| Name | Binding type | Org admin cluster permissions | User cluster permissions | Escalates to |
|---|---|---|---|---|
| Project IAM Admin | RoleBinding | RoleBinding, ClusterRoleBinding, Role, ClusterRole, ProjectRole, ProjectClusterRole, ProjectRoleBinding, and ProjectClusterRoleBinding: Create, read, update, delete, and bind<br>ProjectServiceAccount: Create, read, update, and delete<br>List project namespace | N/A | All other AO roles |
| AI OCR Developer | RoleBinding | OCR resources: Read and write | N/A | N/A |
| AI Speech Developer | RoleBinding | Speech resources: Read and write | N/A | N/A |
| AI Translation Developer | RoleBinding | Translation resources: Read and write | N/A | N/A |
| Backup Creator | ProjectRoleBinding | N/A | Manual backups and restores: Create, read, and delete<br>Backups, restores, backup plans, and restore plans, volume backups, volume restores, delete backup requests: Read | N/A |
| Dashboard Editor | RoleBinding | Dashboard custom resources: Get, read, create, update, delete, and patch | N/A | N/A |
| Dashboard Viewer | RoleBinding | Dashboard: Get and read | N/A | N/A |
| KMS Admin | RoleBinding | AEADKey: Create, read, update, delete, patch, encrypt, and decrypt<br>SigningKey: Create, read, update, delete, patch, and sign<br>KeyImport and KeyExport: Read | N/A | N/A |
| KMS Creator | RoleBinding | AEADKey and SigningKey: Create and read | N/A | N/A |
| KMS Developer | RoleBinding | AEADKey in the project namespace: Read, encrypt, and decrypt<br>SigningKey in the project namespace: Read and sign | N/A | N/A |
| KMS Key Export Admin | RoleBinding | KeyExport resource: Create, read, update, patch, and delete | N/A | N/A |
| KMS Key Import Admin | RoleBinding | KeyImport resource: Create, read, update, patch, and delete | N/A | N/A |
| KMS Viewer | RoleBinding | AEADKey, SigningKey, KeyImport, KeyExport: Read | N/A | N/A |
| Kubernetes Network Policy Admin | ProjectRoleBinding | N/A | Kubernetes network policies: Read and write in the user cluster | N/A |
| Marketplace Editor | RoleBinding | N/A | Service instances: Create, update, and delete | N/A |
| MonitoringRule Editor | RoleBinding | MonitoringRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| MonitoringRule Viewer | RoleBinding | MonitoringRule custom resources: Read | N/A | N/A |
| MonitoringTarget Editor | RoleBinding | MonitoringTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| MonitoringTarget Viewer | RoleBinding | MonitoringTarget custom resources: Read | N/A | N/A |
| Namespace Admin | ProjectRoleBinding | N/A | All resources: Read and write access in the project namespace, excluding the system cluster | N/A |
| ObservabilityPipeline Editor | RoleBinding | ObservabilityPipeline resources: Get, read, create, update, delete, and patch | N/A | N/A |
| ObservabilityPipeline Viewer | RoleBinding | ObservabilityPipeline resources: Get and read | N/A | N/A |
| Project Bucket Admin | RoleBinding | Bucket: Read and write in the project namespace | N/A | N/A |
| Project Bucket Object Admin | RoleBinding | Bucket: Read<br>Objects: Read and write | N/A | N/A |
| Project Bucket Object Viewer | RoleBinding | Bucket and objects: Read | N/A | N/A |
| Project Network Policy Admin | RoleBinding | Project network policies: Read and write in the project namespace | N/A | N/A |
| Project DB Admin | RoleBinding | Database versions, flags, maintenance policies, software libraries, and database project properties: Read<br>Backup plans and database clusters: Create, read, update, and delete<br>Imports, exports, and restores: Create, read, and delete<br>Secrets: Create, delete, and update<br>Migrations and external servers: Create, read, update, delete, and patch | N/A | N/A |
| Project DB Editor | RoleBinding | Database versions, flags, maintenance policies, software libraries, backup plans, and restores: Read<br>Imports: Create, read, and delete<br>Database clusters: Read and update<br>Secrets: Create and delete | N/A | N/A |
| Project DB Viewer | RoleBinding | Database versions, flags, maintenance policies, software libraries, backup plans, restores, imports, exports, database clusters, and failovers: Read | N/A | N/A |
| Project Viewer | RoleBinding | All resources in the project namespace: Read | N/A | N/A |
| Project VirtualMachine Admin | RoleBinding | Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, restores, and password reset requests: Read, create, update, and delete<br>Virtual machine restart: Put<br>Virtual machine images, backup plans, and backup plan templates: Read | N/A | N/A |
| Project VirtualMachine Image Admin | RoleBinding | VM images: Read<br>VM image imports: Read and write | N/A | N/A |
| Secret Admin | RoleBinding | Kubernetes secrets: Read, create, update, delete, and patch | N/A | N/A |
| Secret Viewer | RoleBinding | Kubernetes secrets: Read | N/A | N/A |
| Service Configuration Admin | RoleBinding | ServiceConfigurations: Read and write | N/A | N/A |
| Service Configuration Viewer | RoleBinding | ServiceConfigurations: Read | N/A | N/A |
| Workbench Notebooks Admin | RoleBinding | N/A | Notebook custom resources (CR) in the project namespace: Create, read, update, and delete<br>ClusterInfo objects: Read | N/A |
| Workbench Notebooks Viewer | RoleBinding | N/A | Notebook custom resources (CR) in the project namespace: Read | N/A |