IAM roles for Networking-related Job Functions

Note: Identity and Access Management (IAM) offers predefined roles that are tailored to specific job functions. If you want to give a user the necessary permissions to perform a specific job function in your organization, consider granting one of these predefined roles. To determine if IAM offers a predefined role for your use case, see Predefined roles for job functions.

This topic shows how to configure Identity and Access Management (IAM) permissions for networking scenarios. It provides guidance on which IAM roles to grant to the networking-related functional roles in your company for each scenario. This content is mainly targeted at network administrators and employees who manage networking tasks for an organization. The scenarios described below all assume that a Google Cloud organization is configured.

This document does not explain the networking roles and permissions in detail. For a detailed description of the roles and permissions associated with the Compute and networking APIs, read Predefined Compute Engine IAM roles.

Single team manages security & network for organization

In this scenario, a large organization has a central team that manages security and networking controls for the entire organization. Developers do not have permissions to make changes to any network or security settings defined by the security and networking team, but they are granted permission to create resources such as virtual machines in shared subnets.

To facilitate this, the organization makes use of a shared VPC (Virtual Private Cloud). A shared VPC allows the creation of a VPC network of RFC 1918 IP spaces in a host project that associated projects (service projects) can then use. Developers using the associated projects can create VM instances in the shared VPC network's subnets. The organization's network and security admins can create subnets, VPNs, and firewall rules usable by all the projects in the VPC network.

The table below explains the IAM roles that need to be granted to the security and admin team and the development team, as well as the resource level at which the roles are granted.

Resource: Organization
Roles: Shared VPC Admin, Network Admin, Security Admin
Principal: Security & network admin team

Resource: Host project
Role: Network User (this role grants permission to use the subnets that the shared VPC shares)
Principal: Developers

Resource: Service project
Role: compute.instanceAdmin (this role also allows the principal to assign external IP addresses to instances; see the note below for how to prevent that)
Principal: Developers

Note: If you need to prevent principals from associating external IP addresses with instances in a project, you can apply an organization policy. Organization administrators can override this policy when necessary.
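The organization policy referred to in the note above is the list constraint constraints/compute.vmExternalIpAccess, whose values are VM instance resource names. The following Python is an added example, not code from this page or from Google Cloud: it models how that constraint is evaluated for a given instance, including the project-level override an organization administrator might grant. The inheritance rules it implements (inheritFromParent, allValues, and an explicit deny beating an allow) are a simplified model and an assumption, as are the project, zone and instance names.

```python
"""Evaluate constraints/compute.vmExternalIpAccess for one VM instance.

Added example, not Google's code. Simplified model of how list-constraint
policies combine down the hierarchy (assumption): walk from the organization
to the project; a policy with inheritFromParent false discards everything
above it; allValues ALLOW/DENY replaces the value lists; otherwise allowed and
denied values accumulate, and a denied value always beats an allowed one.
"""
from dataclasses import dataclass, field
from typing import Optional

CONSTRAINT = "constraints/compute.vmExternalIpAccess"


@dataclass
class ListPolicy:
    all_values: Optional[str] = None          # "ALLOW", "DENY" or None
    allowed_values: set = field(default_factory=set)
    denied_values: set = field(default_factory=set)
    inherit_from_parent: bool = True


def effective_policy(chain):
    """chain: policies from the organization down to the project, one per
    level that sets the constraint. Returns the policy in force at the end."""
    eff = ListPolicy()
    for p in chain:
        if not p.inherit_from_parent:
            eff = ListPolicy()                  # this level replaces its parents
        if p.all_values is not None:
            eff.all_values = p.all_values       # ALLOW/DENY wipes explicit lists
            eff.allowed_values, eff.denied_values = set(), set()
        else:
            eff.allowed_values |= p.allowed_values
            eff.denied_values |= p.denied_values
    return eff


def external_ip_allowed(chain, instance):
    """instance: 'projects/PROJECT/zones/ZONE/instances/NAME'."""
    eff = effective_policy(chain)
    if eff.all_values == "DENY":
        return False
    if instance in eff.denied_values:           # explicit deny wins over any allow
        return False
    if eff.all_values == "ALLOW":
        return True
    return instance in eff.allowed_values


def to_api_dict(p):
    """Render in the v1 Organization Policy shape that
    `gcloud resource-manager org-policies set-policy` accepts."""
    lp = {}
    if p.all_values is not None:
        lp["allValues"] = p.all_values
    if p.allowed_values:
        lp["allowedValues"] = sorted(p.allowed_values)
    if p.denied_values:
        lp["deniedValues"] = sorted(p.denied_values)
    if not p.inherit_from_parent:
        lp["inheritFromParent"] = False
    return {"constraint": CONSTRAINT, "listPolicy": lp}


# Constructed scenario: the organization denies external IPs everywhere, then
# an organization administrator carves out one instance in one service project.
ORG_DENY_ALL = ListPolicy(all_values="DENY")
VM_A = "projects/svc-proj-01/zones/us-central1-a/instances/bastion-01"   # assumed
VM_B = "projects/svc-proj-01/zones/us-central1-a/instances/web-01"       # assumed
PROJECT_EXCEPTION = ListPolicy(allowed_values={VM_A}, inherit_from_parent=False)


def demo():
    """(inherited deny for VM_A, override result for VM_A, override result for VM_B)."""
    inherited = external_ip_allowed([ORG_DENY_ALL], VM_A)
    overridden_a = external_ip_allowed([ORG_DENY_ALL, PROJECT_EXCEPTION], VM_A)
    overridden_b = external_ip_allowed([ORG_DENY_ALL, PROJECT_EXCEPTION], VM_B)
    return inherited, overridden_a, overridden_b


if __name__ == "__main__":
    import json
    print(json.dumps(to_api_dict(ORG_DENY_ALL), indent=2))
    print(json.dumps(to_api_dict(PROJECT_EXCEPTION), indent=2))
    print(demo())
```

Applying the organization-wide deny is what removes the external-IP capability that compute.instanceAdmin would otherwise confer in the service projects; the override policy with inheritFromParent false is the escape hatch the note describes, and it needs to be set by someone who can edit organization policies on that project, which developers in this scenario cannot.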

For this scenario you need three separate allow policies: one for the organization, one for the host project, and one for the service projects.

The first allow policy, which needs to be attached at the organization level, grants the network and security team the roles they need to administer shared VPC host projects. This includes the ability to associate service projects with the host project. It also grants the network and security team the ability to manage all network and security resources in all projects in the organization.

{
  "bindings": [
    {
      "role": "roles/compute.xpnAdmin",
      "members": ["group:sec-net@example.com"]
    },
    {
      "role": "roles/compute.networkAdmin",
      "members": ["group:sec-net@example.com"]
    },
    {
      "role": "roles/compute.securityAdmin",
      "members": ["group:sec-net@example.com"]
    }
  ]
}

The second allow policy needs to be associated with the host project and gives the developers in the organization the ability to use the shared networks in the shared VPC host project.

{
  "bindings": [
    {
      "role": "roles/compute.networkUser",
      "members": ["group:developers@example.com"]
    }
  ]
}

The third allow policy needs to be associated with each service project. This gives the developers using the project the ability to manage instances in the service project and to use the shared subnets in the host project.

You could place all service projects in a folder and set this particular allow policy at that level of the hierarchy. All projects created in that folder would then inherit the permissions set on the folder.

Note: If you use folders, place all host and service projects for a given shared VPC setup within the same folder. The folder that contains the host project should be an ancestor of the service projects, so that it contains all the projects in the shared VPC setup.

You also need to grant the developers the Network User role in the service project.

{
  "bindings": [
    {
      "role": "roles/compute.networkUser",
      "members": ["group:developers@example.com"]
    },
    {
      "role": "roles/compute.instanceAdmin",
      "members": ["group:developers@example.com"]
    }
  ]
}

The best practice is to use groups to manage principals. In the example above, you would add the user IDs of the users who manage the security & network controls to the sec-net group, and developers to the developers group. When you need to change who is able to carry out a function, you only need to adjust the group membership, with no need to update the allow policy.
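To show how the three policies above are produced and kept consistent with this groups-only practice, here is an added Python example (not code from this page or from Google Cloud). It builds the organization, host-project and service-project policies from the two groups, merging bindings the way gcloud's add-iam-policy-binding does, and lints the result for individual users or public principals. The service project IDs and the sample etag are assumptions; the group addresses are the page's own.

```python
"""Compose and lint the three allow policies of the single-team scenario.

Added example, not Google's code. add_binding/remove_binding reproduce the
merge semantics of `gcloud ... add-iam-policy-binding` and
`remove-iam-policy-binding`: one binding per role, a member appears at most
once, and unrelated keys (notably the `etag` returned by get-iam-policy, which
set-iam-policy uses for optimistic concurrency) are carried through untouched.
"""
import json

SEC_NET = "group:sec-net@example.com"
DEVS = "group:developers@example.com"

ORG_ROLES = ("roles/compute.xpnAdmin", "roles/compute.networkAdmin",
             "roles/compute.securityAdmin")
SERVICE_PROJECT_ROLES = ("roles/compute.networkUser", "roles/compute.instanceAdmin")


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` in the binding for `role`."""
    bindings = [dict(b, members=list(b["members"])) for b in policy.get("bindings", [])]
    for b in bindings:
        if b["role"] == role:
            if member not in b["members"]:      # idempotent: no duplicate members
                b["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return {**policy, "bindings": bindings}


def remove_binding(policy, role, member):
    """Return a copy with `member` dropped from `role`; empty bindings vanish."""
    bindings = []
    for b in policy.get("bindings", []):
        members = [m for m in b["members"] if not (b["role"] == role and m == member)]
        if members:
            bindings.append(dict(b, members=members))
    return {**policy, "bindings": bindings}


def lint(policy):
    """Findings that violate the page's guidance: bind groups, not people,
    and never grant these roles to the public."""
    findings = []
    for b in policy.get("bindings", []):
        for m in b["members"]:
            if m in ("allUsers", "allAuthenticatedUsers"):
                findings.append(f"{b['role']}: public principal {m}")
            elif m.startswith("user:"):
                findings.append(f"{b['role']}: individual user {m}, bind a group instead")
    return findings


def scenario_one_policies(service_projects):
    """Return {resource: policy} for the organization, the host project and
    each service project, laid out as the page describes."""
    org = {}
    for role in ORG_ROLES:
        org = add_binding(org, role, SEC_NET)
    host = add_binding({}, "roles/compute.networkUser", DEVS)
    service = {}
    for role in SERVICE_PROJECT_ROLES:
        service = add_binding(service, role, DEVS)
    policies = {"organization": org, "host-project": host}
    for project in service_projects:            # project IDs are assumed
        policies[project] = service
    return policies


if __name__ == "__main__":
    for resource, policy in scenario_one_policies(["svc-proj-01", "svc-proj-02"]).items():
        # Each policy would be written to a file and applied with
        # `gcloud organizations set-iam-policy ORG_ID FILE` or
        # `gcloud projects set-iam-policy PROJECT_ID FILE`.
        print(resource, json.dumps(policy, indent=2), lint(policy))
```

Running lint over every policy before set-iam-policy is the cheap check that catches a user: or allUsers binding slipping into a network or security role; because add_binding never drops keys it does not know about, a policy read with get-iam-policy can be edited and written back without losing its etag.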

Separate network & security teams

In this scenario, a large organization has two central teams: one that manages security controls, and another that manages all other networking resources for the entire organization. Developers do not have permissions to make changes to any network or security settings defined by the security and networking teams, but they are granted permission to create resources such as virtual machines in shared subnets.

As with the first scenario, a shared VPC will be used and the appropriate permissions configured for the three groups: network, security, and developers.

The table below explains the IAM roles that need to be granted to the network team, the security team, and the development team, as well as the resource level at which the roles are granted.

Resource: Organization
Roles: Shared VPC Admin, Network Admin
Principal: Network admin team

Resource: Organization
Roles: Security Admin, Organization Admin
Principal: Security team

Resource: Host project
Role: Network User (this role grants permission to use the subnets that the shared VPC shares)
Principal: Developers

Resource: Service project
Role: compute.instanceAdmin (this role also allows the principal to assign external IP addresses to instances; see the note below for how to prevent that)
Principal: Developers

Note: If you need to prevent principals from associating external IP addresses with instances in a project, you can apply an organization policy. Organization administrators can override this policy when necessary.

For this scenario you need three separate allow policies: one for the organization, one for the host project, and one for the service projects.

The first allow policy, which needs to be attached at the organization level, grants the network team the roles they need to administer shared VPC host projects and to manage all network resources. This includes the ability to associate service projects with the host project. The Network Admin role also grants the network team the ability to view, but not modify, firewall rules. The same policy grants the security team the ability to set allow policies and to manage firewall rules and SSL certificates in all projects in the organization.

{
  "bindings": [
    {
      "role": "roles/compute.xpnAdmin",
      "members": ["group:networks@example.com"]
    },
    {
      "role": "roles/compute.networkAdmin",
      "members": ["group:networks@example.com"]
    },
    {
      "role": "roles/compute.securityAdmin",
      "members": ["group:security@example.com"]
    },
    {
      "role": "roles/resourcemanager.organizationAdmin",
      "members": ["group:security@example.com"]
    }
  ]
}

The second allow policy needs to be associated with the host project. This allow policy enables the developers in the organization to use the shared networks in the shared VPC host project.

{
  "bindings": [
    {
      "role": "roles/compute.networkUser",
      "members": ["group:developers@example.com"]
    }
  ]
}

The third allow policy needs to be associated with each service project. This gives the developers using the project the ability to manage instances in the service project and to use the shared subnets in the host project.

You could place all service projects in a folder and set this particular allow policy at that level of the hierarchy. All projects created in that folder would then inherit the permissions set on the folder.

Note: You also need to grant the developers the Network User role in the service project.

{
  "bindings": [
    {
      "role": "roles/compute.networkUser",
      "members": ["group:developers@example.com"]
    },
    {
      "role": "roles/compute.instanceAdmin",
      "members": ["group:developers@example.com"]
    }
  ]
}

Each team can manage its own network

A digital-native company wants to give its development teams the ability to work autonomously. It has no central IT admin teams and trusts its teams to manage all aspects of their projects.

Despite this, it also wants to put in place some loose controls so that it can adopt a more formal setup as it grows and its product goes GA.

To implement this scenario, each team of developers is assigned its own folder. This structure ensures that individual projects created under the folder inherit the appropriate permissions, while allowing each team to work independently. Each team should still follow the principle of least privilege when it sets allow policies for its own resources.

Even though the same team members will initially manage both the network resources and the other resources in the projects, creating separate groups for the logical duties is best practice.

This makes it easier to limit access to only those resources that temporary staff need, or that new staff need before they have been trained to modify network resources. It also allows changing who has access to which resources without having to modify the allow policy every time a personnel change occurs.

Resource: Folder
Roles: Project Creator, Folder Admin
Principals: Dev team leads, service account (a service account can be used to create and own projects)

Note: Refer to IAM roles for billing-related job functions for the IAM settings that allow a service account or user to associate a project with a billing account.

Resource: Folder
Roles: Network Admin, Security Admin
Principal: Network & security team

Resource: Folder
Roles: Instance Admin, BigQuery Admin (these roles allow the developers to manage all aspects of Compute Engine and BigQuery)
Principal: Developers

This requires an allow policy bound at each team's allocated folder.

{
  "bindings": [
    {
      "role": "roles/resourcemanager.foldersAdmin",
      "members": [
        "group:devteamleads01@example.com",
        "serviceAccount:dev01-project-creator@shared-resources-proj.iam.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/resourcemanager.projectCreator",
      "members": [
        "group:devteamleads01@example.com",
        "serviceAccount:dev01-project-creator@shared-resources-proj.iam.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/compute.securityAdmin",
      "members": ["group:net-sec-dev01@example.com"]
    },
    {
      "role": "roles/compute.networkAdmin",
      "members": ["group:net-sec-dev01@example.com"]
    },
    {
      "role": "roles/compute.instanceAdmin",
      "members": ["group:dev01@example.com"]
    },
    {
      "role": "roles/bigquery.admin",
      "members": ["group:dev01@example.com"]
    }
  ]
}
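Both the separate-teams scenario and this per-team-folder scenario depend on inheritance down the hierarchy: roles granted at the organization reach every folder, while roles granted in a team's folder reach only that team's projects. The following added Python example (not code from this page or from Google Cloud) resolves the roles a group effectively holds on a project and checks two boundaries a reviewer would want confirmed before applying the policies: that no single group holds both Network Admin and Security Admin at the organization, and that one team's groups hold nothing in another team's folder. The organization ID, the folder and project IDs, and the second team's groups are assumptions; the policies are the organization policy from the separate-teams scenario and the folder policy above, parameterised by team.

```python
"""Resolve effective roles through the resource hierarchy and check team
boundaries for the separate-teams and per-team-folder scenarios.

Added example, not Google's code. Assumptions: allow policies only (no IAM
deny policies, no IAM conditions) and plain inheritance, i.e. a role granted on
a node is held on every descendant. All resource IDs are constructed.
"""

ORG = "organizations/123456789012"              # assumed organization ID

# child -> parent; None marks the root (constructed hierarchy)
PARENT = {
    ORG: None,
    "folders/dev01": ORG,
    "folders/dev02": ORG,
    "projects/dev01-app": "folders/dev01",
    "projects/dev02-app": "folders/dev02",
}


def team_folder_policy(n):
    """The per-team folder policy from the page, parameterised by team number."""
    leads = f"group:devteamleads{n}@example.com"
    creator = (f"serviceAccount:dev{n}-project-creator"
               "@shared-resources-proj.iam.gserviceaccount.com")
    net_sec = f"group:net-sec-dev{n}@example.com"
    devs = f"group:dev{n}@example.com"
    return {"bindings": [
        {"role": "roles/resourcemanager.foldersAdmin", "members": [leads, creator]},
        {"role": "roles/resourcemanager.projectCreator", "members": [leads, creator]},
        {"role": "roles/compute.securityAdmin", "members": [net_sec]},
        {"role": "roles/compute.networkAdmin", "members": [net_sec]},
        {"role": "roles/compute.instanceAdmin", "members": [devs]},
        {"role": "roles/bigquery.admin", "members": [devs]},
    ]}


POLICIES = {
    # separate-teams scenario: network and security duties split at the organization
    ORG: {"bindings": [
        {"role": "roles/compute.xpnAdmin", "members": ["group:networks@example.com"]},
        {"role": "roles/compute.networkAdmin", "members": ["group:networks@example.com"]},
        {"role": "roles/compute.securityAdmin", "members": ["group:security@example.com"]},
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:security@example.com"]},
    ]},
    # per-team-folder scenario: one folder per team (team 02 is assumed)
    "folders/dev01": team_folder_policy("01"),
    "folders/dev02": team_folder_policy("02"),
}


def ancestry(resource):
    """The resource itself, then each ancestor up to the organization."""
    node = resource
    while node is not None:
        yield node
        node = PARENT[node]


def effective_roles(resource, principal):
    """{role: node that granted it} for `principal` on `resource`, inherited
    grants included; the nearest grant is the one recorded."""
    granted = {}
    for node in ancestry(resource):
        for b in POLICIES.get(node, {}).get("bindings", []):
            if principal in b["members"]:
                granted.setdefault(b["role"], node)
    return granted


def holders(resource, role):
    """Every principal that holds `role` on `resource`, directly or inherited."""
    out = set()
    for node in ancestry(resource):
        for b in POLICIES.get(node, {}).get("bindings", []):
            if b["role"] == role:
                out.update(b["members"])
    return out


def separation_violations(resource, role_a, role_b):
    """Principals holding both roles on `resource`; an empty set is what the
    separate-teams scenario expects at the organization."""
    return holders(resource, role_a) & holders(resource, role_b)


def demo():
    """The boundary checks described in the lead-in."""
    return {
        "org_sod": separation_violations(
            ORG, "roles/compute.networkAdmin", "roles/compute.securityAdmin"),
        "dev01_in_own_project": effective_roles("projects/dev01-app", "group:dev01@example.com"),
        "dev01_in_other_team": effective_roles("projects/dev02-app", "group:dev01@example.com"),
        "security_in_dev01": effective_roles("projects/dev01-app", "group:security@example.com"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that inside a team's own folder the net-sec-dev01 group does hold both Network Admin and Security Admin, which is exactly what this scenario intends; the separation check is meaningful at the organization, where the separate-teams scenario requires the two duties to stay apart, and the same function run against projects/dev01-app reports that group as expected.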

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.