Binary Authorization roles and permissions

This page lists the IAM roles and permissions for Binary Authorization. Tosearch through all roles and permissions, see therole andpermission index.

Binary Authorization roles

Role Permissions

Role	Permissions
Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Administrator of Binary Authorization Attestors	`binaryauthorization.attestors.*` `binaryauthorization.attestors.create` `binaryauthorization.attestors.delete` `binaryauthorization.attestors.get` `binaryauthorization.attestors.getIamPolicy` `binaryauthorization.attestors.list` `binaryauthorization.attestors.setIamPolicy` `binaryauthorization.attestors.update` `binaryauthorization.attestors.verifyImageAttested` `resourcemanager.projects.get` `resourcemanager.projects.list`
Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Editor of Binary Authorization Attestors	`binaryauthorization.attestors.create` `binaryauthorization.attestors.delete` `binaryauthorization.attestors.get` `binaryauthorization.attestors.list` `binaryauthorization.attestors.update` `binaryauthorization.attestors.verifyImageAttested` `resourcemanager.projects.get` `resourcemanager.projects.list`
Binary Authorization Attestor Image Verifier (`roles/binaryauthorization.attestorsVerifier`) Caller of Binary Authorization Attestors VerifyImageAttested	`binaryauthorization.attestors.get` `binaryauthorization.attestors.list` `binaryauthorization.attestors.verifyImageAttested` `resourcemanager.projects.get` `resourcemanager.projects.list`
Binary Authorization Attestor Viewer (`roles/binaryauthorization.attestorsViewer`) Viewer of Binary Authorization Attestors	`binaryauthorization.attestors.get` `binaryauthorization.attestors.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Administrator of Binary Authorization Policy	`binaryauthorization.continuousValidationConfig.` `binaryauthorization.continuousValidationConfig.get` `binaryauthorization.continuousValidationConfig.getIamPolicy` `binaryauthorization.continuousValidationConfig.setIamPolicy` `binaryauthorization.continuousValidationConfig.update` `binaryauthorization.platformPolicies.` `binaryauthorization.platformPolicies.create` `binaryauthorization.platformPolicies.delete` `binaryauthorization.platformPolicies.evaluatePolicy` `binaryauthorization.platformPolicies.get` `binaryauthorization.platformPolicies.list` `binaryauthorization.platformPolicies.replace` `binaryauthorization.policy.*` `binaryauthorization.policy.evaluatePolicy` `binaryauthorization.policy.get` `binaryauthorization.policy.getIamPolicy` `binaryauthorization.policy.setIamPolicy` `binaryauthorization.policy.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Editor of Binary Authorization Policy	`binaryauthorization.continuousValidationConfig.get` `binaryauthorization.continuousValidationConfig.update` `binaryauthorization.platformPolicies.*` `binaryauthorization.platformPolicies.create` `binaryauthorization.platformPolicies.delete` `binaryauthorization.platformPolicies.evaluatePolicy` `binaryauthorization.platformPolicies.get` `binaryauthorization.platformPolicies.list` `binaryauthorization.platformPolicies.replace` `binaryauthorization.policy.evaluatePolicy` `binaryauthorization.policy.get` `binaryauthorization.policy.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Binary Authorization Policy Evaluator (`roles/binaryauthorization.policyEvaluator`) Evaluator of Binary Authorization Policy	`binaryauthorization.platformPolicies.evaluatePolicy` `binaryauthorization.platformPolicies.get` `binaryauthorization.platformPolicies.list` `binaryauthorization.policy.evaluatePolicy` `binaryauthorization.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Binary Authorization Policy Viewer (`roles/binaryauthorization.policyViewer`) Viewer of Binary Authorization Policy	`binaryauthorization.continuousValidationConfig.get` `binaryauthorization.platformPolicies.get` `binaryauthorization.platformPolicies.list` `binaryauthorization.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Binary Authorization Service Agent (`roles/binaryauthorization.serviceAgent`) Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures. Warning: Do not grant service agent roles to any principals except service agents.	`artifactregistry.dockerimages.get` `artifactregistry.repositories.downloadArtifacts` `binaryauthorization.attestors.get` `binaryauthorization.attestors.list` `binaryauthorization.attestors.verifyImageAttested` `binaryauthorization.platformPolicies.evaluatePolicy` `binaryauthorization.policy.evaluatePolicy` `cloudasset.assets.exportResource` `cloudasset.feeds.create` `cloudasset.feeds.delete` `cloudasset.feeds.get` `cloudasset.feeds.update` `containeranalysis.notes.get` `containeranalysis.notes.list` `containeranalysis.notes.listOccurrences` `containeranalysis.occurrences.get` `containeranalysis.occurrences.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.objects.list`

Binary Authorization Attestor Admin

(roles/binaryauthorization.attestorsAdmin)

Administrator of Binary Authorization Attestors

binaryauthorization.attestors.*

binaryauthorization.attestors.create
binaryauthorization.attestors.delete
binaryauthorization.attestors.get
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.attestors.setIamPolicy
binaryauthorization.attestors.update
binaryauthorization.attestors.verifyImageAttested

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Attestor Editor

(roles/binaryauthorization.attestorsEditor)

Editor of Binary Authorization Attestors

binaryauthorization.attestors.create

binaryauthorization.attestors.delete

binaryauthorization.attestors.get

binaryauthorization.attestors.list

binaryauthorization.attestors.update

binaryauthorization.attestors.verifyImageAttested

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Attestor Image Verifier

(roles/binaryauthorization.attestorsVerifier)

Caller of Binary Authorization Attestors VerifyImageAttested

binaryauthorization.attestors.get

binaryauthorization.attestors.list

binaryauthorization.attestors.verifyImageAttested

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Attestor Viewer

(roles/binaryauthorization.attestorsViewer)

Viewer of Binary Authorization Attestors

binaryauthorization.attestors.get

binaryauthorization.attestors.list

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Policy Administrator

(roles/binaryauthorization.policyAdmin)

Administrator of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.*

binaryauthorization.continuousValidationConfig.get
binaryauthorization.continuousValidationConfig.getIamPolicy
binaryauthorization.continuousValidationConfig.setIamPolicy
binaryauthorization.continuousValidationConfig.update

binaryauthorization.platformPolicies.*

binaryauthorization.platformPolicies.create
binaryauthorization.platformPolicies.delete
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.platformPolicies.replace

binaryauthorization.policy.*

binaryauthorization.policy.evaluatePolicy
binaryauthorization.policy.get
binaryauthorization.policy.getIamPolicy
binaryauthorization.policy.setIamPolicy
binaryauthorization.policy.update

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Policy Editor

(roles/binaryauthorization.policyEditor)

Editor of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.get

binaryauthorization.continuousValidationConfig.update

binaryauthorization.platformPolicies.*

binaryauthorization.platformPolicies.create
binaryauthorization.platformPolicies.delete
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.platformPolicies.replace

binaryauthorization.policy.evaluatePolicy

binaryauthorization.policy.get

binaryauthorization.policy.update

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Policy Evaluator

(roles/binaryauthorization.policyEvaluator)

Evaluator of Binary Authorization Policy

binaryauthorization.platformPolicies.evaluatePolicy

binaryauthorization.platformPolicies.get

binaryauthorization.platformPolicies.list

binaryauthorization.policy.evaluatePolicy

binaryauthorization.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Policy Viewer

(roles/binaryauthorization.policyViewer)

Viewer of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.get

binaryauthorization.platformPolicies.get

binaryauthorization.platformPolicies.list

binaryauthorization.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Service Agent

(roles/binaryauthorization.serviceAgent)

Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures.

Warning: Do not grant service agent roles to any principals except service agents.

artifactregistry.dockerimages.get

artifactregistry.repositories.downloadArtifacts

binaryauthorization.attestors.get

binaryauthorization.attestors.list

binaryauthorization.attestors.verifyImageAttested

binaryauthorization.platformPolicies.evaluatePolicy

binaryauthorization.policy.evaluatePolicy

cloudasset.assets.exportResource

cloudasset.feeds.create

cloudasset.feeds.delete

cloudasset.feeds.get

cloudasset.feeds.update

containeranalysis.notes.get

containeranalysis.notes.list

containeranalysis.notes.listOccurrences

containeranalysis.occurrences.get

containeranalysis.occurrences.list

resourcemanager.projects.get

resourcemanager.projects.list

storage.objects.list

Binary Authorization permissions

Permission	Included in roles
`binaryauthorization.attestors.create`	Owner (`roles/owner`) Editor (`roles/editor`) Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`binaryauthorization.attestors.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`binaryauthorization.attestors.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Binary Authorization Attestor Image Verifier (`roles/binaryauthorization.attestorsVerifier`) Binary Authorization Attestor Viewer (`roles/binaryauthorization.attestorsViewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Binary Authorization Service Agent (`roles/binaryauthorization.serviceAgent`)
`binaryauthorization.attestors.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`binaryauthorization.attestors.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Binary Authorization Attestor Image Verifier (`roles/binaryauthorization.attestorsVerifier`) Binary Authorization Attestor Viewer (`roles/binaryauthorization.attestorsViewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Binary Authorization Service Agent (`roles/binaryauthorization.serviceAgent`)
`binaryauthorization.attestors.setIamPolicy`	Owner (`roles/owner`) Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Security Admin (`roles/iam.securityAdmin`)
`binaryauthorization.attestors.update`	Owner (`roles/owner`) Editor (`roles/editor`) Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`binaryauthorization.attestors.verifyImageAttested`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Binary Authorization Attestor Image Verifier (`roles/binaryauthorization.attestorsVerifier`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Binary Authorization Service Agent (`roles/binaryauthorization.serviceAgent`)
`binaryauthorization.continuousValidationConfig.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Binary Authorization Policy Viewer (`roles/binaryauthorization.policyViewer`) Dev Ops (`roles/iam.devOps`) Support User (`roles/iam.supportUser`)
`binaryauthorization.continuousValidationConfig.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`binaryauthorization.continuousValidationConfig.setIamPolicy`	Owner (`roles/owner`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`)
`binaryauthorization.continuousValidationConfig.update`	Owner (`roles/owner`) Editor (`roles/editor`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Dev Ops (`roles/iam.devOps`)
`binaryauthorization.platformPolicies.create`	Owner (`roles/owner`) Editor (`roles/editor`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Dev Ops (`roles/iam.devOps`)
`binaryauthorization.platformPolicies.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Dev Ops (`roles/iam.devOps`)
`binaryauthorization.platformPolicies.evaluatePolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Binary Authorization Policy Evaluator (`roles/binaryauthorization.policyEvaluator`) Dev Ops (`roles/iam.devOps`) Support User (`roles/iam.supportUser`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Multi-Cloud Container Service Agent (`roles/gkemulticloud.containerServiceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Binary Authorization Service Agent (`roles/binaryauthorization.serviceAgent`)
`binaryauthorization.platformPolicies.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Binary Authorization Policy Evaluator (`roles/binaryauthorization.policyEvaluator`) Binary Authorization Policy Viewer (`roles/binaryauthorization.policyViewer`) Dev Ops (`roles/iam.devOps`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Multi-Cloud Container Service Agent (`roles/gkemulticloud.containerServiceAgent`)
`binaryauthorization.platformPolicies.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Binary Authorization Policy Evaluator (`roles/binaryauthorization.policyEvaluator`) Binary Authorization Policy Viewer (`roles/binaryauthorization.policyViewer`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Multi-Cloud Container Service Agent (`roles/gkemulticloud.containerServiceAgent`)
`binaryauthorization.platformPolicies.replace`	Owner (`roles/owner`) Editor (`roles/editor`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Dev Ops (`roles/iam.devOps`)
`binaryauthorization.policy.evaluatePolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Binary Authorization Policy Evaluator (`roles/binaryauthorization.policyEvaluator`) Dev Ops (`roles/iam.devOps`) Support User (`roles/iam.supportUser`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Anthos Multi-Cloud Container Service Agent (`roles/gkemulticloud.containerServiceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Binary Authorization Service Agent (`roles/binaryauthorization.serviceAgent`)
`binaryauthorization.policy.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Binary Authorization Policy Evaluator (`roles/binaryauthorization.policyEvaluator`) Binary Authorization Policy Viewer (`roles/binaryauthorization.policyViewer`) Dev Ops (`roles/iam.devOps`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Health Analytics Service Agent (`roles/securitycenter.securityHealthAnalyticsServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) Anthos Multi-Cloud Container Service Agent (`roles/gkemulticloud.containerServiceAgent`)
`binaryauthorization.policy.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`binaryauthorization.policy.setIamPolicy`	Owner (`roles/owner`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`)
`binaryauthorization.policy.update`	Owner (`roles/owner`) Editor (`roles/editor`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Dev Ops (`roles/iam.devOps`)

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.

Movatterモバイル変換

Binary Authorization roles and permissions