roles/gkehub.gatewayAdmin |
Full access to Connect Gateway, including gkehub.gateway.stream, which Connect Gateway Editor does not have. |
Connect Gateway Admin |
['gkehub.gateway.delete', 'gkehub.gateway.generateCredentials', 'gkehub.gateway.get', 'gkehub.gateway.patch', 'gkehub.gateway.post', 'gkehub.gateway.put', 'gkehub.gateway.stream', 'gkehub.memberships.get', 'serviceusage.services.get'] |
|
GA |
roles/gkehub.crossProjectServiceAgent |
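Gives the GKE Hub service agent permission to read and set the project's IAM policy (resourcemanager.projects.getIamPolicy and setIamPolicy), which it uses to manage the project for cross-project fleet registration. |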
GKE Hub Cross Project Service Agent |
['resourcemanager.projects.getIamPolicy', 'resourcemanager.projects.setIamPolicy'] |
|
GA |
roles/gkehub.admin |
Full access to Fleet resources. |
Fleet Admin (formerly GKE Hub Admin) |
['gkehub.features.create', 'gkehub.features.delete', 'gkehub.features.get', 'gkehub.features.getIamPolicy', 'gkehub.features.list', 'gkehub.features.setIamPolicy', 'gkehub.features.update', 'gkehub.fleet.create', 'gkehub.fleet.createFreeTrial', 'gkehub.fleet.delete', 'gkehub.fleet.get', 'gkehub.fleet.getFreeTrial', 'gkehub.fleet.update', 'gkehub.fleet.updateFreeTrial', 'gkehub.locations.get', 'gkehub.locations.list', 'gkehub.membershipbindings.create', 'gkehub.membershipbindings.delete', 'gkehub.membershipbindings.get', 'gkehub.membershipbindings.list', 'gkehub.membershipbindings.update', 'gkehub.memberships.create', 'gkehub.memberships.delete', 'gkehub.memberships.generateConnectManifest', 'gkehub.memberships.get', 'gkehub.memberships.getIamPolicy', 'gkehub.memberships.list', 'gkehub.memberships.setIamPolicy', 'gkehub.memberships.update', 'gkehub.namespaces.create', 'gkehub.namespaces.delete', 'gkehub.namespaces.get', 'gkehub.namespaces.list', 'gkehub.namespaces.update', 'gkehub.operations.cancel', 'gkehub.operations.delete', 'gkehub.operations.get', 'gkehub.operations.list', 'gkehub.rbacrolebindings.create', 'gkehub.rbacrolebindings.delete', 'gkehub.rbacrolebindings.get', 'gkehub.rbacrolebindings.list', 'gkehub.rbacrolebindings.update', 'gkehub.scopes.create', 'gkehub.scopes.delete', 'gkehub.scopes.get', 'gkehub.scopes.getIamPolicy', 'gkehub.scopes.list', 'gkehub.scopes.listBoundMemberships', 'gkehub.scopes.setIamPolicy', 'gkehub.scopes.update', 'resourcemanager.projects.get', 'resourcemanager.projects.list'] |
|
GA |
roles/gkehub.gatewayEditor |
Edit access to Connect Gateway. |
Connect Gateway Editor |
['gkehub.gateway.delete', 'gkehub.gateway.generateCredentials', 'gkehub.gateway.get', 'gkehub.gateway.patch', 'gkehub.gateway.post', 'gkehub.gateway.put', 'gkehub.memberships.get', 'serviceusage.services.get'] |
|
GA |
roles/gkehub.scopeViewer |
Viewer of Fleet Scopes and associated resources. |
Fleet Scope Viewer |
['gkehub.namespaces.get', 'gkehub.namespaces.list', 'gkehub.rbacrolebindings.get', 'gkehub.rbacrolebindings.list', 'gkehub.scopes.get', 'gkehub.scopes.getIamPolicy', 'gkehub.scopes.listBoundMemberships'] |
|
GA |
roles/gkehub.viewer |
Read-only access to Fleets and related resources. |
Fleet Viewer (formerly GKE Hub Viewer) |
['gkehub.features.get', 'gkehub.features.getIamPolicy', 'gkehub.features.list', 'gkehub.fleet.get', 'gkehub.fleet.getFreeTrial', 'gkehub.locations.get', 'gkehub.locations.list', 'gkehub.membershipbindings.get', 'gkehub.membershipbindings.list', 'gkehub.memberships.generateConnectManifest', 'gkehub.memberships.get', 'gkehub.memberships.getIamPolicy', 'gkehub.memberships.list', 'gkehub.namespaces.get', 'gkehub.namespaces.list', 'gkehub.operations.get', 'gkehub.operations.list', 'gkehub.rbacrolebindings.get', 'gkehub.rbacrolebindings.list', 'gkehub.scopes.get', 'gkehub.scopes.list', 'gkehub.scopes.listBoundMemberships', 'resourcemanager.projects.get', 'resourcemanager.projects.list'] |
|
GA |
roles/gkehub.serviceAgent |
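Gives the GKE Hub service agent access to Cloud Platform resources. The permissions cover cluster RBAC objects (including container.clusterRoles.bind and container.clusterRoles.escalate), Connect Gateway, and logging sinks and exclusions. |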
GKE Hub Service Agent |
['container.clusterRoleBindings.create', 'container.clusterRoleBindings.delete', 'container.clusterRoleBindings.get', 'container.clusterRoleBindings.list', 'container.clusterRoleBindings.update', 'container.clusterRoles.bind', 'container.clusterRoles.create', 'container.clusterRoles.delete', 'container.clusterRoles.escalate', 'container.clusterRoles.get', 'container.clusterRoles.list', 'container.clusterRoles.update', 'container.clusters.connect', 'container.clusters.get', 'container.clusters.list', 'container.clusters.update', 'container.customResourceDefinitions.create', 'container.customResourceDefinitions.delete', 'container.customResourceDefinitions.get', 'container.customResourceDefinitions.list', 'container.customResourceDefinitions.update', 'container.namespaces.get', 'container.operations.get', 'container.thirdPartyObjects.create', 'container.thirdPartyObjects.delete', 'container.thirdPartyObjects.get', 'container.thirdPartyObjects.list', 'container.thirdPartyObjects.update', 'gkehub.features.create', 'gkehub.features.get', 'gkehub.features.list', 'gkehub.fleet.create', 'gkehub.fleet.get', 'gkehub.gateway.delete', 'gkehub.gateway.generateCredentials', 'gkehub.gateway.get', 'gkehub.gateway.patch', 'gkehub.gateway.post', 'gkehub.gateway.put', 'gkehub.locations.get', 'gkehub.locations.list', 'gkehub.memberships.create', 'gkehub.memberships.generateConnectManifest', 'gkehub.memberships.get', 'gkehub.memberships.list', 'gkehub.operations.get', 'gkemulticloud.awsClusters.get', 'gkemulticloud.azureClusters.get', 'gkeonprem.bareMetalClusters.get', 'gkeonprem.vmwareClusters.get', 'logging.buckets.create', 'logging.buckets.get', 'logging.buckets.list', 'logging.buckets.update', 'logging.exclusions.create', 'logging.exclusions.delete', 'logging.exclusions.get', 'logging.exclusions.list', 'logging.exclusions.update', 'logging.sinks.create', 'logging.sinks.delete', 'logging.sinks.get', 'logging.sinks.list', 'logging.sinks.update', 'logging.views.create', 
'logging.views.get', 'logging.views.list', 'logging.views.update', 'monitoring.metricsScopes.link', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'serviceusage.services.get', 'serviceusage.services.list'] |
|
GA |
roles/gkehub.scopeEditor |
Edit access to Namespaces under Fleet Scopes. |
Fleet Scope Editor |
['gkehub.namespaces.create', 'gkehub.namespaces.delete', 'gkehub.namespaces.get', 'gkehub.namespaces.list', 'gkehub.rbacrolebindings.get', 'gkehub.rbacrolebindings.list', 'gkehub.scopes.get', 'gkehub.scopes.getIamPolicy', 'gkehub.scopes.listBoundMemberships'] |
|
GA |
roles/gkehub.editor |
Edit access to Fleet resources. |
Fleet Editor (formerly GKE Hub Editor) |
['gkehub.features.create', 'gkehub.features.delete', 'gkehub.features.get', 'gkehub.features.getIamPolicy', 'gkehub.features.list', 'gkehub.features.update', 'gkehub.fleet.create', 'gkehub.fleet.createFreeTrial', 'gkehub.fleet.delete', 'gkehub.fleet.get', 'gkehub.fleet.getFreeTrial', 'gkehub.fleet.update', 'gkehub.fleet.updateFreeTrial', 'gkehub.locations.get', 'gkehub.locations.list', 'gkehub.membershipbindings.create', 'gkehub.membershipbindings.delete', 'gkehub.membershipbindings.get', 'gkehub.membershipbindings.list', 'gkehub.membershipbindings.update', 'gkehub.memberships.create', 'gkehub.memberships.delete', 'gkehub.memberships.generateConnectManifest', 'gkehub.memberships.get', 'gkehub.memberships.getIamPolicy', 'gkehub.memberships.list', 'gkehub.memberships.update', 'gkehub.namespaces.create', 'gkehub.namespaces.delete', 'gkehub.namespaces.get', 'gkehub.namespaces.list', 'gkehub.namespaces.update', 'gkehub.operations.cancel', 'gkehub.operations.delete', 'gkehub.operations.get', 'gkehub.operations.list', 'gkehub.rbacrolebindings.create', 'gkehub.rbacrolebindings.delete', 'gkehub.rbacrolebindings.get', 'gkehub.rbacrolebindings.list', 'gkehub.rbacrolebindings.update', 'gkehub.scopes.create', 'gkehub.scopes.delete', 'gkehub.scopes.get', 'gkehub.scopes.getIamPolicy', 'gkehub.scopes.list', 'gkehub.scopes.listBoundMemberships', 'gkehub.scopes.update', 'resourcemanager.projects.get', 'resourcemanager.projects.list'] |
|
GA |
roles/gkehub.scopeAdmin |
Admin access to Fleet Scopes to set IAM Bindings and RBACRoleBindings. |
Fleet Scope Admin |
['gkehub.namespaces.create', 'gkehub.namespaces.delete', 'gkehub.namespaces.get', 'gkehub.namespaces.list', 'gkehub.rbacrolebindings.create', 'gkehub.rbacrolebindings.delete', 'gkehub.rbacrolebindings.get', 'gkehub.rbacrolebindings.list', 'gkehub.rbacrolebindings.update', 'gkehub.scopes.get', 'gkehub.scopes.getIamPolicy', 'gkehub.scopes.listBoundMemberships', 'gkehub.scopes.setIamPolicy'] |
|
GA |
roles/gkehub.scopeViewerProjectLevel |
Role for project-level permissions for viewer of Fleet Scopes. |
Fleet Project-level Scope Viewer |
['gkehub.gateway.generateCredentials', 'gkehub.gateway.get', 'gkehub.memberships.get', 'monitoring.timeSeries.list', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'serviceusage.services.get'] |
|
GA |
roles/gkehub.gatewayReader |
Read-only access to Connect Gateway (gkehub.gateway.get). The role also includes gkehub.gateway.generateCredentials. |
Connect Gateway Reader |
['gkehub.gateway.generateCredentials', 'gkehub.gateway.get', 'gkehub.memberships.get', 'serviceusage.services.get'] |
|
GA |
roles/gkehub.connect |
Ability to set up GKE Connect between external clusters and Google. |
GKE Connect Agent |
['gkehub.endpoints.connect'] |
|
GA |
roles/gkehub.scopeEditorProjectLevel |
Role for project-level permissions for editor of Fleet Scopes. |
Fleet Project-level Scope Editor |
['gkehub.gateway.delete', 'gkehub.gateway.generateCredentials', 'gkehub.gateway.get', 'gkehub.gateway.patch', 'gkehub.gateway.post', 'gkehub.gateway.put', 'gkehub.memberships.get', 'gkehub.operations.get', 'monitoring.timeSeries.list', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'serviceusage.services.get'] |
|
GA |