viewer | observabilitypipeline-viewer | False | Project |
| Project Bucket Admin | project-bucket-admin | False | Project |
| Project Bucket Object Admin | project-bucket-object-admin | False | Project |
| Project Bucket Object Viewer | project-bucket-object-viewer | False | Project |
| Project NetworkPolicy Admin | project-networkpolicy-admin | False | Project |
| Project DB Admin | project-db-admin | False | Project |
| Project DB Editor | project-db-editor | False | Project |
| Project DB Viewer | project-db-viewer | False | Project |
| Project IAM Admin | project-iam-admin | True | Project |
| Project Viewer | project-viewer | False | Project |
| Project VirtualMachine Admin | project-vm-admin | False | Project |
| Project VirtualMachine Image Admin | project-vm-image-admin | False | Project |
| Secret Admin | secret-admin | False | Project |
| Secret Viewer | secret-viewer | False | Project |
| Service Configuration Admin | service-configuration-admin | False | Project |
| Service Configuration Viewer | service-configuration-viewer | False | Project |
| Volume Replication Admin | app-volume-replication-admin | False | Cluster |
| Vertex AI Prediction User | vertex-ai-prediction-user | False | Project |
| Workbench Notebooks Admin | workbench-notebooks-admin | False | Project |
| Workbench Notebooks Viewer | workbench-notebooks-viewer | False | Project |

AO persona: permissions and escalation

| Name | Management API server permissions | Kubernetes cluster permissions | Escalates to |
|---|---|---|---|
| AI Gemini Flash Developer | Gemini Flash resources: Read and write | N/A | N/A |
| AI OCR Developer | OCR resources: Read and write | N/A | N/A |
| AI Speech Chirp Developer | Speech Chirp resources: Read and write | N/A | N/A |
| AI Speech Developer | Speech resources: Read and write | N/A | N/A |
| AI Text Embedding Developer | Text Embedding resources: Read and write | N/A | N/A |
| AI Text Embedding Multilingual Developer | Text Embedding Multilingual resources: Read and write | N/A | N/A |
| AI Translation Developer | Translation resources: Read and write | N/A | N/A |
| Backup Creator | N/A | Manual backups and restores: Create, read, and delete; Backups, restores, backup plans, restore plans, volume backups, volume restores, and delete backup requests: Read | N/A |
| Certificate Authority Service Admin | Certificate authorities and certificate requests: Get, list, watch, update, create, delete, and patch | N/A | N/A |
| Dashboard Editor | Dashboard custom resources: Get, read, create, update, delete, and patch | N/A | N/A |
| Dashboard Viewer | Dashboard: Get and read | N/A | N/A |
| Discovery Engine Admin | Discovery Engine: Get, read, create, update, delete, and patch | N/A | N/A |
| Discovery Engine Developer | Discovery Engine: Get and read | N/A | N/A |
| Discovery Engine Reader | Discovery Engine: Read | N/A | N/A |
| Global Load Balancer Admin | N/A | HealthCheck, BackendService, ForwardingRuleExternal, and ForwardingRuleInternal: Get, watch, list, create, patch, update, and delete | N/A |
| Harbor Instance Admin | Harbor instances: Create, read, update, delete, and patch | N/A | N/A |
| Harbor Instance Viewer | Harbor instances: Read | N/A | N/A |
| Harbor Project Creator | Harbor instance projects: Create, get, and watch | N/A | N/A |
| K8s NetworkPolicy Admin | NetworkPolicy resources: Create, read, get, update, delete, and patch | N/A | N/A |
| KMS Admin | AEADKey: Create, read, update, delete, patch, encrypt, and decrypt; SigningKey: Create, read, update, delete, patch, and sign; KeyImport and KeyExport: Read | N/A | N/A |
| KMS Creator | AEADKey and SigningKey: Create and read | N/A | N/A |
| KMS Developer | AEADKey in the project namespace: Read, encrypt, and decrypt; SigningKey in the project namespace: Read and sign | N/A | N/A |
| KMS Key Export Admin | KeyExport resource: Create, read, update, patch, and delete | N/A | N/A |
| KMS Key Import Admin | KeyImport resource: Create, read, update, patch, and delete | N/A | N/A |
| KMS Viewer | AEADKey, SigningKey, KeyImport, and KeyExport: Read | N/A | N/A |
| Load Balancer Admin | N/A | Backend, HealthCheck, BackendService, ForwardingRuleExternal, and ForwardingRuleInternal: Get, watch, list, create, patch, update, and delete | N/A |
| LoggingRule Creator | LoggingRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingRule Editor | LoggingRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingRule Viewer | LoggingRule custom resources: Read | N/A | N/A |
| LoggingTarget Creator | LoggingTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingTarget Editor | LoggingTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingTarget Viewer | LoggingTarget custom resources: Read | N/A | N/A |
| Marketplace Editor | N/A | Service instances: Create, update, and delete | N/A |
| MonitoringRule Editor | MonitoringRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| MonitoringRule Viewer | MonitoringRule custom resources: Read | N/A | N/A |
| MonitoringTarget Editor | MonitoringTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| MonitoringTarget Viewer | MonitoringTarget custom resources: Read | N/A | N/A |
| Namespace Admin | N/A | All resources in the project namespace: Read and write | N/A |
| NAT Viewer | N/A | Deployments: Get and read | N/A |
| ObservabilityPipeline Editor | ObservabilityPipeline resources: Get, read, create, update, delete, and patch | N/A | N/A |
| ObservabilityPipeline Viewer | ObservabilityPipeline resources: Get and read | N/A | N/A |
| Project Bucket Admin | Bucket in the project namespace: Read and write | N/A | N/A |
| Project Bucket Object Admin | Bucket: Read; Objects: Read and write | N/A | N/A |
| Project Bucket Object Viewer | Bucket and objects: Read | N/A | N/A |
| Project IAM Admin | IAMRoleBinding and IAMRole: Create, read, update, delete, and bind; ProjectServiceAccount: Create, read, update, and delete; Project namespace: List | N/A | All other AO roles |
| Project NetworkPolicy Admin | Project network policies in the project namespace: Read and write | N/A | N/A |
| Project DB Admin | Database versions, flags, maintenance policies, software libraries, and database project properties: Read; Backup plans and database clusters: Create, read, update, and delete; Imports, exports, and restores: Create, read, and delete; Secrets: Create, delete, and update; Migrations and external servers: Create, read, update, delete, and patch | N/A | N/A |
| Project DB Editor | Database versions, flags, maintenance policies, software libraries, backup plans, and restores: Read; Imports: Create, read, and delete; Database clusters: Read and update; Secrets: Create and delete | N/A | N/A |
| Project DB Viewer | Database versions, flags, maintenance policies, software libraries, backup plans, restores, imports, exports, database clusters, and failovers: Read | N/A | N/A |
| Project Viewer | All resources in the project namespace: Read | N/A | N/A |
| Project VirtualMachine Admin | Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, restores, and password reset requests: Read, create, update, and delete; Virtual machine restart: Put; Virtual machine images, backup plans, and backup plan templates: Read | N/A | N/A |
| Project VirtualMachine Image Admin | VM images: Read; VM image imports: Read and write | N/A | N/A |
| Secret Admin | Kubernetes secrets: Read, create, update, delete, and patch | N/A | N/A |
| Secret Viewer | Kubernetes secrets: Read | N/A | N/A |
| Service Configuration Admin | ServiceConfigurations: Read and write | N/A | N/A |
| Service Configuration Viewer | ServiceConfigurations: Read | N/A | N/A |
| Vertex AI Prediction User | Online Predictions: Read and write | N/A | N/A |
| Volume Replication Admin | Volume failovers and volume relationship replicas: Create, get, list, watch, and delete | N/A | N/A |
| Workbench Notebooks Admin | N/A | Notebook custom resources (CR) in the project namespace: Create, read, update, and delete; ClusterInfo objects: Read | N/A |
| Workbench Notebooks Viewer | N/A | Notebook custom resources (CR) in the project namespace: Read | N/A |
| Workload Viewer | N/A | Pod custom resources in the project namespace: Read; Deployment custom resources in the project namespace: Read | N/A |

Common predefined identity and access roles

Common roles: role names, Kubernetes resource names, and levels

| Name | Kubernetes resource name | Initial admin | Level |
|---|---|---|---|
| AI Platform Viewer | ai-platform-viewer | False | Project |
| DB UI Viewer | db-ui-viewer | False | Project |
| DB Options Viewer | db-options-viewer | False | Project |
| DNS Suffix Viewer | dnssuffix-viewer | False | Organization |
| Flow Log Admin | flowlog-admin | False | Organization |
| Flow Log Viewer | flowlog-viewer | False | Project |
| Marketplace Viewer | marketplace-viewer | False | Project |
| Pricing Calculator User | pricingcalculator-user | False | Project |
| Project Discovery Viewer | projectdiscovery-viewer | False | Project |
| Public Image Viewer | public-image-viewer | False | Organization |
| Virtual Machine Type Viewer | virtualmachinetype-viewer | True | Organization |
| VM Type Viewer | vmtype-viewer | False | Organization |

Common roles: permissions and escalation

| Name | Admin cluster permissions | User cluster permissions | Escalates to |
|---|---|---|---|
| AI Platform Viewer | Pre-trained services: Read | N/A | N/A |
| DB Options Viewer | DBS configurations: Read | N/A | N/A |
| DB UI Viewer | DBS UI configurations: Read | N/A | N/A |
| DNS Suffix Viewer | DNS suffix config maps: Read | N/A | N/A |
| Flow Log Admin | Flow log resources: Get and read | Flow log resources: Get and read | N/A |
| Flow Log Viewer | Flow log resources: Create, get, read, patch, update, and delete | Flow log resources: Create, get, read, patch, update, and delete | N/A |
| Marketplace Viewer | Service versions: Read | N/A | N/A |
| Pricing Calculator User | N/A | SkuDescriptions: Read | N/A |
| Project Discovery Viewer | Projects: Read | N/A | N/A |
| Public Image Viewer | VM images: Read | N/A | N/A |
| VM Type Viewer | VM types: Read | N/A | N/A |