Role definitions for projects

The tables of this section describe different predefined roles and their permissions. The tables contain the following columns:

Name: The name of a role displayed in the user interface (UI).
Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
Level: The specification of whether this role is scoped by the organization or a project.
Admin or user cluster permissions: The permissions that this role has for admin or user clusters. For example, some possible values are read, write, read and write, or not applicable (N/A).
Escalates to: The specification of whether this role escalates to other roles or not.

All roles have the role type IAMRole. Grant a subject with permissions in the global API server using IAMRoleBinding to a predefined IAMRole. All role and role bindings are global.

AO audience group, predefined identity, and access roles

AO audience group
Name	Kubernetes resource name	Initial admin	Level
AI OCR Developer	`ai-ocr-developer`	False	Project
AI Platform Viewer	`ai-platform-viewer`	False	Project
AI Speech Chirp Developer	`ai-speech-chirp-developer`	False	Project
AI Speech Developer	`ai-speech-developer`	False	Project
AI Text Embedding Developer	`ai-text-embedding-developer`	False	Project
AI Text Embedding Multilingual Developer	`ai-text-embedding-multilingual-developer`	False	Project
AI Translation Developer	`ai-translation-developer`	False	Project
Backup Creator	`backup-creator`	False	Project
Certificate Authority Service Admin	`certificate-authority-service-admin`	False	Project
Custom Role Project Admin	`global-custom-role-project-admin`	False	Project
Dashboard Editor	`dashboard-editor`	False	Project
Dashboard Viewer	`dashboard-viewer`	False	Project
Discovery Engine Admin	`vaisearch-admin`	False	Project
Discovery Engine Developer	`vaisearch-developer`	False	Project
Discovery Engine Reader	`vaisearch-reader`	False	Project
Global Load Balancer Admin	`global-load-balancer-admin`	False	Project
Harbor Instance Admin	`harbor-instance-admin`	False	Project
Harbor Instance Viewer	`harbor-instance-viewer`	False	Project
Harbor Project Creator	`harbor-project-creator`	False	Project
K8s NetworkPolicy Admin	`k8s-networkpolicy-admin`	False	Project
KMS Admin	`kms-admin`	False	Project
KMS Creator	`kms-creator`	False	Project
KMS Developer	`kms-developer`	False	Project
KMS Key Export Admin	`kms-keyexport-admin`	False	Project
KMS Key Import Admin	`kms-keyimport-admin`	False	Project
KMS Viewer	`kms-viewer`	False	Project
Load Balancer Admin	`load-balancer-admin`	False	Project
LoggingRule Creator	`loggingrule-creator`	False	Project
LoggingRule Editor	`loggingrule-editor`	False	Project
LoggingRule Viewer	`loggingrule-viewer`	False	Project
LoggingTarget Creator	`loggingtarget-creator`	False	Project
LoggingTarget Editor	`loggingtarget-editor`	False	Project
LoggingTarget Viewer	`loggingtarget-viewer`	False	Project
Marketplace Editor	`marketplace-editor`	False	Project
MonitoringRule Editor	`monitoringrule-editor`	False	Project
MonitoringRule Viewer	`monitoringrule-viewer`	False	Project
MonitoringTarget Editor	`monitoringtarget-editor`	False	Project
MonitoringTarget Viewer	`monitoringtarget-viewer`	False	Project
Namespace Admin	`namespace-admin`	False	Project
NAT Viewer	`nat-viewer`	False	Project
ObservabilityPipeline Editor	`observabilitypipeline-editor`	False	Project
ObservabilityPipeline Viewer	`observabilitypipeline-viewer`	False	Project
Project Bucket Admin	`project-bucket-admin`	False	Project
Project Bucket Object Admin	`project-bucket-object-admin`	False	Project
Project Bucket Object Viewer	`project-bucket-object-viewer`	False	Project
Project IAM Admin	`project-iam-admin`	True	Project
Project NetworkPolicy Admin	`project-networkpolicy-admin`	False	Project
Project DB Admin	`project-db-admin`	False	Project
Project DB Editor	`project-db-editor`	False	Project
Project DB Viewer	`project-db-viewer`	False	Project
Project Viewer	`project-viewer`	False	Project
Project VirtualMachine Admin	`project-vm-admin`	False	Project
Project VirtualMachine Image Admin	`project-vm-image-admin`	False	Project
Secret Admin	`secret-admin`	False	Project
Secret Viewer	`secret-viewer`	False	Project
Service Configuration Admin	`service-configuration-admin`	False	Project
Service Configuration Viewer	`service-configuration-viewer`	False	Project
Subnet Project Admin	`subnet-project-admin`	False	Project
Subnet Project Operator	`subnet-project-operator`	False	Project
Volume Replication Admin	`app-volume-replication-admin`	False	Cluster
Vertex AI Prediction User	`vertex-ai-prediction-user`	False	Project
Workbench Notebooks Admin	`workbench-notebooks-admin`	False	Project
Workbench Notebooks Viewer	`workbench-notebooks-viewer`	False	Project

AO audience group, predefined identity, and access roles

AO audience group
Name	Management API server permissions	Kubernetes cluster permissions	Escalates to
AI OCR Developer	OCR resources: Read and write	N/A	N/A
AI Speech Chirp Developer	Speech Chirp resources: Read and write	N/A	N/A
AI Speech Developer	Speech resources: Read and write	N/A	N/A
AI Text Embedding Developer	Text Embedding resources: Read and write	N/A	N/A
AI Text Embedding Multilingual Developer	Text Embedding Multilingual resources: Read and write	N/A	N/A
AI Translation Developer	Translation resources: Read and write	N/A	N/A
Backup Creator	N/A	Manual backups and restores: Create, read, and delete Backups, restores, backup plans, and restore plans, volume backups, volume restores, delete backup requests: Read	N/A
Certificate Authority Service Admin	Certificate authorities and certificate requests: Get, list, watch, update, create, delete, and patch	N/A	N/A
Custom Role Project Admin	`RoleBinding`: Create, read, update, and delete List project namespace	N/A	All other AO roles
Dashboard Editor	`Dashboard` custom resources: Get, read, create, update, delete, and patch	N/A	N/A
Dashboard Viewer	`Dashboard`: Get and read	N/A	N/A
Discovery Engine Admin	`Discovery Engine`: Get, read, create, update, delete, and patch	N/A	N/A
Discovery Engine Developer	`Discovery Engine`: Get and read	N/A	N/A
Discovery Engine Reader	`Discovery Engine`: Read	N/A	N/A
Global Load Balancer Admin	N/A	`HealthCheck`: Get, watch, list, create, patch, update, and delete `BackendService`: Get, watch, list, create, patch, update, and delete `ForwardingRuleExternal`: Get, watch, list, create, patch, update, and delete `ForwardingRuleInternal`: Get, watch, list, create, patch, update, and delete	N/A
Harbor Instance Admin	Harbor instances: Create, read, update, delete, and patch	N/A	N/A
Harbor Instance Viewer	Harbor instances: Read	N/A	N/A
Harbor Project Creator	Harbor instance projects: Create, get, and watch	N/A	N/A
K8s NetworkPolicy Admin	`NetworkPolicy` resources: Create, read, get, update, delete, and patch	N/A	N/A
KMS Admin	`AEADKey`: Create, read, update, delete, patch, encrypt, and decrypt `SigningKey`: Create, read, update, delete, patch, and sign `KeyImport` and `KeyExport`: Read	N/A	N/A
KMS Creator	`AEADKey` and `SigningKey`: Create and read	N/A	N/A
KMS Developer	`AEADKey` in the project namespace: Read, encrypt, and decrypt `SigningKey` in the project namespace: Read and sign	N/A	N/A
KMS Key Export Admin	`KeyExport` resource: Create, read, update, patch, and delete	N/A	N/A
KMS Key Import Admin	`KeyImport` resource: Create, read, update, patch, and delete	N/A	N/A
KMS Viewer	`AEADKey`, `SigningKey`, `KeyImport`, `KeyExport`: Read	N/A	N/A
Load Balancer Admin	N/A	`Backend`: Get, watch, list, create, patch, update, and delete `HealthCheck`: Get, watch, list, create, patch, update, and delete `BackendService`: Get, watch, list, create, patch, update, and delete `ForwardingRuleExternal`: Get, watch, list, create, patch, update, and delete `ForwardingRuleInternal`: Get, watch, list, create, patch, update, and delete	N/A
LoggingRule Creator	`LoggingRule` custom resources: Create, read, update, delete, and patch	N/A	N/A
LoggingRule Editor	`LoggingRule` custom resources: Create, read, update, delete, and patch	N/A	N/A
LoggingRule Viewer	`LoggingRule` custom resources: Read	N/A	N/A
LoggingTarget Creator	`LoggingTarget` custom resources: Create, read, update, delete, and patch	N/A	N/A
LoggingTarget Editor	`LoggingTarget` custom resources: Create, read, update, delete, and patch	N/A	N/A
LoggingTarget Viewer	`LoggingTarget` custom resources: Read	N/A	N/A
Marketplace Editor	N/A	Service instances: Create, update, and delete	N/A
MonitoringRule Editor	`MonitoringRule` custom resources: Create, read, update, delete, and patch	N/A	N/A
MonitoringRule Viewer	`MonitoringRule` custom resources: Read	N/A	N/A
MonitoringTarget Editor	`MonitoringTarget` custom resources: Create, read, update, delete, and patch	N/A	N/A
MonitoringTarget Viewer	`MonitoringTarget` custom resources: Read	N/A	N/A
Namespace Admin	N/A	All resources: Read and write access in the project namespace	N/A
NAT Viewer	N/A	Deployments: Get and read	N/A
ObservabilityPipeline Editor	`ObservabilityPipeline` resources: Get, read, create, update, delete, and patch	N/A	N/A
ObservabilityPipeline Viewer	`ObservabilityPipeline` resources: Get and read	N/A	N/A
Project Bucket Admin	Bucket: Read and write in the project namespace	N/A	N/A
Project Bucket Object Admin	Bucket: Read Objects: Read and write	N/A	N/A
Project Bucket Object Viewer	Bucket and objects: Read	N/A	N/A
Project IAM Admin	`IAMRoleBinding` and `IAMRole`: Create, read, update, delete, and bind `ProjectServiceAccount`: Create, read, update, and delete List project namespace	N/A	All other AO roles
Project NetworkPolicy Admin	Project network policies: Read and write in the project namespace	N/A	N/A
Project DB Admin	Database versions, flags, maintenance policies, software libraries, and database project properties: Read Backup plans and database clusters: Create, read, update, and delete Imports, exports, and restores: Create, read, and delete Secrets: Create, delete, and update Migrations and external servers: Create, read, update, delete, and patch	N/A	N/A
Project DB Editor	Database versions, flags, maintenance policies, software libraries, backup plans, and restores: Read Imports: Create, read, and delete Database clusters: Read and update Secrets: Create and delete	N/A	N/A
Project DB Viewer	Database versions, flags, maintenance policies, software libraries, backup plans, restores, imports, exports, database clusters, and failovers: Read	N/A	N/A
Project Viewer	All resources in the project namespace: Read	N/A	N/A
Project VirtualMachine Admin	Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, restores, and password reset requests: Read, create, update, and delete Virtual machine restart: Put Virtual machine images, backup plans, and backup plan templates: Read	N/A	N/A
Project VirtualMachine Image Admin	VM images: Read VM image imports: Read and write Buckets: Create "vm-images-bucket" Bucket: Read and write	N/A	N/A
Secret Admin	Kubernetes secrets: Read, create, update, delete, and patch	N/A	N/A
Secret Viewer	Kubernetes secrets: Read	N/A	N/A
Service Configuration Admin	`ServiceConfigurations`: Read and write	N/A	N/A
Service Configuration Viewer	`ServiceConfigurations`: Read	N/A	N/A
Subnet Project Admin	Subnets: Create, read, update, and delete.	N/A	N/A
Subnet Project Operator	Subnets: Create, read, update, and delete.	N/A	N/A
Vertex AI Prediction User	Online Predictions: Read and write	N/A	N/A
Volume Replication Admin	`Volume failovers, volume relationship replicas`: Create, get, list, watch, delete	N/A	N/A
Workbench Notebooks Admin	N/A	Notebook custom resources (CR) in the project namespace: Create, read, update, and delete `ClusterInfo` objects: Read	N/A
Workbench Notebooks Viewer	N/A	Notebook custom resources (CR) in the project namespace: Read	N/A
Workload Viewer	N/A	Pod custom resources in the project namespace: Read Deployment custom resources in the project namespace: Read	N/A

Common predefined identity and access roles

Common roles
Name	Kubernetes resource name	Initial admin	Level
AI Platform Viewer	`ai-platform-viewer`	False	Project
DB UI Viewer	`db-ui-viewer`	False	Project
DB Options Viewer	`db-options-viewer`	False	Project
DNS Suffix Viewer	`dnssuffix-viewer`	False	Organization
Flow Log Admin	`flowlog-admin`	False	Organization
Flow Log Viewer	`flowlog-viewer`	False	Project
Marketplace Viewer	`marketplace-viewer`	False	Project
Pricing Calculator User	`pricingcalculator-user`	False	Project
Project Discovery Viewer	`projectdiscovery-viewer`	False	Project
Public Image Viewer	`public-image-viewer`	False	Organization
Virtual Machine Type Viewer	`virtualmachinetype-viewer`	True	Organization
VM Type Viewer	`vmtype-viewer`	False	Organization

Common predefined identity and access roles

Common roles
Name	Admin cluster permissions	User cluster permissions	Escalates to
AI Platform Viewer	Pre-trained services: Read	N/A	N/A
DB Options Viewer	DBS configurations: Read	N/A	N/A
DB UI Viewer	DBS UI configurations: Read	N/A	N/A
DNS Suffix Viewer	DNS suffix config maps: Read	N/A	N/A
Flow Log Admin	Flow log resources: Get and read	Flow log resources: Get and read	N/A
Flow Log Viewer	Flow log resources: Create, get, read, patch, update, and delete	Flow log resources: Create, get, read, patch, update, and delete	N/A
Marketplace Viewer	Service versions: Read	N/A	N/A
Pricing Calculator User	N/A	`SkuDescriptions`: Read	N/A
Project Discovery Viewer	Projects: Read	N/A	N/A
Public Image Viewer	VM images: Read	N/A	N/A
VM Type Viewer	VM types: Read	N/A	N/A

Role definitions for projects Stay organized with collections Save and categorize content based on your preferences.

AO audience group, predefined identity, and access roles

AO audience group, predefined identity, and access roles

Common predefined identity and access roles

Common predefined identity and access roles

Role definitions for projects