Get predefined role suggestions with Gemini assistance

Preview

This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

This page describes how you can find and grant the least permissive Identity and Access Management (IAM) predefined roles to your principals with Gemini assistance.

The IAM role picker lets you ask Gemini which roles you should grant to your principals. Typically, to find the right predefined roles to grant, you would need to search through the IAM roles and permissions index or the Roles page in the Google Cloud console. With the IAM role picker, you can describe the actions you want the principal to perform and the resources that they need to perform them on. Based on your input, Gemini suggests the least permissive predefined roles that it considers appropriate.

Gemini can suggest predefined roles for individual principals. If Gemini suggests granting a role at the project level, then you can use the IAM role picker to grant that role.

You can't use the IAM role picker to get suggestions for the following things:

  • Custom roles
  • Roles for multiple principals (with a single prompt)

Note: Gemini can't suggest custom roles through the IAM role picker, but you can still get custom role suggestions from Gemini by using the Gemini Cloud Assist chat panel. For instructions, see Use Gemini Cloud Assist in the Google Cloud console in the Gemini Cloud Assist documentation.

Learn how and when Gemini for Google Cloud uses your data.

Required Roles

To get the permissions that you need to use the IAM role picker, ask your administrator to grant you the Project IAM Admin (roles/resourcemanager.projectIamAdmin) IAM role on the project. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the permissions required to use the IAM role picker. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to use the IAM role picker:

  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy

You might also be able to get these permissions with custom roles or other predefined roles.

Get role suggestions with Gemini assistance

As an early-stage technology, Gemini for Google Cloud products can generate output that seems plausible but is factually incorrect. We recommend that you validate all output from Gemini for Google Cloud products before you use it. For more information, see Gemini for Google Cloud and responsible AI.

To get role suggestions from Gemini, you can access the IAM role picker on pages in the Google Cloud console that let you grant access at the project level. For example, the IAM role picker is available on the following pages:

  • The IAM page
  • The Service Accounts page
  • The Google Cloud console Dashboard page

The following procedure uses the IAM page as the primary entry point.

  1. In the Google Cloud console, go to the IAM page.

  2. Select a project.

  3. Select a principal to get role suggestions for.

  4. To open the IAM role picker dialog, click Help me choose roles.

  5. In your own words, describe the action you want the principal to perform and the resource in the project that they need to perform it on.

  6. Click Suggest roles. Based on your input, Gemini suggests the least permissive predefined roles that it considers appropriate.

    To get more information about the roles and why Gemini suggested them, click Show reasoning. We also recommend using the roles and permissions reference to validate Gemini's suggested roles before granting them to the principal.

  7. Optional: If Gemini doesn't suggest the right roles, you can refine your prompt.

    1. To modify your prompt, click Edit.
    2. Edit the description and then click Update. Gemini updates its role suggestions based on the new description.

  8. To accept the suggestions, click Add roles.

  9. Optional: Add a condition to the role.

  10. Click Save. The principal is granted the role on the resource.

You can grant project-level roles suggested by Gemini directly from the IAM role picker. For organization-, folder-, or resource-level role suggestions, note the suggested roles and grant them to the principal at the appropriate level using the typical process in the Google Cloud console. For more information about granting roles, see Manage access to projects, folders, and organizations.

If you don't have the permissions to grant the roles at the organization,folder, or resource levels, contact your administrator.

Sample use cases

The following table illustrates some example use cases where Gemini can help you identify the least permissive roles for your principals.

Use case: Identifying least-permissive roles necessary to perform a specific task
Prompt examples:
  • "What role is required to create, start, and stop VMs?"
  • "What are the least-privileged IAM roles required to create IAM policies?"
  • "I need to allow a user to create and manage BigQuery datasets and tables. What role should I assign?"
  • "I need to grant a service account access to invoke Cloud Run functions. What's the minimal role required?"
  • "Which role allows a service account to read data from Cloud Storage but not write or delete objects?"

Use case: Identifying least-permissive roles necessary to run Google Cloud CLI commands
Prompt examples:
  • "What IAM role is required to run the following command: gcloud compute instances create instance-1 --zone=us-central1-a"
  • "I would like to identify the necessary roles for a service account to execute the following command: gcloud datastore instances describe"

Use case: Identifying roles for a task that includes transitive dependencies
Prompt example:
  • "I need to configure a Compute Engine instance to automatically scale based on CPU utilization. Which IAM role(s) should be granted to the service account used by the instance autoscaler?"

Use case: Identifying roles for a task that might require a combination of multiple granular roles
Prompt example:
  • "Provide users access only to a particular dataset. We don't want to share the access to all datasets, and we only allow users to access a particular dataset within BigQuery. They shouldn't be able to create new datasets or delete it."
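Step 6 of the procedure recommends validating Gemini's suggested roles against the roles and permissions reference, and the last use case above is one where a single predefined role may be broader than a combination of granular roles. The script below is an added example, not part of this page or of the IAM role picker: it assumes a role catalogue exported with `gcloud iam roles describe ROLE --format=json` (whose output carries an `includedPermissions` list) and embeds a constructed, abbreviated sample in that shape; the permission lists are illustrative subsets, not the real role definitions. Given the permissions a task needs, it ranks single roles by how many permissions beyond the task they carry, reports what a suggested role is missing, and searches for the combination of roles with the fewest extra permissions.

```python
import itertools
import json
from typing import Dict, List, Set, Tuple

# Constructed sample catalogue in the shape of
# `gcloud iam roles describe ROLE --format=json` output. The permission
# lists are abbreviated, illustrative subsets, NOT the real, complete role
# definitions; regenerate them from gcloud before relying on a result.
SAMPLE_CATALOG_JSON = """
[
  {"name": "roles/compute.viewer",
   "includedPermissions": ["compute.instances.get", "compute.instances.list",
                           "compute.zones.list"]},
  {"name": "roles/compute.instanceAdmin.v1",
   "includedPermissions": ["compute.instances.get", "compute.instances.list",
                           "compute.zones.list", "compute.instances.start",
                           "compute.instances.stop", "compute.instances.create",
                           "compute.instances.delete", "compute.disks.create"]},
  {"name": "roles/storage.objectViewer",
   "includedPermissions": ["storage.objects.get", "storage.objects.list"]},
  {"name": "roles/storage.objectCreator",
   "includedPermissions": ["storage.objects.create"]},
  {"name": "roles/storage.objectUser",
   "includedPermissions": ["storage.objects.get", "storage.objects.list",
                           "storage.objects.create", "storage.objects.delete",
                           "storage.objects.update"]},
  {"name": "roles/editor",
   "includedPermissions": ["compute.instances.get", "compute.instances.list",
                           "compute.zones.list", "compute.instances.start",
                           "compute.instances.stop", "compute.instances.create",
                           "compute.instances.delete", "compute.disks.create",
                           "storage.objects.get", "storage.objects.list",
                           "storage.objects.create", "storage.objects.delete",
                           "bigquery.datasets.create"]}
]
"""


def load_catalog(raw_json: str) -> Dict[str, Set[str]]:
    """Map role name -> set of permissions from a list of role descriptions."""
    return {role["name"]: set(role["includedPermissions"])
            for role in json.loads(raw_json)}


def rank_single_roles(required: Set[str],
                      catalog: Dict[str, Set[str]]) -> List[Tuple[str, int]]:
    """Roles that grant every required permission, fewest extra permissions
    first. An empty list means no single role in the catalogue covers the task."""
    covering = [(role, len(perms - required))
                for role, perms in catalog.items() if required <= perms]
    return sorted(covering, key=lambda item: (item[1], item[0]))


def missing_permissions(required: Set[str], role: str,
                        catalog: Dict[str, Set[str]]) -> Set[str]:
    """Required permissions a suggested role does NOT grant (empty = full cover)."""
    return required - catalog[role]


def least_permissive_combination(required: Set[str],
                                 catalog: Dict[str, Set[str]],
                                 max_roles: int = 3) -> List[str]:
    """Exhaustively search combinations of up to max_roles roles and return the
    one whose union covers the task with the fewest extra permissions, ties
    broken by fewer roles. Raises ValueError if nothing covers the task."""
    best = None
    for size in range(1, max_roles + 1):
        for combo in itertools.combinations(sorted(catalog), size):
            granted = set().union(*(catalog[r] for r in combo))
            if not required <= granted:
                continue
            score = (len(granted - required), size, combo)
            if best is None or score < best:
                best = score
    if best is None:
        raise ValueError(f"no combination of <= {max_roles} roles grants "
                         f"{sorted(required)}")
    return list(best[2])


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_CATALOG_JSON)
    # Constructed assumption of what "create, start, and stop VMs" needs.
    vm_task = {"compute.instances.create", "compute.instances.start",
               "compute.instances.stop", "compute.instances.get"}
    print("VM task, single roles:", rank_single_roles(vm_task, catalog))
    # "Read data from Cloud Storage but not write or delete objects."
    read_only = {"storage.objects.get", "storage.objects.list"}
    print("Read-only task:", rank_single_roles(read_only, catalog))
    print("objectCreator alone misses:",
          missing_permissions(read_only, "roles/storage.objectCreator", catalog))
    # Combination case: read objects and also upload new ones.
    read_write = {"storage.objects.get", "storage.objects.list",
                  "storage.objects.create"}
    print("Least-permissive combination:",
          least_permissive_combination(read_write, catalog))
```

The exhaustive search is deliberate: a greedy cover that grabs the role adding the most missing permissions first would pick a broad role over two narrow ones with no extras, which is the opposite of least privilege. With a real catalogue of hundreds of roles, pre-filter to roles that grant at least one required permission before searching, and keep `max_roles` small.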

Best practices

To help Gemini provide the most accurate suggestions for your use case, we recommend that you adhere to the following best practices when drafting your prompt.

  • Clearly describe your use case. Avoid using vague language in your prompts. Be as clear as possible about what actions you want the principal to perform on which services and resource types.

    Do: "What role is required to execute SQL queries on a BigQuery table and read the data from it?"
    Don't: "What role is required to execute SQL statements?"
    Details: SQL is a generic language used across multiple Google Cloud services. Without specifying the service or actions, Gemini can't suggest a precise role.

    Do: "I need roles to start, stop, and reboot Compute Engine virtual machine instances."
    Don't: "I need to manage my virtual machines."
    Details: The term manage is too vague. Manage could mean creating, deleting, updating, or viewing VMs. Clearly listing the specific actions to be performed (start, stop, reboot) and the exact resource type (Compute Engine virtual machine instances) yields more accurate suggestions.

    Do: "I need to upload and download objects from a Cloud Storage bucket named example-bucket."
    Don't: "Give me access to storage."
    Details: The term Storage alone could refer to various services like Cloud Storage, Filestore, or Persistent Disk. In addition, there are no actions specified. Without specifying the service (Cloud Storage), the resource type name (example-bucket), or the actions (upload and download objects), Gemini doesn't have enough information to suggest the right roles.

  • Use official names. Use the official names of Google Cloud services, resource types, and API operations in your prompt. If you are unsure about the official names of services, resource types, or API operations, we recommend consulting the official product documentation.

    Do: "What role do I need to update BigQuery datasets?"
    Don't: "What role do I need to update Big query datasets?"
    Details: BigQuery is the official name of the product, not Big query.

    Do: "What role is required to create a Cloud Storage bucket in my project?"
    Don't: "What role is required to create a Storage bucket in my project?"
    Details: Storage bucket could refer to different resource types from services like Cloud Storage, Filestore, or Persistent Disk. Specifying the product name and the associated resource type will yield more accurate suggestions.

Troubleshooting

This section describes resolutions for common issues with the IAM role picker.

Gemini suggests roles that you can't grant at the project level

Gemini can suggest roles at all resource levels; however, you can only use the IAM role picker to grant the project-level roles that are suggested. When Gemini suggests organization-, folder-, or resource-level roles, the IAM role picker indicates that there are suggested roles that can't be granted, and the Add roles button is disabled.

When this occurs, you can copy the suggested roles and grant them to the principal at the appropriate level using the typical process in the Google Cloud console. For more information on granting roles, see Manage access to projects, folders, and organizations.

If you don't have the permissions to grant the roles at the organization,folder, or resource levels, contact your administrator.

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.