| roles/cloudkms.autokeyUser |
Grants ability to use KeyHandle resources. |
Cloud KMS Autokey User |
['cloudkms.keyHandles.create', 'cloudkms.keyHandles.get', 'cloudkms.keyHandles.list', 'cloudkms.operations.get', 'cloudkms.projects.showEffectiveAutokeyConfig'] |
|
GA |
| roles/cloudkms.cryptoKeyDecrypter |
Enables Decrypt operations |
Cloud KMS CryptoKey Decrypter |
['cloudkms.cryptoKeyVersions.useToDecrypt', 'cloudkms.locations.get', 'cloudkms.locations.list', 'resourcemanager.projects.get'] |
|
GA |
| roles/cloudkmskacls.serviceAgent |
Grants Cloud KMS KACLS Service Agent access to KMS resource permissions to perform DEK encryption/decryption. |
Cloud KMS KACLS Service Agent |
['cloudkms.cryptoKeyVersions.useToDecrypt', 'cloudkms.cryptoKeyVersions.useToEncrypt', 'cloudkms.cryptoKeys.get'] |
|
GA |
| roles/cloudkms.cryptoKeyEncrypterDecrypter |
Enables Encrypt and Decrypt operations |
Cloud KMS CryptoKey Encrypter/Decrypter |
['cloudkms.cryptoKeyVersions.useToDecrypt', 'cloudkms.cryptoKeyVersions.useToEncrypt', 'cloudkms.locations.get', 'cloudkms.locations.list', 'resourcemanager.projects.get'] |
|
GA |
| roles/cloudkms.protectedResourcesViewer |
Enables viewing protected resources. |
Cloud KMS Protected Resources Viewer |
['cloudkms.protectedResources.search'] |
|
GA |
| roles/cloudkms.expertRawAesCtr |
Enables raw AES-CTR keys management. |
Cloud KMS Expert Raw AES-CTR Key Manager |
['cloudkms.cryptoKeyVersions.manageRawAesCtrKeys', 'cloudkms.locations.get', 'cloudkms.locations.list', 'resourcemanager.projects.get', 'resourcemanager.projects.list'] |
|
GA |
| roles/cloudkms.expertRawAesCbc |
Enables raw AES-CBC keys management. |
Cloud KMS Expert Raw AES-CBC Key Manager |
['cloudkms.cryptoKeyVersions.manageRawAesCbcKeys', 'cloudkms.locations.get', 'cloudkms.locations.list', 'resourcemanager.projects.get', 'resourcemanager.projects.list'] |
|
GA |
| roles/cloudkms.orgServiceAgent |
Gives Cloud KMS organization-level service account access to managed resources. |
Cloud KMS Organization Service Agent |
['cloudasset.assets.searchAllResources'] |
|
GA |
| roles/cloudkms.signer |
Enables Sign operations |
Cloud KMS CryptoKey Signer |
['cloudkms.cryptoKeyVersions.useToSign', 'cloudkms.locations.get', 'cloudkms.locations.list', 'resourcemanager.projects.get'] |
|
GA |
| roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation |
Enables Encrypt and Decrypt operations via other GCP services |
Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation |
['cloudkms.cryptoKeyVersions.useToDecryptViaDelegation', 'cloudkms.cryptoKeyVersions.useToEncryptViaDelegation', 'cloudkms.locations.get', 'cloudkms.locations.list', 'resourcemanager.projects.get', 'resourcemanager.projects.list'] |
|
GA |
| roles/cloudkms.cryptoKeyDecrypterViaDelegation |
Enables Decrypt operations via other GCP services |
Cloud KMS CryptoKey Decrypter Via Delegation |
['cloudkms.cryptoKeyVersions.useToDecryptViaDelegation', 'cloudkms.locations.get', 'cloudkms.locations.list', 'resourcemanager.projects.get', 'resourcemanager.projects.list'] |
|
GA |
| roles/cloudkms.serviceAgent |
Gives Cloud KMS service account access to managed resources. |
Cloud KMS Service Agent |
['cloudasset.assets.listCloudkmsCryptoKeys'] |
|
GA |
| roles/cloudkms.cryptoOperator |
Enables all Crypto Operations. |
Cloud KMS Crypto Operator |
['cloudkms.cryptoKeyVersions.useToDecrypt', 'cloudkms.cryptoKeyVersions.useToEncrypt', 'cloudkms.cryptoKeyVersions.useToSign', 'cloudkms.cryptoKeyVersions.useToVerify', 'cloudkms.cryptoKeyVersions.viewPublicKey', 'cloudkms.locations.generateRandomBytes', 'cloudkms.locations.get', 'cloudkms.locations.list', 'resourcemanager.projects.get'] |
|
GA |
| roles/cloudkms.verifier |
Enables Verify and GetPublicKey operations |
Cloud KMS CryptoKey Verifier |
['cloudkms.cryptoKeyVersions.useToVerify', 'cloudkms.cryptoKeyVersions.viewPublicKey', 'cloudkms.locations.get', 'cloudkms.locations.list', 'resourcemanager.projects.get'] |
|
GA |
| roles/cloudkms.autokeyAdmin |
Enables management of AutokeyConfig. |
Cloud KMS Autokey Admin |
['cloudkms.autokeyConfigs.get', 'cloudkms.autokeyConfigs.update', 'cloudkms.projects.showEffectiveAutokeyConfig'] |
|
GA |
| roles/cloudkms.importer |
Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations |
Cloud KMS Importer |
['cloudkms.importJobs.create', 'cloudkms.importJobs.get', 'cloudkms.importJobs.list', 'cloudkms.importJobs.useToImport', 'cloudkms.locations.get', 'cloudkms.locations.list', 'resourcemanager.projects.get'] |
|
GA |
| roles/cloudkms.cryptoKeyEncrypterViaDelegation |
Enables Encrypt operations via other GCP services |
Cloud KMS CryptoKey Encrypter Via Delegation |
['cloudkms.cryptoKeyVersions.useToEncryptViaDelegation', 'cloudkms.locations.get', 'cloudkms.locations.list', 'resourcemanager.projects.get', 'resourcemanager.projects.list'] |
|
GA |
| roles/cloudkms.ekmConnectionsAdmin |
Enables management of EkmConnections. |
Cloud KMS EkmConnections Admin |
['cloudkms.ekmConfigs.get', 'cloudkms.ekmConfigs.update', 'cloudkms.ekmConnections.create', 'cloudkms.ekmConnections.get', 'cloudkms.ekmConnections.list', 'cloudkms.ekmConnections.update', 'cloudkms.ekmConnections.verifyConnectivity', 'resourcemanager.projects.get', 'resourcemanager.projects.list'] |
|
GA |
| roles/cloudkms.signerVerifier |
Enables Sign, Verify, and GetPublicKey operations |
Cloud KMS CryptoKey Signer/Verifier |
['cloudkms.cryptoKeyVersions.useToSign', 'cloudkms.cryptoKeyVersions.useToVerify', 'cloudkms.cryptoKeyVersions.viewPublicKey', 'cloudkms.locations.get', 'cloudkms.locations.list', 'resourcemanager.projects.get'] |
|
GA |
| roles/cloudkms.admin |
Enables management of crypto resources. |
Cloud KMS Admin |
['cloudkms.autokeyConfigs.get', 'cloudkms.autokeyConfigs.update', 'cloudkms.cryptoKeyVersions.create', 'cloudkms.cryptoKeyVersions.destroy', 'cloudkms.cryptoKeyVersions.get', 'cloudkms.cryptoKeyVersions.list', 'cloudkms.cryptoKeyVersions.restore', 'cloudkms.cryptoKeyVersions.update', 'cloudkms.cryptoKeyVersions.useToDecryptViaDelegation', 'cloudkms.cryptoKeyVersions.useToEncryptViaDelegation', 'cloudkms.cryptoKeys.create', 'cloudkms.cryptoKeys.get', 'cloudkms.cryptoKeys.getIamPolicy', 'cloudkms.cryptoKeys.list', 'cloudkms.cryptoKeys.setIamPolicy', 'cloudkms.cryptoKeys.update', 'cloudkms.ekmConfigs.get', 'cloudkms.ekmConfigs.getIamPolicy', 'cloudkms.ekmConfigs.setIamPolicy', 'cloudkms.ekmConfigs.update', 'cloudkms.ekmConnections.create', 'cloudkms.ekmConnections.get', 'cloudkms.ekmConnections.getIamPolicy', 'cloudkms.ekmConnections.list', 'cloudkms.ekmConnections.setIamPolicy', 'cloudkms.ekmConnections.update', 'cloudkms.ekmConnections.use', 'cloudkms.ekmConnections.verifyConnectivity', 'cloudkms.importJobs.create', 'cloudkms.importJobs.get', 'cloudkms.importJobs.getIamPolicy', 'cloudkms.importJobs.list', 'cloudkms.importJobs.setIamPolicy', 'cloudkms.importJobs.useToImport', 'cloudkms.keyHandles.create', 'cloudkms.keyHandles.get', 'cloudkms.keyHandles.list', 'cloudkms.keyRings.create', 'cloudkms.keyRings.createTagBinding', 'cloudkms.keyRings.deleteTagBinding', 'cloudkms.keyRings.get', 'cloudkms.keyRings.getIamPolicy', 'cloudkms.keyRings.list', 'cloudkms.keyRings.listEffectiveTags', 'cloudkms.keyRings.listTagBindings', 'cloudkms.keyRings.setIamPolicy', 'cloudkms.locations.get', 'cloudkms.locations.list', 'cloudkms.locations.optOutKeyDeletionMsa', 'cloudkms.operations.get', 'cloudkms.projects.showEffectiveAutokeyConfig', 'resourcemanager.projects.get'] |
|
GA |
| roles/cloudkms.viewer |
Enables Get and List operations. |
Cloud KMS Viewer |
['cloudkms.autokeyConfigs.get', 'cloudkms.cryptoKeyVersions.get', 'cloudkms.cryptoKeyVersions.list', 'cloudkms.cryptoKeys.get', 'cloudkms.cryptoKeys.list', 'cloudkms.ekmConfigs.get', 'cloudkms.ekmConnections.get', 'cloudkms.ekmConnections.list', 'cloudkms.importJobs.get', 'cloudkms.importJobs.list', 'cloudkms.keyHandles.get', 'cloudkms.keyHandles.list', 'cloudkms.keyRings.get', 'cloudkms.keyRings.list', 'cloudkms.locations.get', 'cloudkms.locations.list', 'cloudkms.operations.get', 'resourcemanager.projects.get'] |
|
GA |
| roles/cloudkms.cryptoKeyEncrypter |
Enables Encrypt operations |
Cloud KMS CryptoKey Encrypter |
['cloudkms.cryptoKeyVersions.useToEncrypt', 'cloudkms.locations.get', 'cloudkms.locations.list', 'resourcemanager.projects.get'] |
|
GA |
| roles/cloudkms.publicKeyViewer |
Enables GetPublicKey operations |
Cloud KMS CryptoKey Public Key Viewer |
['cloudkms.cryptoKeyVersions.viewPublicKey', 'cloudkms.locations.get', 'cloudkms.locations.list', 'resourcemanager.projects.get'] |
|
GA |
| roles/cloudkms.expertRawPKCS1 |
Enables raw PKCS#1 keys management. |
Cloud KMS Expert Raw PKCS#1 Key Manager |
['cloudkms.cryptoKeyVersions.manageRawPKCS1Keys', 'cloudkms.locations.get', 'cloudkms.locations.list', 'resourcemanager.projects.get', 'resourcemanager.projects.list'] |
|
GA |