Compute Engine

The following subsections list the Google identify and access management (IAM) permissions, granted via Compute Engine access shortcuts.

Use this information when requesting Google Cloud Access permissions.

Read

Read grants the following IAM permissions for the instance or zone:

          compute.instances.get
          compute.instances.list
          compute.instances.getEffectiveFirewalls
          compute.instances.getGuestAttributes
          compute.instances.getScreenshot
          compute.instances.getSerialPortOutput
          compute.instances.getShieldedInstanceIdentity
          compute.instances.getShieldedVmIdentity
          compute.instances.listEffectiveTags
          compute.instances.listReferrers
          compute.instances.listTagBindings

Write

Write grants the following IAM permissions for the instance or zone:

          compute.instances.addAccessConfig
          compute.instances.addMaintenancePolicies
          compute.instances.addResourcePolicies
          compute.instances.attachDisk
          compute.instances.createTagBinding
          compute.instances.delete
          compute.instances.deleteAccessConfig
          compute.instances.deleteTagBinding
          compute.instances.detachDisk
          compute.instances.get
          compute.instances.getEffectiveFirewalls
          compute.instances.getGuestAttributes
          compute.instances.getScreenshot
          compute.instances.getSerialPortOutput
          compute.instances.getShieldedInstanceIdentity
          compute.instances.getShieldedVmIdentity
          compute.instances.list
          compute.instances.listEffectiveTags
          compute.instances.listReferrers
          compute.instances.listTagBindings
          compute.instances.osLogin
          compute.instances.removeMaintenancePolicies
          compute.instances.removeResourcePolicies
          compute.instances.reset
          compute.instances.resume
          compute.instances.sendDiagnosticInterrupt
          compute.instances.setDeletionProtection
          compute.instances.setDiskAutoDelete
          compute.instances.setLabels
          compute.instances.setMachineResources
          compute.instances.setMachineType
          compute.instances.setMetadata
          compute.instances.setMinCpuPlatform
          compute.instances.setName
          compute.instances.setScheduling
          compute.instances.setServiceAccount
          compute.instances.setShieldedInstanceIntegrityPolicy
          compute.instances.setTags
          compute.instances.simulateMaintenanceEvent
          compute.instances.start
          compute.instances.startWithEncryptionKey
          compute.instances.stop
          compute.instances.suspend
          compute.instances.update
          compute.instances.updateAccessConfig
          compute.instances.updateDisplayDevice
          compute.instances.updateNetworkInterface
          compute.instances.updateSecurity
          compute.instances.updateShieldedInstanceConfig
          compute.instances.updateShieldedVmConfig
          compute.instances.use
          compute.instances.useReadOnly

Admin

Admin grants the compute.instanceAdmin predefined role for the instance or zone.

Create

Create grants the compute.instanceAdmin predefined role for both the instance / zone and the region.

SSH

SSH grants the following IAM permissions for the specified instance or zone:

          compute.disks.listEffectiveTags
          compute.disks.listTagBindings
          compute.images.listEffectiveTags
          compute.images.listTagBindings
          compute.instances.get
          compute.instances.listEffectiveTags
          compute.instances.setMetadata
          compute.instances.listTagBindings
          compute.instances.osLogin
          compute.projects.get
          compute.snapshots.listEffectiveTags
          compute.snapshots.listTagBindings

Grants iam.serviceAccountUser on the service account specified

PreviousCloud Storage NextCloud Run invocation

Last updated 1 year ago