
Configure the Google Cloud Platform service permissions

To gather data from buckets via Storage, you must have the Viewer or Admin IAM role in the project to create, delete, or modify a bucket. The following table shows details of the IAM roles.

Input Name | Role Title | Logging Permissions | Resource Type
Cloud Monitoring | Monitoring Viewer
  • roles/monitoring.viewer
  • cloudnotifications.activities.list
    monitoring.alertPolicies.get
    monitoring.alertPolicies.list
    monitoring.dashboards.get
    monitoring.dashboards.list
    monitoring.groups.get
    monitoring.groups.list
    monitoring.metricDescriptors.get
    monitoring.metricDescriptors.list
    monitoring.monitoredResourceDescriptors.get
    monitoring.monitoredResourceDescriptors.list
    monitoring.notificationChannelDescriptors.get
    monitoring.notificationChannelDescriptors.list
    monitoring.notificationChannels.get
    monitoring.notificationChannels.list
    monitoring.publicWidgets.get
    monitoring.publicWidgets.list
    monitoring.services.get
    monitoring.services.list
    monitoring.slos.get
    monitoring.slos.list
    monitoring.snoozes.get
    monitoring.snoozes.list
    monitoring.timeSeries.list
    monitoring.uptimeCheckConfigs.get
    monitoring.uptimeCheckConfigs.list
    opsconfigmonitoring.resourceMetadata.list
    resourcemanager.projects.get
    resourcemanager.projects.list
    stackdriver.projects.get
    stackdriver.resourceMetadata.list
    Read-only access to get and list information about all monitoring data and configuration.
Storage bucket | Storage Admin
  • roles/storage.admin

  • firebase.projects.get
    orgpolicy.policy.get
    recommender.iamPolicyInsights.get
    recommender.iamPolicyInsights.list
    recommender.iamPolicyInsights.update
    recommender.iamPolicyRecommendations.get
    recommender.iamPolicyRecommendations.list
    recommender.iamPolicyRecommendations.update
    resourcemanager.projects.get
    resourcemanager.projects.list
    storage.buckets.create
    storage.buckets.createTagBinding
    storage.buckets.delete
    storage.buckets.deleteTagBinding
    storage.buckets.enableObjectRetention
    storage.buckets.get
    storage.buckets.getIamPolicy
    storage.buckets.getObjectInsights
    storage.buckets.list
    storage.buckets.listEffectiveTags
    storage.buckets.listTagBindings
    storage.buckets.setIamPolicy
    storage.buckets.update
    storage.managedFolders.create
    storage.managedFolders.delete
    storage.managedFolders.get
    storage.managedFolders.getIamPolicy
    storage.managedFolders.list
    storage.managedFolders.setIamPolicy
    storage.multipartUploads.abort
    storage.multipartUploads.create
    storage.multipartUploads.list
    storage.multipartUploads.listParts
    storage.objects.create
    storage.objects.delete
    storage.objects.get
    storage.objects.getIamPolicy
    storage.objects.list
    storage.objects.overrideUnlockedRetention
    storage.objects.setIamPolicy
    storage.objects.setRetention
    storage.objects.update
    Grants full control of buckets and objects.
Cloud Pub/Sub Based Bucket | Pub/Sub Viewer
  • roles/pubsub.viewer
  • Pub/Sub Subscriber
  • roles/pubsub.subscriber
  • Storage Object Viewer
  • roles/storage.objectViewer
  • pubsub.schemas.get
    pubsub.schemas.list
    pubsub.schemas.listRevisions
    pubsub.schemas.validate
    pubsub.snapshots.get
    pubsub.snapshots.list
    pubsub.subscriptions.get
    pubsub.subscriptions.list
    pubsub.topics.get
    pubsub.topics.list
    resourcemanager.projects.get
    serviceusage.quotas.get
    serviceusage.services.get
    serviceusage.services.list
    pubsub.snapshots.seek
    pubsub.subscriptions.consume
    pubsub.topics.attachSubscription
    storage.objects.get
    storage.objects.list
    View topics, subscriptions, and snapshots.
    Consume messages from a subscription, attach subscriptions to a topic, and seek to a snapshot.
    Cannot write or create GCS resources.
Metadata/Compute Engine | Compute Viewer
  • roles/compute.viewer
  • compute.acceleratorTypes.get
    compute.acceleratorTypes.list
    compute.addresses.get
    compute.addresses.list
    compute.autoscalers.get
    compute.autoscalers.list
    compute.backendBuckets.get
    compute.backendBuckets.getIamPolicy
    compute.backendBuckets.list
    compute.backendBuckets.listEffectiveTags
    compute.backendBuckets.listTagBindings
    compute.backendServices.get
    compute.backendServices.getIamPolicy
    compute.backendServices.list
    compute.backendServices.listEffectiveTags
    compute.backendServices.listTagBindings
    compute.commitments.get
    compute.commitments.list
    compute.diskTypes.get
    compute.diskTypes.list
    compute.disks.get
    compute.disks.getIamPolicy
    compute.disks.list
    compute.disks.listEffectiveTags
    compute.disks.listTagBindings
    compute.externalVpnGateways.get
    compute.externalVpnGateways.list
    compute.firewallPolicies.get
    compute.firewallPolicies.getIamPolicy
    compute.firewallPolicies.list
    compute.firewallPolicies.listEffectiveTags
    compute.firewallPolicies.listTagBindings
    compute.firewalls.get
    compute.firewalls.list
    compute.firewalls.listEffectiveTags
    compute.firewalls.listTagBindings
    compute.forwardingRules.get
    compute.forwardingRules.list
    compute.forwardingRules.listEffectiveTags
    compute.forwardingRules.listTagBindings
    compute.futureReservations.get
    compute.futureReservations.getIamPolicy
    compute.futureReservations.list
    compute.globalAddresses.get
    compute.globalAddresses.list
    compute.globalForwardingRules.get
    compute.globalForwardingRules.list
    compute.globalForwardingRules.listEffectiveTags
    compute.globalForwardingRules.listTagBindings
    compute.globalForwardingRules.pscGet
    compute.globalNetworkEndpointGroups.get
    compute.globalNetworkEndpointGroups.list
    compute.globalNetworkEndpointGroups.listEffectiveTags
    compute.globalNetworkEndpointGroups.listTagBindings
    compute.globalOperations.get
    compute.globalOperations.getIamPolicy
    compute.globalOperations.list
    compute.globalPublicDelegatedPrefixes.get
    compute.globalPublicDelegatedPrefixes.list
    compute.healthChecks.get
    compute.healthChecks.list
    compute.healthChecks.listEffectiveTags
    compute.healthChecks.listTagBindings
    compute.httpHealthChecks.get
    compute.httpHealthChecks.list
    compute.httpHealthChecks.listEffectiveTags
    compute.httpHealthChecks.listTagBindings
    compute.httpsHealthChecks.get
    compute.httpsHealthChecks.list
    compute.httpsHealthChecks.listEffectiveTags
    compute.httpsHealthChecks.listTagBindings
    compute.images.get
    compute.images.getFromFamily
    compute.images.getIamPolicy
    compute.images.list
    compute.images.listEffectiveTags
    compute.images.listTagBindings
    compute.instanceGroupManagers.get
    compute.instanceGroupManagers.list
    compute.instanceGroupManagers.listEffectiveTags
    compute.instanceGroupManagers.listTagBindings
    compute.instanceGroups.get
    compute.instanceGroups.list
    compute.instanceSettings.get
    compute.instanceTemplates.get
    compute.instanceTemplates.getIamPolicy
    compute.instanceTemplates.list
    compute.instances.get
    compute.instances.getEffectiveFirewalls
    compute.instances.getGuestAttributes
    compute.instances.getIamPolicy
    compute.instances.getScreenshot
    compute.instances.getSerialPortOutput
    compute.instances.getShieldedInstanceIdentity
    compute.instances.getShieldedVmIdentity
    compute.instances.list
    compute.instances.listEffectiveTags
    compute.instances.listReferrers
    compute.instances.listTagBindings
    compute.instantSnapshots.get
    compute.instantSnapshots.getIamPolicy
    compute.instantSnapshots.list
    compute.interconnectAttachments.get
    compute.interconnectAttachments.list
    compute.interconnectLocations.get
    compute.interconnectLocations.list
    compute.interconnectRemoteLocations.get
    compute.interconnectRemoteLocations.list
    compute.interconnects.get
    compute.interconnects.list
    compute.licenseCodes.get
    compute.licenseCodes.getIamPolicy
    compute.licenseCodes.list
    compute.licenses.get
    compute.licenses.getIamPolicy
    compute.licenses.list
    compute.machineImages.get
    compute.machineImages.getIamPolicy
    compute.machineImages.list
    compute.machineTypes.get
    compute.machineTypes.list
    compute.maintenancePolicies.get
    compute.maintenancePolicies.getIamPolicy
    compute.maintenancePolicies.list
    compute.networkAttachments.get
    compute.networkAttachments.getIamPolicy
    compute.networkAttachments.list
    compute.networkEdgeSecurityServices.get
    compute.networkEdgeSecurityServices.list
    compute.networkEndpointGroups.get
    compute.networkEndpointGroups.getIamPolicy
    compute.networkEndpointGroups.list
    compute.networkEndpointGroups.listEffectiveTags
    compute.networkEndpointGroups.listTagBindings
    compute.networks.get
    compute.networks.getEffectiveFirewalls
    compute.networks.getRegionEffectiveFirewalls
    compute.networks.list
    compute.networks.listEffectiveTags
    compute.networks.listPeeringRoutes
    compute.networks.listTagBindings
    compute.nodeGroups.get
    compute.nodeGroups.getIamPolicy
    compute.nodeGroups.list
    compute.nodeTemplates.get
    compute.nodeTemplates.getIamPolicy
    compute.nodeTemplates.list
    compute.nodeTypes.get
    compute.nodeTypes.list
    compute.organizations.listAssociations
    compute.packetMirrorings.get
    compute.packetMirrorings.list
    compute.projects.get
    compute.publicAdvertisedPrefixes.get
    compute.publicAdvertisedPrefixes.list
    compute.publicDelegatedPrefixes.get
    compute.publicDelegatedPrefixes.list
    compute.regionBackendServices.get
    compute.regionBackendServices.getIamPolicy
    compute.regionBackendServices.list
    compute.regionBackendServices.listEffectiveTags
    compute.regionBackendServices.listTagBindings
    compute.regionFirewallPolicies.get
    compute.regionFirewallPolicies.getIamPolicy
    compute.regionFirewallPolicies.list
    compute.regionFirewallPolicies.listEffectiveTags
    compute.regionFirewallPolicies.listTagBindings
    compute.regionHealthCheckServices.get
    compute.regionHealthCheckServices.list
    compute.regionHealthChecks.get
    compute.regionHealthChecks.list
    compute.regionHealthChecks.listEffectiveTags
    compute.regionHealthChecks.listTagBindings
    compute.regionNetworkEndpointGroups.get
    compute.regionNetworkEndpointGroups.list
    compute.regionNetworkEndpointGroups.listEffectiveTags
    compute.regionNetworkEndpointGroups.listTagBindings
    compute.regionNotificationEndpoints.get
    compute.regionNotificationEndpoints.list
    compute.regionOperations.get
    compute.regionOperations.getIamPolicy
    compute.regionOperations.list
    compute.regionSecurityPolicies.get
    compute.regionSecurityPolicies.list
    compute.regionSecurityPolicies.listEffectiveTags
    compute.regionSecurityPolicies.listTagBindings
    compute.regionSslCertificates.get
    compute.regionSslCertificates.list
    compute.regionSslCertificates.listEffectiveTags
    compute.regionSslCertificates.listTagBindings
    compute.regionSslPolicies.get
    compute.regionSslPolicies.list
    compute.regionSslPolicies.listAvailableFeatures
    compute.regionTargetHttpProxies.get
    compute.regionTargetHttpProxies.list
    compute.regionTargetHttpProxies.listEffectiveTags
    compute.regionTargetHttpProxies.listTagBindings
    compute.regionTargetHttpsProxies.get
    compute.regionTargetHttpsProxies.list
    compute.regionTargetHttpsProxies.listEffectiveTags
    compute.regionTargetHttpsProxies.listTagBindings
    compute.regionTargetTcpProxies.get
    compute.regionTargetTcpProxies.list
    compute.regionUrlMaps.get
    compute.regionUrlMaps.list
    compute.regionUrlMaps.listEffectiveTags
    compute.regionUrlMaps.listTagBindings
    compute.regionUrlMaps.validate
    compute.regions.get
    compute.regions.list
    compute.reservations.get
    compute.reservations.list
    compute.resourcePolicies.get
    compute.resourcePolicies.getIamPolicy
    compute.resourcePolicies.list
    compute.routers.get
    compute.routers.getRoutePolicy
    compute.routers.list
    compute.routers.listBgpRoutes
    compute.routers.listRoutePolicies
    compute.routes.get
    compute.routes.list
    compute.routes.listEffectiveTags
    compute.routes.listTagBindings
    compute.securityPolicies.get
    compute.securityPolicies.getIamPolicy
    compute.securityPolicies.list
    compute.securityPolicies.listEffectiveTags
    compute.securityPolicies.listTagBindings
    compute.serviceAttachments.get
    compute.serviceAttachments.getIamPolicy
    compute.serviceAttachments.list
    compute.snapshotSettings.get
    compute.snapshots.get
    compute.snapshots.getIamPolicy
    compute.snapshots.list
    compute.snapshots.listEffectiveTags
    compute.snapshots.listTagBindings
    compute.sslCertificates.get
    compute.sslCertificates.list
    compute.sslCertificates.listEffectiveTags
    compute.sslCertificates.listTagBindings
    compute.sslPolicies.get
    compute.sslPolicies.list
    compute.sslPolicies.listAvailableFeatures
    compute.sslPolicies.listEffectiveTags
    compute.sslPolicies.listTagBindings
    compute.storagePools.get
    compute.storagePools.getIamPolicy
    compute.storagePools.list
    compute.subnetworks.get
    compute.subnetworks.getIamPolicy
    compute.subnetworks.list
    compute.subnetworks.listEffectiveTags
    compute.subnetworks.listTagBindings
    compute.targetGrpcProxies.get
    compute.targetGrpcProxies.list
    compute.targetHttpProxies.get
    compute.targetHttpProxies.list
    compute.targetHttpProxies.listEffectiveTags
    compute.targetHttpProxies.listTagBindings
    compute.targetHttpsProxies.get
    compute.targetHttpsProxies.list
    compute.targetHttpsProxies.listEffectiveTags
    compute.targetHttpsProxies.listTagBindings
    compute.targetInstances.get
    compute.targetInstances.list
    compute.targetInstances.listEffectiveTags
    compute.targetInstances.listTagBindings
    compute.targetPools.get
    compute.targetPools.list
    compute.targetPools.listEffectiveTags
    compute.targetPools.listTagBindings
    compute.targetSslProxies.get
    compute.targetSslProxies.list
    compute.targetSslProxies.listEffectiveTags
    compute.targetSslProxies.listTagBindings
    compute.targetTcpProxies.get
    compute.targetTcpProxies.list
    compute.targetTcpProxies.listEffectiveTags
    compute.targetTcpProxies.listTagBindings
    compute.targetVpnGateways.get
    compute.targetVpnGateways.list
    compute.urlMaps.get
    compute.urlMaps.list
    compute.urlMaps.listEffectiveTags
    compute.urlMaps.listTagBindings
    compute.urlMaps.validate
    compute.vpnGateways.get
    compute.vpnGateways.list
    compute.vpnTunnels.get
    compute.vpnTunnels.list
    compute.zoneOperations.get
    compute.zoneOperations.getIamPolicy
    compute.zoneOperations.list
    compute.zones.get
    compute.zones.list
    resourcemanager.projects.get
    resourcemanager.projects.list
    serviceusage.quotas.get
    serviceusage.services.get
    serviceusage.services.list
    Read-only access to get and list information about all Compute Engine resources, including instances, disks, and firewalls. Allows getting and listing information about disks, images, and snapshots, but does not allow reading the data stored on them.
Metadata/Kubernetes | Kubernetes Engine Viewer
  • roles/container.viewer
  • Kubernetes Engine Service Agent
  • roles/container.serviceAgent
  • container.apiServices.get
    container.apiServices.getStatus
    container.apiServices.list
    container.auditSinks.get
    container.auditSinks.list
    container.backendConfigs.get
    container.backendConfigs.list
    container.bindings.get
    container.bindings.list
    container.certificateSigningRequests.get
    container.certificateSigningRequests.getStatus
    container.certificateSigningRequests.list
    container.clusterRoleBindings.get
    container.clusterRoleBindings.list
    container.clusterRoles.get
    container.clusterRoles.list
    container.clusters.connect
    container.clusters.get
    container.clusters.list
    container.componentStatuses.get
    container.componentStatuses.list
    container.configMaps.get
    container.configMaps.list
    container.controllerRevisions.get
    container.controllerRevisions.list
    container.cronJobs.get
    container.cronJobs.getStatus
    container.cronJobs.list
    container.csiDrivers.get
    container.csiDrivers.list
    container.csiNodeInfos.get
    container.csiNodeInfos.list
    container.csiNodes.get
    container.csiNodes.list
    container.customResourceDefinitions.get
    container.customResourceDefinitions.getStatus
    container.customResourceDefinitions.list
    container.daemonSets.get
    container.daemonSets.getStatus
    container.daemonSets.list
    container.deployments.get
    container.deployments.getScale
    container.deployments.getStatus
    container.deployments.list
    container.endpointSlices.get
    container.endpointSlices.list
    container.endpoints.get
    container.endpoints.list
    container.events.get
    container.events.list
    container.frontendConfigs.get
    container.frontendConfigs.list
    container.horizontalPodAutoscalers.get
    container.horizontalPodAutoscalers.getStatus
    container.horizontalPodAutoscalers.list
    container.ingresses.get
    container.ingresses.getStatus
    container.ingresses.list
    container.initializerConfigurations.get
    container.initializerConfigurations.list
    container.jobs.get
    container.jobs.getStatus
    container.jobs.list
    container.leases.get
    container.leases.list
    container.limitRanges.get
    container.limitRanges.list
    container.managedCertificates.get
    container.managedCertificates.list
    container.mutatingWebhookConfigurations.get
    container.mutatingWebhookConfigurations.list
    container.namespaces.get
    container.namespaces.getStatus
    container.namespaces.list
    container.networkPolicies.get
    container.networkPolicies.list
    container.nodes.get
    container.nodes.getStatus
    container.nodes.list
    container.operations.get
    container.operations.list
    container.persistentVolumeClaims.get
    container.persistentVolumeClaims.getStatus
    container.persistentVolumeClaims.list
    container.persistentVolumes.get
    container.persistentVolumes.getStatus
    container.persistentVolumes.list
    container.petSets.get
    container.petSets.list
    container.podDisruptionBudgets.get
    container.podDisruptionBudgets.getStatus
    container.podDisruptionBudgets.list
    container.podPresets.get
    container.podPresets.list
    container.podSecurityPolicies.get
    container.podSecurityPolicies.list
    container.podTemplates.get
    container.podTemplates.list
    container.pods.get
    container.pods.getStatus
    container.pods.list
    container.priorityClasses.get
    container.priorityClasses.list
    container.replicaSets.get
    container.replicaSets.getScale
    container.replicaSets.getStatus
    container.replicaSets.list
    container.replicationControllers.get
    container.replicationControllers.getScale
    container.replicationControllers.getStatus
    container.replicationControllers.list
    container.resourceQuotas.get
    container.resourceQuotas.getStatus
    container.resourceQuotas.list
    container.roleBindings.get
    container.roleBindings.list
    container.roles.get
    container.roles.list
    container.runtimeClasses.get
    container.runtimeClasses.list
    container.scheduledJobs.get
    container.scheduledJobs.list
    container.serviceAccounts.get
    container.serviceAccounts.list
    container.services.get
    container.services.getStatus
    container.services.list
    container.statefulSets.get
    container.statefulSets.getScale
    container.statefulSets.getStatus
    container.statefulSets.list
    container.storageClasses.get
    container.storageClasses.list
    container.storageStates.get
    container.storageStates.getStatus
    container.storageStates.list
    container.storageVersionMigrations.get
    container.storageVersionMigrations.getStatus
    container.storageVersionMigrations.list
    container.thirdPartyObjects.get
    container.thirdPartyObjects.list
    container.thirdPartyResources.get
    container.thirdPartyResources.list
    container.tokenReviews.create
    container.updateInfos.get
    container.updateInfos.list
    container.validatingWebhookConfigurations.get
    container.validatingWebhookConfigurations.list
    container.volumeAttachments.get
    container.volumeAttachments.getStatus
    container.volumeAttachments.list
    container.volumeSnapshotClasses.get
    container.volumeSnapshotClasses.list
    container.volumeSnapshotContents.get
    container.volumeSnapshotContents.getStatus
    container.volumeSnapshotContents.list
    container.volumeSnapshots.get
    container.volumeSnapshots.list
    recommender.containerDiagnosisInsights.get
    recommender.containerDiagnosisInsights.list
    recommender.containerDiagnosisRecommendations.get
    recommender.containerDiagnosisRecommendations.list
    recommender.locations.get
    recommender.locations.list
    recommender.networkAnalyzerGkeConnectivityInsights.get
    recommender.networkAnalyzerGkeConnectivityInsights.list
    recommender.networkAnalyzerGkeIpAddressInsights.get
    recommender.networkAnalyzerGkeIpAddressInsights.list
    resourcemanager.projects.get
    resourcemanager.projects.list
    Read-only access to Kubernetes Engine resources.
Metadata/VPC | Serverless VPC Access Viewer
  • roles/vpcaccess.viewer
  • resourcemanager.projects.get
    resourcemanager.projects.list
    vpcaccess.connectors.get
    vpcaccess.connectors.list
    vpcaccess.locations.list
    vpcaccess.operations.get
    vpcaccess.operations.list

    Viewer of all Serverless VPC Access resources
Metadata/Cloud Storage | Storage Admin
  • roles/storage.admin
  • firebase.projects.get
    orgpolicy.policy.get
    recommender.iamPolicyInsights.get
    recommender.iamPolicyInsights.list
    recommender.iamPolicyInsights.update
    recommender.iamPolicyRecommendations.get
    recommender.iamPolicyRecommendations.list
    recommender.iamPolicyRecommendations.update
    resourcemanager.projects.get
    resourcemanager.projects.list
    storage.anywhereCaches.create
    storage.anywhereCaches.disable
    storage.anywhereCaches.get
    storage.anywhereCaches.list
    storage.anywhereCaches.pause
    storage.anywhereCaches.resume
    storage.anywhereCaches.update
    storage.bucketOperations.cancel
    storage.bucketOperations.get
    storage.bucketOperations.list
    storage.buckets.create
    storage.buckets.createTagBinding
    storage.buckets.delete
    storage.buckets.deleteTagBinding
    storage.buckets.enableObjectRetention
    storage.buckets.get
    storage.buckets.getIamPolicy
    storage.buckets.getObjectInsights
    storage.buckets.list
    storage.buckets.listEffectiveTags
    storage.buckets.listTagBindings
    storage.buckets.restore
    storage.buckets.setIamPolicy
    storage.buckets.update
    storage.managedFolders.create
    storage.managedFolders.delete
    storage.managedFolders.get
    storage.managedFolders.getIamPolicy
    storage.managedFolders.list
    storage.managedFolders.setIamPolicy
    storage.multipartUploads.abort
    storage.multipartUploads.create
    storage.multipartUploads.list
    storage.multipartUploads.listParts
    storage.objects.create
    storage.objects.delete
    storage.objects.get
    storage.objects.getIamPolicy
    storage.objects.list
    storage.objects.overrideUnlockedRetention
    storage.objects.restore
    storage.objects.setIamPolicy
    storage.objects.setRetention
    storage.objects.update
    Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.
BigQuery | BigQuery Data Viewer
  • roles/bigquery.dataViewer
  • bigquery.datasets.get
    bigquery.datasets.getIamPolicy
    bigquery.models.export
    bigquery.models.getData
    bigquery.models.getMetadata
    bigquery.models.list
    bigquery.routines.get
    bigquery.routines.list
    bigquery.tables.createSnapshot
    bigquery.tables.export
    bigquery.tables.get
    bigquery.tables.getData
    bigquery.tables.getIamPolicy
    bigquery.tables.list
    bigquery.tables.replicateData
    resourcemanager.projects.get
    resourcemanager.projects.list
    Access to view datasets and all of their contents

    When applied to a project, access to run queries, create datasets, read dataset metadata, and list tables. When applied to a dataset, access to read dataset metadata and list tables within the dataset.
BigQuery | BigQuery User
  • roles/bigquery.user
  • bigquery.bireservations.get
    bigquery.capacityCommitments.get
    bigquery.capacityCommitments.list
    bigquery.config.get
    bigquery.datasets.create
    bigquery.datasets.get
    bigquery.datasets.getIamPolicy
    bigquery.jobs.create
    bigquery.jobs.list
    bigquery.models.list
    bigquery.readsessions.create
    bigquery.readsessions.getData
    bigquery.readsessions.update
    bigquery.reservationAssignments.list
    bigquery.reservationAssignments.search
    bigquery.reservations.get
    bigquery.reservations.list
    bigquery.routines.list
    bigquery.savedqueries.get
    bigquery.savedqueries.list
    bigquery.tables.list
    bigquery.transfers.get
    bigquerymigration.translation.translate
    resourcemanager.projects.get
    resourcemanager.projects.list
    Access to view datasets and all of their contents

    When applied to a project, access to run queries, create datasets, read dataset metadata, and list tables. When applied to a dataset, access to read dataset metadata and list tables within the dataset.
Cloud pub/sub lite | Pub/Sub Lite Viewer
  • roles/pubsublite.viewer
  • pubsublite.operations.get
    pubsublite.operations.list
    pubsublite.reservations.get
    pubsublite.reservations.list
    pubsublite.reservations.listTopics
    pubsublite.subscriptions.get
    pubsublite.subscriptions.getCursor
    pubsublite.subscriptions.list
    pubsublite.topics.get
    pubsublite.topics.getPartitions
    pubsublite.topics.list
    pubsublite.topics.listSubscriptions
    View topics, subscriptions and reservations
    Consume messages from a subscription, attach subscriptions to a topic, and seek a snapshot.
    Access to view all resources/projects
Cloud pub/sub lite | Pub/Sub Lite Subscriber
  • roles/pubsublite.subscriber
  • pubsublite.locations.openKafkaStream
    pubsublite.operations.get
    pubsublite.subscriptions.getCursor
    pubsublite.subscriptions.seek
    pubsublite.subscriptions.setCursor
    pubsublite.subscriptions.subscribe
    pubsublite.topics.computeHeadCursor
    pubsublite.topics.computeMessageStats
    pubsublite.topics.computeTimeCursor
    pubsublite.topics.getPartitions
    pubsublite.topics.subscribe
    View topics, subscriptions and reservations
    Consume messages from a subscription, attach subscriptions to a topic, and seek a snapshot.
    Access to view all resources/projects
Cloud pub/sub lite | Serverless VPC Access Viewer
  • roles/vpcaccess.viewer
  • resourcemanager.projects.get
    vpcaccess.connectors.get
    vpcaccess.connectors.list
    vpcaccess.locations.list
    vpcaccess.operations.get
    vpcaccess.operations.list
    View topics, subscriptions and reservations
    Consume messages from a subscription, attach subscriptions to a topic, and seek a snapshot.
    Access to view all resources/projects
Cloud pub/sub | Pub/Sub Viewer
  • roles/pubsub.viewer
  • pubsub.schemas.get
    pubsub.schemas.list
    pubsub.schemas.listRevisions
    pubsub.schemas.validate
    pubsub.snapshots.get
    pubsub.snapshots.list
    pubsub.subscriptions.get
    pubsub.subscriptions.list
    pubsub.topics.get
    pubsub.topics.list
    resourcemanager.projects.get
    serviceusage.quotas.get
    serviceusage.services.get
    serviceusage.services.list
    View topics, subscriptions, and snapshots.
    Consume messages from a subscription, attach subscriptions to a topic, and seek to a snapshot.
Cloud pub/sub | Pub/Sub Subscriber
  • roles/pubsub.subscriber
  • pubsub.snapshots.seek
    pubsub.subscriptions.consume
    pubsub.topics.attachSubscription
    View topics, subscriptions, and snapshots.
    Consume messages from a subscription, attach subscriptions to a topic, and seek to a snapshot.
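
One way to check that the add-on's service account holds the roles this table lists for the inputs you enable, and nothing broader, as an added example (not Splunk's or Google's code). The service account name, the sample policy and the "privileged" heuristic are constructed assumptions; the policy dict has the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`.

```python
"""Audit a project IAM policy against the roles listed in the table above."""

# Role IDs per add-on input, taken from the table above.
# The Pub/Sub Subscriber role ID in IAM is roles/pubsub.subscriber.
REQUIRED_ROLES = {
    "Cloud Monitoring": {"roles/monitoring.viewer"},
    "Storage bucket": {"roles/storage.admin"},
    "Cloud Pub/Sub Based Bucket": {"roles/pubsub.viewer", "roles/pubsub.subscriber",
                                   "roles/storage.objectViewer"},
    "Metadata/Compute Engine": {"roles/compute.viewer"},
    "Metadata/Kubernetes": {"roles/container.viewer", "roles/container.serviceAgent"},
    "Metadata/VPC": {"roles/vpcaccess.viewer"},
    "Metadata/Cloud Storage": {"roles/storage.admin"},
    "BigQuery": {"roles/bigquery.dataViewer", "roles/bigquery.user"},
    "Cloud pub/sub lite": {"roles/pubsublite.viewer", "roles/pubsublite.subscriber",
                           "roles/vpcaccess.viewer"},
    "Cloud pub/sub": {"roles/pubsub.viewer", "roles/pubsub.subscriber"},
}
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def granted_roles(policy, member):
    """Return (unconditional, conditional-only) role sets bound to `member`."""
    member = member.lower()
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in {m.lower() for m in binding.get("members", [])}:
            continue
        # A binding with a "condition" block only applies while its expression holds.
        target = conditional if binding.get("condition") else unconditional
        target.add(binding["role"])
    return unconditional, conditional - unconditional


def is_privileged(role):
    """Heuristic assumed for this example: basic roles and any *admin role."""
    return role in BASIC_ROLES or role.lower().endswith("admin")


def audit(policy, member, enabled_inputs):
    """Compare what `member` is granted with what the enabled inputs need."""
    unknown = [name for name in enabled_inputs if name not in REQUIRED_ROLES]
    if unknown:
        raise KeyError(f"inputs not in the roles table: {unknown}")
    unconditional, conditional = granted_roles(policy, member)
    granted = unconditional | conditional
    needed = set().union(*(REQUIRED_ROLES[name] for name in enabled_inputs))
    missing = {}
    for name in enabled_inputs:
        gap = sorted(REQUIRED_ROLES[name] - granted)
        if gap:
            missing[name] = gap
    return {
        "missing": missing,                      # roles an input needs but lacks
        "extra": sorted(granted - needed),       # granted but needed by no enabled input
        "privileged": sorted(r for r in granted if is_privileged(r)),
        "conditional": sorted(conditional),      # may stop applying (e.g. expiry)
    }


# Constructed sample data: a hypothetical service account and project policy.
SA = "serviceAccount:splunk-ta@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/pubsub.viewer", "members": [SA]},
        {"role": "roles/pubsub.subscriber", "members": [SA, "user:alice@example.com"]},
        {"role": "roles/monitoring.viewer", "members": [SA],
         "condition": {"title": "temporary",
                       "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
        {"role": "roles/editor", "members": [SA]},
        {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
    ],
}

if __name__ == "__main__":
    report = audit(SAMPLE_POLICY, SA, ["Cloud pub/sub", "Cloud Monitoring", "BigQuery"])
    for key, value in report.items():
        print(f"{key}: {value}")
```
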

Configure billing export to Google Cloud Platform

To get your daily usage and cost estimate data into the Splunk Add-on for Google Cloud Platform, you must enable billing data export in your Google Cloud Platform instance using your Google login credentials. For more details, see the Export Billing Data to a File topic in the Google Cloud documentation.

Configure log export to Google Cloud Pub/Sub

To gather data from activity logs via the Pub/Sub API, use your Google credentials to configure log export to Cloud Pub/Sub in your Google Developers Console. You must also have the Owner or the Logging/Logs Configuration Writer IAM role in the project to create, delete, or modify a sink. See the following details of IAM roles:

| Role Name | Role Title | Logging Permissions | Resource Type |
|---|---|---|---|
| roles/owner | Owner | roles/editor logging permissions<br>logging.privateLogEntries.list<br>logging.sinks.{create, delete, update} | project |
| roles/logging.configWriter | Logs Configuration Writer | logging.exclusions.{list, create, get, update, delete}<br>logging.logMetrics.{list, create, get, update, delete}<br>logging.logs.list<br>logging.logServiceIndexes.list<br>logging.logServices.list<br>logging.sinks.{list, create, get, update, delete}<br>resourcemanager.projects.get | project, organization, folder, billing account |

For more information, see the Configure and manage sinks topic in the Google Cloud documentation.