GCP IAM Role Finder
Search and browse GCP predefined IAM roles by permission or service.
Matching Roles
28 roles found
Role (ID) | Service | Stage
Owner (roles/owner) | Basic | GA
Full access to all resources. Can manage roles and permissions, and set up billing for a project.
Editor (roles/editor) | Basic | GA
View and edit access to all resources. Cannot manage roles and permissions.
Viewer (roles/viewer) | Basic | GA
Read-only access to all resources. Cannot make any changes.
IAM Admin (roles/iam.admin) | IAM | GA
Full access to manage IAM policies, roles, and service accounts.
Service Account Admin (roles/iam.serviceAccountAdmin) | IAM | GA
Create and manage service accounts, keys, and IAM policies on service accounts.
Compute Admin (roles/compute.admin) | Compute Engine | GA
Full control of all Compute Engine resources including instances, disks, networks, and firewalls.
Compute Viewer (roles/compute.viewer) | Compute Engine | GA
Read-only access to Compute Engine resources. Cannot start, stop, or modify instances.
Storage Admin (roles/storage.admin) | Cloud Storage | GA
Full control of Cloud Storage buckets and objects, including setting IAM policies.
Storage Object Viewer (roles/storage.objectViewer) | Cloud Storage | GA
Read-only access to Cloud Storage objects. Can view objects and their metadata.
Storage Object Creator (roles/storage.objectCreator) | Cloud Storage | GA
Allows users to create objects in Cloud Storage buckets. Does not grant read or delete access.
BigQuery Admin (roles/bigquery.admin) | BigQuery | GA
Full access to BigQuery resources including datasets, tables, jobs, and data transfers.
BigQuery Data Viewer (roles/bigquery.dataViewer) | BigQuery | GA
Read access to BigQuery datasets and table data. Cannot create or modify resources.
Cloud SQL Admin (roles/cloudsql.admin) | Cloud SQL | GA
Full control of Cloud SQL instances, databases, users, and backups.
Kubernetes Engine Admin (roles/container.admin) | Kubernetes Engine | GA
Full access to GKE clusters, node pools, and workloads.
Kubernetes Engine Cluster Viewer (roles/container.clusterViewer) | Kubernetes Engine | GA
Read-only access to GKE clusters. Can view cluster configurations but not modify them.
Logging Admin (roles/logging.admin) | Cloud Logging | GA
Full control of Cloud Logging resources including log entries, sinks, metrics, and exclusions.
Logs Viewer (roles/logging.viewer) | Cloud Logging | GA
Read-only access to Cloud Logging log entries and log-based metrics.
Monitoring Admin (roles/monitoring.admin) | Cloud Monitoring | GA
Full control of Cloud Monitoring resources including dashboards, alerting policies, and uptime checks.
Monitoring Viewer (roles/monitoring.viewer) | Cloud Monitoring | GA
Read-only access to Cloud Monitoring data including time series, dashboards, and alert policies.
Cloud Functions Admin (roles/cloudfunctions.admin) | Cloud Functions | GA
Full access to Cloud Functions, including creating, updating, deleting, and invoking functions.
Cloud Run Admin (roles/run.admin) | Cloud Run | GA
Full access to Cloud Run services, revisions, jobs, and their IAM policies.
Pub/Sub Admin (roles/pubsub.admin) | Pub/Sub | GA
Full access to Pub/Sub topics, subscriptions, snapshots, and schemas.
Secret Manager Admin (roles/secretmanager.admin) | Secret Manager | GA
Full access to Secret Manager secrets, versions, and their IAM policies.
Secret Manager Secret Accessor (roles/secretmanager.secretAccessor) | Secret Manager | GA
Allows accessing the payload of secrets. Cannot create, update, or delete secrets.
DNS Administrator (roles/dns.admin) | Cloud DNS | GA
Full access to Cloud DNS managed zones, record sets, and DNS policies.
Network Management Admin (roles/networkmanagement.admin) | Network Management | GA
Full access to Network Intelligence Center resources, including connectivity tests.
Cloud Build Editor (roles/cloudbuild.builds.editor) | Cloud Build | GA
Can create and cancel builds, view build details, and manage build triggers.
Artifact Registry Administrator (roles/artifactregistry.admin) | Artifact Registry | GA
Full access to Artifact Registry repositories, packages, and their IAM policies.
Raw JSON
[
{
"name": "roles/owner",
"title": "Owner",
"description": "Full access to all resources. Can manage roles and permissions, and set up billing for a project.",
"service": "Basic",
"stage": "GA",
"permissions": [
"resourcemanager.projects.get",
"resourcemanager.projects.update",
"resourcemanager.projects.delete",
"resourcemanager.projects.setIamPolicy",
"resourcemanager.projects.getIamPolicy",
"billing.accounts.get"
]
},
{
"name": "roles/editor",
"title": "Editor",
"description": "View and edit access to all resources. Cannot manage roles and permissions.",
"service": "Basic",
"stage": "GA",
"permissions": [
"resourcemanager.projects.get",
"resourcemanager.projects.update",
"serviceusage.services.use",
"serviceusage.services.list"
]
},
{
"name": "roles/viewer",
"title": "Viewer",
"description": "Read-only access to all resources. Cannot make any changes.",
"service": "Basic",
"stage": "GA",
"permissions": [
"resourcemanager.projects.get",
"serviceusage.services.list",
"monitoring.timeSeries.list"
]
},
{
"name": "roles/iam.admin",
"title": "IAM Admin",
"description": "Full access to manage IAM policies, roles, and service accounts.",
"service": "IAM",
"stage": "GA",
"permissions": [
"iam.roles.create",
"iam.roles.delete",
"iam.roles.get",
"iam.roles.list",
"iam.roles.update",
"iam.serviceAccounts.create",
"iam.serviceAccounts.delete",
"iam.serviceAccounts.get",
"iam.serviceAccounts.list",
"iam.serviceAccounts.update",
"resourcemanager.projects.getIamPolicy",
"resourcemanager.projects.setIamPolicy"
]
},
{
"name": "roles/iam.serviceAccountAdmin",
"title": "Service Account Admin",
"description": "Create and manage service accounts, keys, and IAM policies on service accounts.",
"service": "IAM",
"stage": "GA",
"permissions": [
"iam.serviceAccounts.create",
"iam.serviceAccounts.delete",
"iam.serviceAccounts.get",
"iam.serviceAccounts.getIamPolicy",
"iam.serviceAccounts.list",
"iam.serviceAccounts.setIamPolicy",
"iam.serviceAccounts.update",
"iam.serviceAccountKeys.create",
"iam.serviceAccountKeys.delete",
"iam.serviceAccountKeys.get",
"iam.serviceAccountKeys.list"
]
},
{
"name": "roles/compute.admin",
"title": "Compute Admin",
"description": "Full control of all Compute Engine resources including instances, disks, networks, and firewalls.",
"service": "Compute Engine",
"stage": "GA",
"permissions": [
"compute.instances.create",
"compute.instances.delete",
"compute.instances.get",
"compute.instances.list",
"compute.instances.start",
"compute.instances.stop",
"compute.instances.setMachineType",
"compute.disks.create",
"compute.disks.delete",
"compute.networks.create",
"compute.firewalls.create",
"compute.firewalls.delete"
]
},
{
"name": "roles/compute.viewer",
"title": "Compute Viewer",
"description": "Read-only access to Compute Engine resources. Cannot start, stop, or modify instances.",
"service": "Compute Engine",
"stage": "GA",
"permissions": [
"compute.instances.get",
"compute.instances.list",
"compute.disks.get",
"compute.disks.list",
"compute.networks.get",
"compute.networks.list",
"compute.firewalls.get",
"compute.firewalls.list",
"compute.zones.get",
"compute.zones.list"
]
},
{
"name": "roles/storage.admin",
"title": "Storage Admin",
"description": "Full control of Cloud Storage buckets and objects, including setting IAM policies.",
"service": "Cloud Storage",
"stage": "GA",
"permissions": [
"storage.buckets.create",
"storage.buckets.delete",
"storage.buckets.get",
"storage.buckets.list",
"storage.buckets.update",
"storage.buckets.setIamPolicy",
"storage.buckets.getIamPolicy",
"storage.objects.create",
"storage.objects.delete",
"storage.objects.get",
"storage.objects.list",
"storage.objects.update"
]
},
{
"name": "roles/storage.objectViewer",
"title": "Storage Object Viewer",
"description": "Read-only access to Cloud Storage objects. Can view objects and their metadata.",
"service": "Cloud Storage",
"stage": "GA",
"permissions": [
"storage.objects.get",
"storage.objects.list"
]
},
{
"name": "roles/storage.objectCreator",
"title": "Storage Object Creator",
"description": "Allows users to create objects in Cloud Storage buckets. Does not grant read or delete access.",
"service": "Cloud Storage",
"stage": "GA",
"permissions": [
"storage.objects.create"
]
},
{
"name": "roles/bigquery.admin",
"title": "BigQuery Admin",
"description": "Full access to BigQuery resources including datasets, tables, jobs, and data transfers.",
"service": "BigQuery",
"stage": "GA",
"permissions": [
"bigquery.datasets.create",
"bigquery.datasets.delete",
"bigquery.datasets.get",
"bigquery.datasets.update",
"bigquery.tables.create",
"bigquery.tables.delete",
"bigquery.tables.get",
"bigquery.tables.getData",
"bigquery.tables.list",
"bigquery.tables.update",
"bigquery.jobs.create",
"bigquery.jobs.list"
]
},
{
"name": "roles/bigquery.dataViewer",
"title": "BigQuery Data Viewer",
"description": "Read access to BigQuery datasets and table data. Cannot create or modify resources.",
"service": "BigQuery",
"stage": "GA",
"permissions": [
"bigquery.datasets.get",
"bigquery.tables.get",
"bigquery.tables.getData",
"bigquery.tables.list"
]
},
{
"name": "roles/cloudsql.admin",
"title": "Cloud SQL Admin",
"description": "Full control of Cloud SQL instances, databases, users, and backups.",
"service": "Cloud SQL",
"stage": "GA",
"permissions": [
"cloudsql.instances.create",
"cloudsql.instances.delete",
"cloudsql.instances.get",
"cloudsql.instances.list",
"cloudsql.instances.update",
"cloudsql.instances.restart",
"cloudsql.databases.create",
"cloudsql.databases.delete",
"cloudsql.databases.get",
"cloudsql.databases.list",
"cloudsql.backupRuns.create",
"cloudsql.backupRuns.get",
"cloudsql.backupRuns.list"
]
},
{
"name": "roles/container.admin",
"title": "Kubernetes Engine Admin",
"description": "Full access to GKE clusters, node pools, and workloads.",
"service": "Kubernetes Engine",
"stage": "GA",
"permissions": [
"container.clusters.create",
"container.clusters.delete",
"container.clusters.get",
"container.clusters.list",
"container.clusters.update",
"container.nodes.get",
"container.nodes.list",
"container.pods.get",
"container.pods.list",
"container.services.get",
"container.services.list",
"container.operations.get",
"container.operations.list"
]
},
{
"name": "roles/container.clusterViewer",
"title": "Kubernetes Engine Cluster Viewer",
"description": "Read-only access to GKE clusters. Can view cluster configurations but not modify them.",
"service": "Kubernetes Engine",
"stage": "GA",
"permissions": [
"container.clusters.get",
"container.clusters.list"
]
},
{
"name": "roles/logging.admin",
"title": "Logging Admin",
"description": "Full control of Cloud Logging resources including log entries, sinks, metrics, and exclusions.",
"service": "Cloud Logging",
"stage": "GA",
"permissions": [
"logging.logEntries.list",
"logging.logEntries.create",
"logging.logs.list",
"logging.logs.delete",
"logging.sinks.create",
"logging.sinks.delete",
"logging.sinks.get",
"logging.sinks.list",
"logging.sinks.update",
"logging.logMetrics.create",
"logging.logMetrics.delete",
"logging.logMetrics.get",
"logging.logMetrics.list",
"logging.logMetrics.update"
]
},
{
"name": "roles/logging.viewer",
"title": "Logs Viewer",
"description": "Read-only access to Cloud Logging log entries and log-based metrics.",
"service": "Cloud Logging",
"stage": "GA",
"permissions": [
"logging.logEntries.list",
"logging.logs.list",
"logging.logMetrics.get",
"logging.logMetrics.list",
"logging.logServiceIndexes.list",
"logging.logServices.list"
]
},
{
"name": "roles/monitoring.admin",
"title": "Monitoring Admin",
"description": "Full control of Cloud Monitoring resources including dashboards, alerting policies, and uptime checks.",
"service": "Cloud Monitoring",
"stage": "GA",
"permissions": [
"monitoring.alertPolicies.create",
"monitoring.alertPolicies.delete",
"monitoring.alertPolicies.get",
"monitoring.alertPolicies.list",
"monitoring.alertPolicies.update",
"monitoring.dashboards.create",
"monitoring.dashboards.delete",
"monitoring.dashboards.get",
"monitoring.dashboards.list",
"monitoring.dashboards.update",
"monitoring.timeSeries.create",
"monitoring.timeSeries.list",
"monitoring.uptimeCheckConfigs.create",
"monitoring.uptimeCheckConfigs.delete",
"monitoring.uptimeCheckConfigs.get",
"monitoring.uptimeCheckConfigs.list"
]
},
{
"name": "roles/monitoring.viewer",
"title": "Monitoring Viewer",
"description": "Read-only access to Cloud Monitoring data including time series, dashboards, and alert policies.",
"service": "Cloud Monitoring",
"stage": "GA",
"permissions": [
"monitoring.alertPolicies.get",
"monitoring.alertPolicies.list",
"monitoring.dashboards.get",
"monitoring.dashboards.list",
"monitoring.timeSeries.list",
"monitoring.uptimeCheckConfigs.get",
"monitoring.uptimeCheckConfigs.list"
]
},
{
"name": "roles/cloudfunctions.admin",
"title": "Cloud Functions Admin",
"description": "Full access to Cloud Functions, including creating, updating, deleting, and invoking functions.",
"service": "Cloud Functions",
"stage": "GA",
"permissions": [
"cloudfunctions.functions.create",
"cloudfunctions.functions.delete",
"cloudfunctions.functions.get",
"cloudfunctions.functions.list",
"cloudfunctions.functions.update",
"cloudfunctions.functions.call",
"cloudfunctions.functions.getIamPolicy",
"cloudfunctions.functions.setIamPolicy",
"cloudfunctions.locations.list",
"cloudfunctions.operations.get",
"cloudfunctions.operations.list"
]
},
{
"name": "roles/run.admin",
"title": "Cloud Run Admin",
"description": "Full access to Cloud Run services, revisions, jobs, and their IAM policies.",
"service": "Cloud Run",
"stage": "GA",
"permissions": [
"run.services.create",
"run.services.delete",
"run.services.get",
"run.services.list",
"run.services.update",
"run.services.getIamPolicy",
"run.services.setIamPolicy",
"run.revisions.get",
"run.revisions.list",
"run.revisions.delete",
"run.jobs.create",
"run.jobs.delete",
"run.jobs.get",
"run.jobs.list",
"run.jobs.run"
]
},
{
"name": "roles/pubsub.admin",
"title": "Pub/Sub Admin",
"description": "Full access to Pub/Sub topics, subscriptions, snapshots, and schemas.",
"service": "Pub/Sub",
"stage": "GA",
"permissions": [
"pubsub.topics.create",
"pubsub.topics.delete",
"pubsub.topics.get",
"pubsub.topics.list",
"pubsub.topics.publish",
"pubsub.topics.update",
"pubsub.topics.getIamPolicy",
"pubsub.topics.setIamPolicy",
"pubsub.subscriptions.create",
"pubsub.subscriptions.delete",
"pubsub.subscriptions.get",
"pubsub.subscriptions.list",
"pubsub.subscriptions.consume",
"pubsub.subscriptions.update"
]
},
{
"name": "roles/secretmanager.admin",
"title": "Secret Manager Admin",
"description": "Full access to Secret Manager secrets, versions, and their IAM policies.",
"service": "Secret Manager",
"stage": "GA",
"permissions": [
"secretmanager.secrets.create",
"secretmanager.secrets.delete",
"secretmanager.secrets.get",
"secretmanager.secrets.list",
"secretmanager.secrets.update",
"secretmanager.secrets.getIamPolicy",
"secretmanager.secrets.setIamPolicy",
"secretmanager.versions.add",
"secretmanager.versions.destroy",
"secretmanager.versions.enable",
"secretmanager.versions.disable",
"secretmanager.versions.get",
"secretmanager.versions.list",
"secretmanager.versions.access"
]
},
{
"name": "roles/secretmanager.secretAccessor",
"title": "Secret Manager Secret Accessor",
"description": "Allows accessing the payload of secrets. Cannot create, update, or delete secrets.",
"service": "Secret Manager",
"stage": "GA",
"permissions": [
"secretmanager.versions.access",
"resourcemanager.projects.get"
]
},
{
"name": "roles/dns.admin",
"title": "DNS Administrator",
"description": "Full access to Cloud DNS managed zones, record sets, and DNS policies.",
"service": "Cloud DNS",
"stage": "GA",
"permissions": [
"dns.managedZones.create",
"dns.managedZones.delete",
"dns.managedZones.get",
"dns.managedZones.list",
"dns.managedZones.update",
"dns.resourceRecordSets.create",
"dns.resourceRecordSets.delete",
"dns.resourceRecordSets.get",
"dns.resourceRecordSets.list",
"dns.resourceRecordSets.update",
"dns.policies.create",
"dns.policies.delete",
"dns.policies.get",
"dns.policies.list",
"dns.policies.update"
]
},
{
"name": "roles/networkmanagement.admin",
"title": "Network Management Admin",
"description": "Full access to Network Intelligence Center resources, including connectivity tests.",
"service": "Network Management",
"stage": "GA",
"permissions": [
"networkmanagement.connectivitytests.create",
"networkmanagement.connectivitytests.delete",
"networkmanagement.connectivitytests.get",
"networkmanagement.connectivitytests.list",
"networkmanagement.connectivitytests.update",
"networkmanagement.connectivitytests.rerun",
"networkmanagement.connectivitytests.getIamPolicy",
"networkmanagement.connectivitytests.setIamPolicy"
]
},
{
"name": "roles/cloudbuild.builds.editor",
"title": "Cloud Build Editor",
"description": "Can create and cancel builds, view build details, and manage build triggers.",
"service": "Cloud Build",
"stage": "GA",
"permissions": [
"cloudbuild.builds.create",
"cloudbuild.builds.get",
"cloudbuild.builds.list",
"cloudbuild.builds.update",
"cloudbuild.triggers.create",
"cloudbuild.triggers.delete",
"cloudbuild.triggers.get",
"cloudbuild.triggers.list",
"cloudbuild.triggers.run",
"cloudbuild.triggers.update",
"cloudbuild.workerpools.get",
"cloudbuild.workerpools.list"
]
},
{
"name": "roles/artifactregistry.admin",
"title": "Artifact Registry Administrator",
"description": "Full access to Artifact Registry repositories, packages, and their IAM policies.",
"service": "Artifact Registry",
"stage": "GA",
"permissions": [
"artifactregistry.repositories.create",
"artifactregistry.repositories.delete",
"artifactregistry.repositories.get",
"artifactregistry.repositories.list",
"artifactregistry.repositories.update",
"artifactregistry.repositories.getIamPolicy",
"artifactregistry.repositories.setIamPolicy",
"artifactregistry.packages.delete",
"artifactregistry.packages.get",
"artifactregistry.packages.list",
"artifactregistry.versions.delete",
"artifactregistry.versions.get",
"artifactregistry.versions.list",
"artifactregistry.tags.create",
"artifactregistry.tags.delete",
"artifactregistry.tags.get",
"artifactregistry.tags.list",
"artifactregistry.tags.update"
]
}
]
Key Takeaways
1. GCP has three role types: basic (primitive), predefined, and custom.
2. Predefined roles are the recommended choice for most production workloads.
3. Always prefer the most specific predefined role over basic roles like Editor.
4. Custom roles let you pick exact permissions when predefined roles are too broad.
5. Use IAM Recommender to identify and remove unused permissions from bindings.
Frequently Asked Questions
How many predefined IAM roles does GCP have?
What is the difference between roles/editor and a predefined role?
Can I see which permissions a role includes?
How do I find which role grants a specific permission?
When should I create a custom IAM role?
Written by CloudToolStack Team
Cloud engineers and architects with hands-on experience across AWS, Azure, and GCP. We write guides based on real-world production patterns, not just documentation rewrites.
Disclaimer: This guide is for educational purposes. Cloud services change frequently; always refer to official documentation for the latest information. AWS, Azure, and GCP are trademarks of their respective owners.