Cloud IAM Roles for Administering Access Context Manager

This page describes the Cloud Identity and Access Management (Cloud IAM) roles required to configure Access Context Manager.

Required roles

The following curated Cloud IAM roles provide the necessary permissions to view or configure access levels using the gcloud command-line tool:

  • Access Context Manager Admin: roles/accesscontextmanager.policyAdmin
  • Access Context Manager Editor: roles/accesscontextmanager.policyEditor
  • Access Context Manager Reader: roles/accesscontextmanager.policyReader

Additionally, to let your users manage Access Context Manager using the Google Cloud Platform Console, the Resource Manager Organization Viewer (roles/resourcemanager.organizationViewer) role is required.

To grant one of these roles, use the GCP Console or use the gcloud command-line tool:

Admin allows read-write access

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/accesscontextmanager.policyAdmin"

Editor allows read-write access

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/accesscontextmanager.policyEditor"

Reader allows read-only access

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/accesscontextmanager.policyReader"

Organization Viewer allows access to VPC Service Controls using the GCP Console

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/resourcemanager.organizationViewer"
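Once bindings are in place, a practitioner usually wants to audit who actually holds these roles and whether console users also have Organization Viewer. The following is an added example, not part of this page or the gcloud tool: it summarises the Access Context Manager bindings in an organization IAM policy (the dict shape that `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` returns), flags read-write grants and conditional bindings, and reports whether each holder also has roles/resourcemanager.organizationViewer. The sample policy and member names are constructed.

```python
# Roles from this page and the access each grants to Access Context Manager.
ACM_ROLES = {
    "roles/accesscontextmanager.policyAdmin": "read-write",
    "roles/accesscontextmanager.policyEditor": "read-write",
    "roles/accesscontextmanager.policyReader": "read-only",
}
# Also required to manage Access Context Manager from the GCP Console.
CONSOLE_ROLE = "roles/resourcemanager.organizationViewer"

def audit_acm_bindings(policy):
    """Summarise who holds Access Context Manager roles in an organization
    IAM policy, given as the dict that `gcloud organizations get-iam-policy
    ORGANIZATION_ID --format=json` produces. Returns {member: summary}."""
    holders = {}
    viewers = set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        # A binding with a condition only applies when the condition holds;
        # flag it instead of silently treating it as unconditional.
        conditional = "condition" in binding
        for member in binding.get("members", []):
            if role == CONSOLE_ROLE:
                viewers.add(member)
            elif role in ACM_ROLES:
                entry = holders.setdefault(member, {"roles": [], "write": False, "conditional": False})
                entry["roles"].append(role)
                entry["write"] |= ACM_ROLES[role] == "read-write"
                entry["conditional"] |= conditional
    for member, entry in holders.items():
        entry["console_ready"] = member in viewers
    return holders

# Constructed sample policy (not from any real organization).
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/accesscontextmanager.policyAdmin",
     "members": ["user:alice@example.com", "group:secops@example.com"]},
    {"role": "roles/accesscontextmanager.policyEditor",
     "members": ["user:carol@example.com"],
     "condition": {"title": "temporary", "expression":
                   "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/accesscontextmanager.policyReader",
     "members": ["user:bob@example.com"]},
    {"role": "roles/resourcemanager.organizationViewer",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
]}

if __name__ == "__main__":
    for member, summary in sorted(audit_acm_bindings(SAMPLE_POLICY).items()):
        print(member, summary)
```

Members listed with `write` set and `console_ready` unset can change access levels through gcloud but cannot manage them in the Console until Organization Viewer is granted.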