Service Networking roles and permissions
Stay organized with collections Save and categorize content based on your preferences.

This page lists the IAM roles and permissions for Service Networking. To search through all roles and permissions, see the role and permission index.

Service Networking roles

Role Permissions

Service Networking Admin ^Beta

(roles/servicenetworking.networksAdmin)

Full control of service networking with projects.

servicenetworking.*

servicenetworking.operations.cancel
servicenetworking.operations.delete
servicenetworking.operations.get
servicenetworking.operations.list
servicenetworking.services.addDnsRecordSet
servicenetworking.services.addDnsZone
servicenetworking.services.addPeering
servicenetworking.services.addSubnetwork
servicenetworking.services.createPeeredDnsDomain
servicenetworking.services.deleteConnection
servicenetworking.services.deletePeeredDnsDomain
servicenetworking.services.disableVpcServiceControls
servicenetworking.services.enableVpcServiceControls
servicenetworking.services.get
servicenetworking.services.getConsumerConfig
servicenetworking.services.listPeeredDnsDomains
servicenetworking.services.removeDnsRecordSet
servicenetworking.services.removeDnsZone
servicenetworking.services.updateConsumerConfig
servicenetworking.services.updateDnsRecordSet
servicenetworking.services.use

Service Networking Service Agent

(roles/servicenetworking.serviceAgent)

Gives permission to manage network configuration, such as establishing network peering, necessary for service producers

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalOperations.get

compute.networks.addPeering

compute.networks.create

compute.networks.delete

compute.networks.get

compute.networks.list

compute.networks.listPeeringRoutes

compute.networks.removePeering

compute.networks.update

compute.networks.updatePeering

compute.networks.updatePolicy

compute.projects.get

compute.regionOperations.get

compute.routers.get

compute.routers.list

compute.routes.list

compute.subnetworks.create

compute.subnetworks.delete

compute.subnetworks.get

compute.subnetworks.list

dns.changes.*

dns.changes.create
dns.changes.get
dns.changes.list

dns.dnsKeys.*

dns.dnsKeys.get
dns.dnsKeys.list

dns.gkeClusters.*

dns.gkeClusters.bindDNSResponsePolicy
dns.gkeClusters.bindPrivateDNSZone

dns.managedZoneOperations.*

dns.managedZoneOperations.get
dns.managedZoneOperations.list

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.update

dns.networks.*

dns.networks.bindDNSResponsePolicy
dns.networks.bindPrivateDNSPolicy
dns.networks.bindPrivateDNSZone
dns.networks.targetWithPeeringZone
dns.networks.useHealthSignals

dns.policies.*

dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.list
dns.policies.update

dns.projects.get

dns.resourceRecordSets.*

dns.resourceRecordSets.create
dns.resourceRecordSets.delete
dns.resourceRecordSets.get
dns.resourceRecordSets.list
dns.resourceRecordSets.update

dns.responsePolicies.*

dns.responsePolicies.create
dns.responsePolicies.delete
dns.responsePolicies.get
dns.responsePolicies.list
dns.responsePolicies.update

dns.responsePolicyRules.*

dns.responsePolicyRules.create
dns.responsePolicyRules.delete
dns.responsePolicyRules.get
dns.responsePolicyRules.list
dns.responsePolicyRules.update

networkconnectivity.internalRanges.list

resourcemanager.projects.get

resourcemanager.projects.list

Service Networking permissions

Permission	Included in roles
`servicenetworking.operations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) Service Networking Admin (`roles/servicenetworking.networksAdmin`)
`servicenetworking.operations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Service Networking Admin (`roles/servicenetworking.networksAdmin`)
`servicenetworking.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Service Networking Admin (`roles/servicenetworking.networksAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`servicenetworking.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service Networking Admin (`roles/servicenetworking.networksAdmin`)
`servicenetworking.services.addDnsRecordSet`	Owner (`roles/owner`) Editor (`roles/editor`) Service Networking Admin (`roles/servicenetworking.networksAdmin`)
`servicenetworking.services.addDnsZone`	Owner (`roles/owner`) Editor (`roles/editor`) Service Networking Admin (`roles/servicenetworking.networksAdmin`)
`servicenetworking.services.addPeering`	Owner (`roles/owner`) Compute Network Admin (`roles/compute.networkAdmin`) Service Networking Admin (`roles/servicenetworking.networksAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`servicenetworking.services.addSubnetwork`	Owner (`roles/owner`) Editor (`roles/editor`) Service Networking Admin (`roles/servicenetworking.networksAdmin`)
`servicenetworking.services.createPeeredDnsDomain`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Service Networking Admin (`roles/servicenetworking.networksAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`servicenetworking.services.deleteConnection`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Service Networking Admin (`roles/servicenetworking.networksAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`servicenetworking.services.deletePeeredDnsDomain`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Service Networking Admin (`roles/servicenetworking.networksAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`servicenetworking.services.disableVpcServiceControls`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Service Networking Admin (`roles/servicenetworking.networksAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`servicenetworking.services.enableVpcServiceControls`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Service Networking Admin (`roles/servicenetworking.networksAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`servicenetworking.services.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Compute Network User (`roles/compute.networkUser`) Compute Network Viewer (`roles/compute.networkViewer`) Service Networking Admin (`roles/servicenetworking.networksAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`servicenetworking.services.getConsumerConfig`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Service Networking Admin (`roles/servicenetworking.networksAdmin`)
`servicenetworking.services.listPeeredDnsDomains`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Service Networking Admin (`roles/servicenetworking.networksAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`servicenetworking.services.removeDnsRecordSet`	Owner (`roles/owner`) Editor (`roles/editor`) Service Networking Admin (`roles/servicenetworking.networksAdmin`)
`servicenetworking.services.removeDnsZone`	Owner (`roles/owner`) Editor (`roles/editor`) Service Networking Admin (`roles/servicenetworking.networksAdmin`)
`servicenetworking.services.updateConsumerConfig`	Owner (`roles/owner`) Editor (`roles/editor`) Service Networking Admin (`roles/servicenetworking.networksAdmin`)
`servicenetworking.services.updateDnsRecordSet`	Owner (`roles/owner`) Editor (`roles/editor`) Service Networking Admin (`roles/servicenetworking.networksAdmin`)
`servicenetworking.services.use`	Owner (`roles/owner`) Editor (`roles/editor`) Service Networking Admin (`roles/servicenetworking.networksAdmin`)

Service Networking roles and permissions
Stay organized with collections Save and categorize content based on your preferences.