Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
IAM lets you control who (users) has what access (roles) to which resources by setting allow policies. Allow policies grant specific roles to a user giving the user certain permissions.
This page explains the IAM permissions and roles you can use to manage access to projects. For more information, see Manage access to projects, folders, and organizations.
Note: You can also use deny policies to prevent principals from using specific IAM permissions. For more information, see Deny policies.
Note: If you're getting started with Google Cloud, you can set up your resource hierarchy and grant initial access as part of the Google Cloud setup process.
Permissions and roles
To control access to resources, Google Cloud requires that accounts making API requests have appropriate IAM roles. IAM roles include permissions that allow users to perform specific actions on Google Cloud resources. For example, the resourcemanager.projects.delete permission allows a user to delete a project.
You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them. You grant these roles on a particular resource, but they also apply to all of that resource's descendants in the resource hierarchy.
Permissions
To manage projects, the caller must have a role that includes the following permissions. The role is granted on the organization resource or folder that contains the projects:
Using predefined roles
IAM predefined roles allow you to carefully manage the set of permissions that your users have access to. For a full list of the roles that can be granted at the project level, see Understanding Roles.
The following table lists the predefined roles that you can use to grant access to a project. Each role includes a description of what the role does, and the permissions included in that role.
Role: Project Creator (roles/resourcemanager.projectCreator)
Description: Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project.
Lowest-level resources where you can grant this role:
Permissions:
resourcemanager.organizations.get
resourcemanager.projects.create

Role: Project Deleter (roles/resourcemanager.projectDeleter)
Description: Provides access to delete Google Cloud projects.
Lowest-level resources where you can grant this role:
Permissions:
resourcemanager.projects.delete

Role: Project Mover (roles/resourcemanager.projectMover)
Description: Provides access to update and move projects.
Lowest-level resources where you can grant this role:
Permissions:
resourcemanager.projects.get
resourcemanager.projects.move
resourcemanager.projects.update

Role: Project IAM Admin (roles/resourcemanager.projectIamAdmin)
Description: Provides permissions to administer allow policies on projects.
Lowest-level resources where you can grant this role:
Permissions:
iam.policybindings.*
iam.policybindings.get
iam.policybindings.list
resourcemanager.projects.createPolicyBinding
resourcemanager.projects.deletePolicyBinding
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.searchPolicyBindings
resourcemanager.projects.setIamPolicy
resourcemanager.projects.updatePolicyBinding

Role: Browser (roles/browser)
Description: Read access to browse the hierarchy for a project, including the folder, organization, and allow policy. This role doesn't include permission to view resources in the project.
Lowest-level resources where you can grant this role:
Permissions:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Avoid using basic roles except when absolutely necessary. These roles are very powerful, and include a large number of permissions across all Google Cloud services. For more details on when you should use basic roles, see Basic roles.
Role / Description / Permissions
roles/owner: Full access to all resources. All permissions for all resources.
roles/editor: Edit access to most resources. Create and update access for most resources.
roles/viewer: Read access to most resources. Get and list access for most resources.
Creating custom roles
In addition to the predefined roles described in this topic, you can also create custom roles that are collections of permissions that you tailor to your needs. When creating a custom role for use with Resource Manager, be aware of the following points:
- resourcemanager.projects.get and resourcemanager.projects.list should always be granted as a pair.
- A custom role that includes the folders.list and folders.get permissions should also include projects.list and projects.get.
- The setIamPolicy permission for organization, folder, and project resources allows the user to grant all other permissions, and so should be assigned with care.
You can grant roles to users at the project level using the Google Cloud console, the Cloud Resource Manager API, and the Google Cloud CLI. For instructions, see Granting, Changing, and Revoking Access.
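The three custom-role caveats above can be checked mechanically before a role is created. The following linter is an added example, not Google's code; it assumes only that a custom role description carries an includedPermissions list, as gcloud iam roles describe --format=json returns, and the SAMPLE_ROLE document is constructed.

```python
"""Lint a custom role definition against the Resource Manager caveats."""
from typing import Dict, List

# Caveat 1: projects.get and projects.list should always travel together.
PROJECT_PAIR = ("resourcemanager.projects.get", "resourcemanager.projects.list")
# Caveat 2: a role that can browse folders should also be able to browse projects.
FOLDER_PAIR = ("resourcemanager.folders.get", "resourcemanager.folders.list")
# Caveat 3: setIamPolicy on any of these resources lets the holder grant everything else.
SET_IAM_POLICY = {
    "resourcemanager.organizations.setIamPolicy",
    "resourcemanager.folders.setIamPolicy",
    "resourcemanager.projects.setIamPolicy",
}


def lint_custom_role(role: Dict) -> List[str]:
    """Return one human-readable finding per caveat the role violates or triggers."""
    perms = set(role.get("includedPermissions", []))
    findings: List[str] = []
    get_p, list_p = PROJECT_PAIR
    if (get_p in perms) != (list_p in perms):
        findings.append(f"{get_p} and {list_p} should be granted as a pair")
    if set(FOLDER_PAIR) <= perms and not set(PROJECT_PAIR) <= perms:
        findings.append("folders.get/list present without projects.get/list")
    for perm in sorted(SET_IAM_POLICY & perms):
        findings.append(f"{perm} allows granting all other permissions; assign with care")
    return findings


# Constructed sample: a hypothetical project-level custom role that trips all three caveats.
SAMPLE_ROLE = {
    "name": "projects/example-project/roles/hierarchyBrowser",
    "includedPermissions": [
        "resourcemanager.folders.get",
        "resourcemanager.folders.list",
        "resourcemanager.projects.get",
        "resourcemanager.projects.setIamPolicy",
    ],
}

if __name__ == "__main__":
    for finding in lint_custom_role(SAMPLE_ROLE):
        print("-", finding)
```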
Default roles
When you create a project, you are granted the roles/owner role for the project to provide you full control as the creator. This default role can be changed as normal in an allow policy.
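Because the creator's default roles/owner binding and any other basic-role bindings stay in the allow policy until someone changes them, it is worth reviewing the policy for them. The following audit is an added example, not Google's code; POLICY_JSON is a constructed document in the shape that gcloud projects get-iam-policy PROJECT --format=json returns, and the member identities are placeholders.

```python
"""Flag basic-role bindings and policy-administering roles in a project allow policy."""
import json
from typing import Dict, List, Tuple

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Roles listed on this page whose permissions include resourcemanager.projects.setIamPolicy.
POLICY_ADMIN_ROLES = {"roles/owner", "roles/resourcemanager.projectIamAdmin"}

# Constructed sample policy (etag and members are placeholders).
POLICY_JSON = """{
  "version": 1,
  "etag": "BwConstructedEtag",
  "bindings": [
    {"role": "roles/owner", "members": ["user:creator@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:build@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/resourcemanager.projectIamAdmin",
     "members": ["group:iam-admins@example.com"]},
    {"role": "roles/browser", "members": ["user:auditor@example.com"]}
  ]
}"""

Finding = Tuple[str, str, str]  # (reason, role, member)


def audit_policy(policy: Dict) -> List[Finding]:
    """Return one finding per (role, member) pair that deserves review."""
    findings: List[Finding] = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in BASIC_ROLES:
                findings.append(("basic role", role, member))
            if role in POLICY_ADMIN_ROLES:
                findings.append(("can set IAM policy", role, member))
    return findings


def audit_policy_json(text: str) -> List[Finding]:
    """Parse a get-iam-policy JSON document and audit it."""
    return audit_policy(json.loads(text))


if __name__ == "__main__":
    for reason, role, member in audit_policy_json(POLICY_JSON):
        print(f"{reason:<20}{role:<45}{member}")
```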
VPC Service Controls
VPC Service Controls can provide additional security when using the Cloud Resource Manager API. To learn more about VPC Service Controls, see the VPC Service Controls overview.
To learn about the current limitations in using Resource Manager with VPC Service Controls, see the supported products and limitations page.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-10-03 UTC.