API Gateway roles and permissions

This page lists the IAM roles and permissions for API Gateway. To search through all roles and permissions, see the role and permission index.

API Gateway roles

Role Permissions

ApiGateway Admin

(roles/apigateway.admin)

Full access to ApiGateway and related resources.

apigateway.*

  • apigateway.apiconfigs.create
  • apigateway.apiconfigs.delete
  • apigateway.apiconfigs.get
  • apigateway.apiconfigs.getIamPolicy
  • apigateway.apiconfigs.list
  • apigateway.apiconfigs.setIamPolicy
  • apigateway.apiconfigs.update
  • apigateway.apis.create
  • apigateway.apis.createTagBinding
  • apigateway.apis.delete
  • apigateway.apis.deleteTagBinding
  • apigateway.apis.get
  • apigateway.apis.getIamPolicy
  • apigateway.apis.list
  • apigateway.apis.listEffectiveTags
  • apigateway.apis.listTagBindings
  • apigateway.apis.setIamPolicy
  • apigateway.apis.update
  • apigateway.gateways.create
  • apigateway.gateways.createTagBinding
  • apigateway.gateways.delete
  • apigateway.gateways.deleteTagBinding
  • apigateway.gateways.get
  • apigateway.gateways.getIamPolicy
  • apigateway.gateways.list
  • apigateway.gateways.listEffectiveTags
  • apigateway.gateways.listTagBindings
  • apigateway.gateways.setIamPolicy
  • apigateway.gateways.update
  • apigateway.locations.get
  • apigateway.locations.list
  • apigateway.operations.cancel
  • apigateway.operations.delete
  • apigateway.operations.get
  • apigateway.operations.list

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

servicemanagement.services.get

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.get

serviceusage.services.list

serviceusage.values.test

Cloud API Gateway Service Agent

(roles/apigateway.serviceAgent)

Gives Cloud API Gateway service account access to Service Management check and reports as well as impersonation on user-specified service accounts.

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

servicemanagement.services.check

servicemanagement.services.quota

servicemanagement.services.report

ApiGateway Viewer

(roles/apigateway.viewer)

Read-only access to ApiGateway and related resources.

apigateway.apiconfigs.get

apigateway.apiconfigs.getIamPolicy

apigateway.apiconfigs.list

apigateway.apis.get

apigateway.apis.getIamPolicy

apigateway.apis.list

apigateway.apis.listEffectiveTags

apigateway.apis.listTagBindings

apigateway.gateways.get

apigateway.gateways.getIamPolicy

apigateway.gateways.list

apigateway.gateways.listEffectiveTags

apigateway.gateways.listTagBindings

apigateway.locations.*

  • apigateway.locations.get
  • apigateway.locations.list

apigateway.operations.get

apigateway.operations.list

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

servicemanagement.services.get

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.get

serviceusage.services.list

serviceusage.values.test

Cloud API Gateway Management Service Agent

(roles/apigateway_management.serviceAgent)

Gives Cloud API Gateway service account access to retrieve a Service configuration.

iam.serviceAccounts.get

servicemanagement.services.create

servicemanagement.services.delete

servicemanagement.services.get

servicemanagement.services.list

servicemanagement.services.update

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.get

serviceusage.values.test

API Gateway permissions

Permission Included in roles

apigateway.apiconfigs.create

Owner (roles/owner)

Editor (roles/editor)

ApiGateway Admin (roles/apigateway.admin)

apigateway.apiconfigs.delete

Owner (roles/owner)

Editor (roles/editor)

ApiGateway Admin (roles/apigateway.admin)

apigateway.apiconfigs.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

ApiGateway Admin (roles/apigateway.admin)

ApiGateway Viewer (roles/apigateway.viewer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Service agent roles

apigateway.apiconfigs.getIamPolicy

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

ApiGateway Admin (roles/apigateway.admin)

ApiGateway Viewer (roles/apigateway.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

apigateway.apiconfigs.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

ApiGateway Admin (roles/apigateway.admin)

ApiGateway Viewer (roles/apigateway.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

apigateway.apiconfigs.setIamPolicy

Owner (roles/owner)

ApiGateway Admin (roles/apigateway.admin)

Security Admin (roles/iam.securityAdmin)

apigateway.apiconfigs.update

Owner (roles/owner)

Editor (roles/editor)

ApiGateway Admin (roles/apigateway.admin)

apigateway.apis.create

Owner (roles/owner)

Editor (roles/editor)

ApiGateway Admin (roles/apigateway.admin)

apigateway.apis.createTagBinding

Owner (roles/owner)

ApiGateway Admin (roles/apigateway.admin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Tag User (roles/resourcemanager.tagUser)

apigateway.apis.delete

Owner (roles/owner)

Editor (roles/editor)

ApiGateway Admin (roles/apigateway.admin)

apigateway.apis.deleteTagBinding

Owner (roles/owner)

ApiGateway Admin (roles/apigateway.admin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Tag User (roles/resourcemanager.tagUser)

apigateway.apis.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

ApiGateway Admin (roles/apigateway.admin)

ApiGateway Viewer (roles/apigateway.viewer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

apigateway.apis.getIamPolicy

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

ApiGateway Admin (roles/apigateway.admin)

ApiGateway Viewer (roles/apigateway.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

apigateway.apis.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

ApiGateway Admin (roles/apigateway.admin)

ApiGateway Viewer (roles/apigateway.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

apigateway.apis.listEffectiveTags

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

ApiGateway Admin (roles/apigateway.admin)

ApiGateway Viewer (roles/apigateway.viewer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

apigateway.apis.listTagBindings

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

ApiGateway Admin (roles/apigateway.admin)

ApiGateway Viewer (roles/apigateway.viewer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

apigateway.apis.setIamPolicy

Owner (roles/owner)

ApiGateway Admin (roles/apigateway.admin)

Security Admin (roles/iam.securityAdmin)

apigateway.apis.update

Owner (roles/owner)

Editor (roles/editor)

ApiGateway Admin (roles/apigateway.admin)

apigateway.gateways.create

Owner (roles/owner)

Editor (roles/editor)

ApiGateway Admin (roles/apigateway.admin)

apigateway.gateways.createTagBinding

Owner (roles/owner)

ApiGateway Admin (roles/apigateway.admin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Tag User (roles/resourcemanager.tagUser)

apigateway.gateways.delete

Owner (roles/owner)

Editor (roles/editor)

ApiGateway Admin (roles/apigateway.admin)

apigateway.gateways.deleteTagBinding

Owner (roles/owner)

ApiGateway Admin (roles/apigateway.admin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Tag User (roles/resourcemanager.tagUser)

apigateway.gateways.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

ApiGateway Admin (roles/apigateway.admin)

ApiGateway Viewer (roles/apigateway.viewer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

apigateway.gateways.getIamPolicy

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

ApiGateway Admin (roles/apigateway.admin)

ApiGateway Viewer (roles/apigateway.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

apigateway.gateways.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

ApiGateway Admin (roles/apigateway.admin)

ApiGateway Viewer (roles/apigateway.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

apigateway.gateways.listEffectiveTags

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

ApiGateway Admin (roles/apigateway.admin)

ApiGateway Viewer (roles/apigateway.viewer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

apigateway.gateways.listTagBindings

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

ApiGateway Admin (roles/apigateway.admin)

ApiGateway Viewer (roles/apigateway.viewer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

apigateway.gateways.setIamPolicy

Owner (roles/owner)

ApiGateway Admin (roles/apigateway.admin)

Security Admin (roles/iam.securityAdmin)

apigateway.gateways.update

Owner (roles/owner)

Editor (roles/editor)

ApiGateway Admin (roles/apigateway.admin)

apigateway.locations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

ApiGateway Admin (roles/apigateway.admin)

ApiGateway Viewer (roles/apigateway.viewer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

apigateway.locations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

ApiGateway Admin (roles/apigateway.admin)

ApiGateway Viewer (roles/apigateway.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

apigateway.operations.cancel

Owner (roles/owner)

Editor (roles/editor)

ApiGateway Admin (roles/apigateway.admin)

apigateway.operations.delete

Owner (roles/owner)

Editor (roles/editor)

ApiGateway Admin (roles/apigateway.admin)

apigateway.operations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

ApiGateway Admin (roles/apigateway.admin)

ApiGateway Viewer (roles/apigateway.viewer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

apigateway.operations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

ApiGateway Admin (roles/apigateway.admin)

ApiGateway Viewer (roles/apigateway.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-11-10 UTC.