The following subsections list the Google identity and access management (IAM) permissions granted via Compute Engine access shortcuts.
Use this information when requesting Google Cloud Access permissions.
Read
Read grants the following IAM permissions for the instance or zone:
compute.instances.get
compute.instances.list
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
Write
Write grants the following IAM permissions for the instance or zone:
compute.instances.addAccessConfig
compute.instances.addMaintenancePolicies
compute.instances.addResourcePolicies
compute.instances.attachDisk
compute.instances.createTagBinding
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instances.osLogin
compute.instances.removeMaintenancePolicies
compute.instances.removeResourcePolicies
compute.instances.reset
compute.instances.resume
compute.instances.sendDiagnosticInterrupt
compute.instances.setDeletionProtection
compute.instances.setDiskAutoDelete
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setName
compute.instances.setScheduling
compute.instances.setServiceAccount
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setTags
compute.instances.simulateMaintenanceEvent
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateDisplayDevice
compute.instances.updateNetworkInterface
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.instances.use
compute.instances.useReadOnly
Admin
Admin grants the compute.instanceAdmin predefined role for the instance or zone.
Create
Create grants the compute.instanceAdmin predefined role for both the instance or zone and the region.
SSH
SSH grants the following IAM permissions for the specified instance or zone:
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instances.get
compute.instances.listEffectiveTags
compute.instances.setMetadata
compute.instances.listTagBindings
compute.instances.osLogin
compute.projects.get
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
SSH also grants iam.serviceAccountUser on the specified service account.