GKE Multi-Cloud roles and permissions

This page lists the IAM roles and permissions for GKE Multi-Cloud. To search through all roles and permissions, see the role and permission index.

GKE Multi-Cloud roles

Role Permissions

Anthos Multi-cloud Admin

(roles/gkemulticloud.admin)

Admin access to Anthos Multi-cloud resources.

gkemulticloud.*

  • gkemulticloud.attachedClusters.create
  • gkemulticloud.attachedClusters.createTagBinding
  • gkemulticloud.attachedClusters.delete
  • gkemulticloud.attachedClusters.deleteTagBinding
  • gkemulticloud.attachedClusters.generateInstallManifest
  • gkemulticloud.attachedClusters.get
  • gkemulticloud.attachedClusters.import
  • gkemulticloud.attachedClusters.list
  • gkemulticloud.attachedClusters.listEffectiveTags
  • gkemulticloud.attachedClusters.listTagBindings
  • gkemulticloud.attachedClusters.update
  • gkemulticloud.attachedServerConfigs.get
  • gkemulticloud.awsClusters.create
  • gkemulticloud.awsClusters.delete
  • gkemulticloud.awsClusters.generateAccessToken
  • gkemulticloud.awsClusters.get
  • gkemulticloud.awsClusters.getAdminKubeconfig
  • gkemulticloud.awsClusters.list
  • gkemulticloud.awsClusters.update
  • gkemulticloud.awsNodePools.create
  • gkemulticloud.awsNodePools.delete
  • gkemulticloud.awsNodePools.get
  • gkemulticloud.awsNodePools.list
  • gkemulticloud.awsNodePools.update
  • gkemulticloud.awsServerConfigs.get
  • gkemulticloud.azureClients.create
  • gkemulticloud.azureClients.delete
  • gkemulticloud.azureClients.get
  • gkemulticloud.azureClients.list
  • gkemulticloud.azureClusters.create
  • gkemulticloud.azureClusters.delete
  • gkemulticloud.azureClusters.generateAccessToken
  • gkemulticloud.azureClusters.get
  • gkemulticloud.azureClusters.getAdminKubeconfig
  • gkemulticloud.azureClusters.list
  • gkemulticloud.azureClusters.update
  • gkemulticloud.azureNodePools.create
  • gkemulticloud.azureNodePools.delete
  • gkemulticloud.azureNodePools.get
  • gkemulticloud.azureNodePools.list
  • gkemulticloud.azureNodePools.update
  • gkemulticloud.azureServerConfigs.get
  • gkemulticloud.operations.cancel
  • gkemulticloud.operations.delete
  • gkemulticloud.operations.get
  • gkemulticloud.operations.list
  • gkemulticloud.operations.wait

resourcemanager.projects.get

resourcemanager.projects.list

Anthos Multi-Cloud Container Service Agent

(roles/gkemulticloud.containerServiceAgent)

Grants the Anthos Multi-Cloud Container Service Account access to manage resources.

binaryauthorization.platformPolicies.evaluatePolicy

binaryauthorization.platformPolicies.get

binaryauthorization.platformPolicies.list

binaryauthorization.policy.evaluatePolicy

binaryauthorization.policy.get

cloudnotifications.activities.list

kubernetesmetadata.*

  • kubernetesmetadata.metadata.config
  • kubernetesmetadata.metadata.publish
  • kubernetesmetadata.metadata.snapshot

logging.logEntries.create

logging.logEntries.route

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.alertPolicies.listEffectiveTags

monitoring.alertPolicies.listTagBindings

monitoring.alerts.*

  • monitoring.alerts.get
  • monitoring.alerts.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.dashboards.listEffectiveTags

monitoring.dashboards.listTagBindings

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.*

  • monitoring.timeSeries.create
  • monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

opsconfigmonitoring.*

  • opsconfigmonitoring.resourceMetadata.list
  • opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

stackdriver.projects.get

stackdriver.resourceMetadata.list

telemetry.metrics.write

Anthos Multi-Cloud Control Plane Machine Service Agent

(roles/gkemulticloud.controlPlaneMachineServiceAgent)

Grants the Anthos Multi-Cloud Control Plane Machine Service Account access to manage resources.

artifactregistry.dockerimages.get

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

serviceusage.services.use

Anthos Multi-Cloud Node Pool Machine Service Agent

(roles/gkemulticloud.nodePoolMachineServiceAgent)

Grants the Anthos Multi-Cloud Node Pool Machine Service Account access to manage resources.

artifactregistry.dockerimages.get

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

serviceusage.services.use

Anthos Multi-Cloud Service Agent

(roles/gkemulticloud.serviceAgent)

Grants the Anthos Multi-Cloud Service Account access to manage resources.

gkehub.features.*

  • gkehub.features.create
  • gkehub.features.delete
  • gkehub.features.get
  • gkehub.features.getIamPolicy
  • gkehub.features.list
  • gkehub.features.setIamPolicy
  • gkehub.features.update

gkehub.fleet.*

  • gkehub.fleet.create
  • gkehub.fleet.createFreeTrial
  • gkehub.fleet.delete
  • gkehub.fleet.get
  • gkehub.fleet.getFreeTrial
  • gkehub.fleet.update
  • gkehub.fleet.updateFreeTrial

gkehub.locations.*

  • gkehub.locations.get
  • gkehub.locations.list

gkehub.membershipbindings.*

  • gkehub.membershipbindings.create
  • gkehub.membershipbindings.delete
  • gkehub.membershipbindings.get
  • gkehub.membershipbindings.list
  • gkehub.membershipbindings.update

gkehub.membershipfeatures.*

  • gkehub.membershipfeatures.create
  • gkehub.membershipfeatures.delete
  • gkehub.membershipfeatures.get
  • gkehub.membershipfeatures.list
  • gkehub.membershipfeatures.update

gkehub.memberships.*

  • gkehub.memberships.create
  • gkehub.memberships.delete
  • gkehub.memberships.generateConnectManifest
  • gkehub.memberships.get
  • gkehub.memberships.getIamPolicy
  • gkehub.memberships.list
  • gkehub.memberships.setIamPolicy
  • gkehub.memberships.update

gkehub.namespaces.*

  • gkehub.namespaces.create
  • gkehub.namespaces.delete
  • gkehub.namespaces.get
  • gkehub.namespaces.list
  • gkehub.namespaces.update

gkehub.operations.*

  • gkehub.operations.cancel
  • gkehub.operations.delete
  • gkehub.operations.get
  • gkehub.operations.list

gkehub.rbacrolebindings.*

  • gkehub.rbacrolebindings.create
  • gkehub.rbacrolebindings.delete
  • gkehub.rbacrolebindings.get
  • gkehub.rbacrolebindings.list
  • gkehub.rbacrolebindings.update

gkehub.scopes.create

gkehub.scopes.delete

gkehub.scopes.get

gkehub.scopes.getIamPolicy

gkehub.scopes.list

gkehub.scopes.listBoundMemberships

gkehub.scopes.update

gkemulticloud.awsClusters.delete

gkemulticloud.awsNodePools.delete

gkemulticloud.azureClients.delete

gkemulticloud.azureClusters.delete

gkemulticloud.azureNodePools.delete

resourcemanager.projects.get

resourcemanager.projects.list

Anthos Multi-cloud Telemetry Writer

(roles/gkemulticloud.telemetryWriter)

Grants access to write cluster telemetry data such as logs, metrics, and resource metadata.

kubernetesmetadata.*

  • kubernetesmetadata.metadata.config
  • kubernetesmetadata.metadata.publish
  • kubernetesmetadata.metadata.snapshot

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

opsconfigmonitoring.resourceMetadata.write

telemetry.metrics.write

Anthos Multi-cloud Viewer

(roles/gkemulticloud.viewer)

Viewer access to Anthos Multi-cloud resources.

gkemulticloud.attachedClusters.generateInstallManifest

gkemulticloud.attachedClusters.get

gkemulticloud.attachedClusters.list

gkemulticloud.attachedClusters.listEffectiveTags

gkemulticloud.attachedClusters.listTagBindings

gkemulticloud.attachedServerConfigs.get

gkemulticloud.awsClusters.generateAccessToken

gkemulticloud.awsClusters.get

gkemulticloud.awsClusters.list

gkemulticloud.awsNodePools.get

gkemulticloud.awsNodePools.list

gkemulticloud.awsServerConfigs.get

gkemulticloud.azureClients.get

gkemulticloud.azureClients.list

gkemulticloud.azureClusters.generateAccessToken

gkemulticloud.azureClusters.get

gkemulticloud.azureClusters.list

gkemulticloud.azureNodePools.get

gkemulticloud.azureNodePools.list

gkemulticloud.azureServerConfigs.get

gkemulticloud.operations.get

gkemulticloud.operations.list

gkemulticloud.operations.wait

resourcemanager.projects.get

resourcemanager.projects.list

GKE Multi-Cloud permissions

Permission Included in roles

gkemulticloud.attachedClusters.create

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

gkemulticloud.attachedClusters.createTagBinding

Owner (roles/owner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Tag User (roles/resourcemanager.tagUser)

gkemulticloud.attachedClusters.delete

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

gkemulticloud.attachedClusters.deleteTagBinding

Owner (roles/owner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Tag User (roles/resourcemanager.tagUser)

gkemulticloud.attachedClusters.generateInstallManifest

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Support User (roles/iam.supportUser)

gkemulticloud.attachedClusters.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Support User (roles/iam.supportUser)

gkemulticloud.attachedClusters.import

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

gkemulticloud.attachedClusters.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

gkemulticloud.attachedClusters.listEffectiveTags

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

gkemulticloud.attachedClusters.listTagBindings

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

gkemulticloud.attachedClusters.update

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

gkemulticloud.attachedServerConfigs.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Support User (roles/iam.supportUser)

gkemulticloud.awsClusters.create

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

gkemulticloud.awsClusters.delete

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Service agent roles

gkemulticloud.awsClusters.generateAccessToken

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Support User (roles/iam.supportUser)

gkemulticloud.awsClusters.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Support User (roles/iam.supportUser)

Service agent roles

gkemulticloud.awsClusters.getAdminKubeconfig

Owner (roles/owner)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

gkemulticloud.awsClusters.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

gkemulticloud.awsClusters.update

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

gkemulticloud.awsNodePools.create

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

gkemulticloud.awsNodePools.delete

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Service agent roles

gkemulticloud.awsNodePools.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Support User (roles/iam.supportUser)

gkemulticloud.awsNodePools.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

gkemulticloud.awsNodePools.update

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

gkemulticloud.awsServerConfigs.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Support User (roles/iam.supportUser)

gkemulticloud.azureClients.create

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

gkemulticloud.azureClients.delete

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Service agent roles

gkemulticloud.azureClients.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Support User (roles/iam.supportUser)

gkemulticloud.azureClients.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

gkemulticloud.azureClusters.create

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

gkemulticloud.azureClusters.delete

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Service agent roles

gkemulticloud.azureClusters.generateAccessToken

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Support User (roles/iam.supportUser)

gkemulticloud.azureClusters.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Support User (roles/iam.supportUser)

Service agent roles

gkemulticloud.azureClusters.getAdminKubeconfig

Owner (roles/owner)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

gkemulticloud.azureClusters.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

gkemulticloud.azureClusters.update

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

gkemulticloud.azureNodePools.create

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

gkemulticloud.azureNodePools.delete

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Service agent roles

gkemulticloud.azureNodePools.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Support User (roles/iam.supportUser)

gkemulticloud.azureNodePools.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

gkemulticloud.azureNodePools.update

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

gkemulticloud.azureServerConfigs.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Support User (roles/iam.supportUser)

gkemulticloud.operations.cancel

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

gkemulticloud.operations.delete

Owner (roles/owner)

Editor (roles/editor)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

gkemulticloud.operations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Support User (roles/iam.supportUser)

gkemulticloud.operations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

gkemulticloud.operations.wait

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Anthos Multi-cloud Admin (roles/gkemulticloud.admin)

Anthos Multi-cloud Viewer (roles/gkemulticloud.viewer)

Support User (roles/iam.supportUser)


Last updated 2025-11-10 UTC.