Permissions

Network Project

The Role Definition (list of permissions included for a role) for the network project role, the service engine project role, and the storage project role are tabulated here:


Permissions	Role Definition Files
compute.networks.get compute.networks.list compute.networks.updatePolicy compute.regions.get compute.routes.create compute.routes.delete compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use	network_project_role.yaml

Service Engine Project


Permissions	Role Definition Files
compute.addresses.create compute.addresses.delete compute.addresses.get compute.addresses.list compute.addresses.use compute.disks.create compute.forwardingRules.get compute.forwardingRules.create compute.forwardingRules.delete compute.forwardingRules.list compute.globalOperations.get compute.images.create compute.images.delete compute.images.get compute.images.list compute.images.setLabels compute.images.useReadOnly compute.instances.create compute.instances.delete compute.instances.get compute.instances.list compute.instances.setLabels compute.instances.setMetadata compute.instances.setTags compute.instances.use compute.machineTypes.get compute.machineTypes.list compute.regionOperations.get compute.regions.get compute.regions.list compute.targetPools.addInstance compute.targetPools.create compute.targetPools.delete compute.targetPools.get compute.targetPools.list compute.targetPools.removeInstance compute.targetPools.use compute.zoneOperations.get compute.zones.list	service_engine_project_role.yaml

GCP Instance Group Autoscaling Service Engine Project


Permissions	Role Definition Files
pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.getIamPolicy pubsub.topics.list pubsub.topics.setIamPolicy	autoscaling_service_engine_project_role.yaml

ILB, BYOIP Service Engine Project


Permissions	Role Definition Files
compute.addresses.create compute.addresses.createInternal compute.addresses.delete compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.setLabels compute.addresses.use compute.addresses.useInternal compute.healthChecks.create compute.healthChecks.delete compute.healthChecks.get compute.healthChecks.list compute.healthChecks.update compute.healthChecks.use compute.healthChecks.useReadOnly compute.instanceGroups.create compute.instanceGroups.delete compute.instanceGroups.get compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use compute.regionBackendServices.create compute.regionBackendServices.delete compute.regionBackendServices.get compute.regionBackendServices.list compute.regionBackendServices.setSecurityPolicy compute.regionBackendServices.update compute.regionBackendServices.use	ilb_service_engine_project_role.yaml

Storage Project


Permissions	Role Definition Files
storage.buckets.create storage.buckets.delete storage.objects.create storage.objects.delete storage.objects.list	storage_project_role.yaml

GCP Instance Group Autoscaling Server Project


Permissions	Role Definition Files
compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.list compute.projects.get logging.sinks.create logging.sinks.delete logging.sinks.get logging.sinks.list logging.sinks.update	server_project_role.yaml

Cluster IP


Permissions	Role Definition Files
compute.instances.get compute.instances.list compute.instances.updateNetworkInterface	cluster_vip_role.yaml

Service Account Project


Permissions	Role Definition Files
compute.instances.setServiceAccount iam.serviceAccountUser	Pre-created in GCP

Creating Roles in GCP

You can create custom roles either by using the gcloud command-line tool or the GCP console.