Cloud Key Management Service roles and permissions

This page lists the IAM roles and permissions for Cloud Key Management Service. Tosearch through all roles and permissions, see therole andpermission index.

Cloud Key Management Service roles

Role Permissions

Role	Permissions
Cloud KMS Admin (`roles/cloudkms.admin`) Provides access to Cloud KMS resources, except for access to restricted resource types and cryptographic operations. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.autokeyConfigs.` `cloudkms.autokeyConfigs.get` `cloudkms.autokeyConfigs.update` `cloudkms.cryptoKeyVersions.create` `cloudkms.cryptoKeyVersions.destroy` `cloudkms.cryptoKeyVersions.get` `cloudkms.cryptoKeyVersions.list` `cloudkms.cryptoKeyVersions.restore` `cloudkms.cryptoKeyVersions.update` `cloudkms.cryptoKeyVersions.useToDecryptViaDelegation` `cloudkms.cryptoKeyVersions.useToEncryptViaDelegation` `cloudkms.cryptoKeys.` `cloudkms.cryptoKeys.create` `cloudkms.cryptoKeys.get` `cloudkms.cryptoKeys.getIamPolicy` `cloudkms.cryptoKeys.list` `cloudkms.cryptoKeys.setIamPolicy` `cloudkms.cryptoKeys.update` `cloudkms.ekmConfigs.` `cloudkms.ekmConfigs.get` `cloudkms.ekmConfigs.getIamPolicy` `cloudkms.ekmConfigs.setIamPolicy` `cloudkms.ekmConfigs.update` `cloudkms.ekmConnections.` `cloudkms.ekmConnections.create` `cloudkms.ekmConnections.get` `cloudkms.ekmConnections.getIamPolicy` `cloudkms.ekmConnections.list` `cloudkms.ekmConnections.setIamPolicy` `cloudkms.ekmConnections.update` `cloudkms.ekmConnections.use` `cloudkms.ekmConnections.verifyConnectivity` `cloudkms.importJobs.` `cloudkms.importJobs.create` `cloudkms.importJobs.get` `cloudkms.importJobs.getIamPolicy` `cloudkms.importJobs.list` `cloudkms.importJobs.setIamPolicy` `cloudkms.importJobs.useToImport` `cloudkms.kajPolicyConfigs.` `cloudkms.kajPolicyConfigs.get` `cloudkms.kajPolicyConfigs.update` `cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.keyRings.` `cloudkms.keyRings.create` `cloudkms.keyRings.createTagBinding` `cloudkms.keyRings.deleteTagBinding` `cloudkms.keyRings.get` `cloudkms.keyRings.getIamPolicy` `cloudkms.keyRings.list` `cloudkms.keyRings.listEffectiveTags` `cloudkms.keyRings.listTagBindings` `cloudkms.keyRings.setIamPolicy` `cloudkms.locations.get` `cloudkms.locations.list` `cloudkms.locations.optOutKeyDeletionMsa` `cloudkms.operations.get` `cloudkms.projects.` `cloudkms.projects.showEffectiveAutokeyConfig` `cloudkms.projects.showEffectiveKajEnrollmentConfig` `cloudkms.projects.showEffectiveKajPolicyConfig` `cloudkms.singleTenantHsmInstanceProposals.delete` `cloudkms.singleTenantHsmInstanceProposals.get` `cloudkms.singleTenantHsmInstanceProposals.list` `cloudkms.singleTenantHsmInstances.` `cloudkms.singleTenantHsmInstances.create` `cloudkms.singleTenantHsmInstances.get` `cloudkms.singleTenantHsmInstances.list` `cloudkms.singleTenantHsmInstances.use` `resourcemanager.projects.get`
Cloud KMS Autokey Admin (`roles/cloudkms.autokeyAdmin`) Enables management of AutokeyConfig.	`cloudkms.autokeyConfigs.*` `cloudkms.autokeyConfigs.get` `cloudkms.autokeyConfigs.update` `cloudkms.projects.showEffectiveAutokeyConfig`
Cloud KMS Autokey User (`roles/cloudkms.autokeyUser`) Grants ability to use KeyHandle resources.	`cloudkms.keyHandles.*` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig`
Cloud KMS CryptoKey Decrypter (`roles/cloudkms.cryptoKeyDecrypter`) Provides ability to use Cloud KMS resources for decrypt operationsonly. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToDecrypt` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Cloud KMS CryptoKey Decrypter Via Delegation (`roles/cloudkms.cryptoKeyDecrypterViaDelegation`) Enables Decrypt operations via other Google Cloud services Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToDecryptViaDelegation` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud KMS CryptoKey Encrypter (`roles/cloudkms.cryptoKeyEncrypter`) Provides ability to use Cloud KMS resources for encrypt operationsonly. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToEncrypt` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Cloud KMS CryptoKey Encrypter/Decrypter (`roles/cloudkms.cryptoKeyEncrypterDecrypter`) Provides ability to use Cloud KMS resources for encrypt and decryptoperations only. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToDecrypt` `cloudkms.cryptoKeyVersions.useToEncrypt` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation (`roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation`) Enables Encrypt and Decrypt operations via other Google Cloud services Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToDecryptViaDelegation` `cloudkms.cryptoKeyVersions.useToEncryptViaDelegation` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud KMS CryptoKey Encrypter Via Delegation (`roles/cloudkms.cryptoKeyEncrypterViaDelegation`) Enables Encrypt operations via other Google Cloud services Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToEncryptViaDelegation` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud KMS Crypto Operator (`roles/cloudkms.cryptoOperator`) Enables all Crypto Operations. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToDecapsulate` `cloudkms.cryptoKeyVersions.useToDecrypt` `cloudkms.cryptoKeyVersions.useToEncrypt` `cloudkms.cryptoKeyVersions.useToSign` `cloudkms.cryptoKeyVersions.useToVerify` `cloudkms.cryptoKeyVersions.viewPublicKey` `cloudkms.locations.generateRandomBytes` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Cloud KMS CryptoKey Decapsulator^Beta (`roles/cloudkms.decapsulator`) Enables Decapsulate and GetPublicKey operations	`cloudkms.cryptoKeyVersions.useToDecapsulate` `cloudkms.cryptoKeyVersions.viewPublicKey` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Cloud KMS EkmConnections Admin (`roles/cloudkms.ekmConnectionsAdmin`) Enables management of EkmConnections.	`cloudkms.ekmConfigs.get` `cloudkms.ekmConfigs.update` `cloudkms.ekmConnections.create` `cloudkms.ekmConnections.get` `cloudkms.ekmConnections.list` `cloudkms.ekmConnections.update` `cloudkms.ekmConnections.verifyConnectivity` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud KMS Expert Raw AES-CBC Key Manager (`roles/cloudkms.expertRawAesCbc`) Enables raw AES-CBC keys management. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.manageRawAesCbcKeys` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud KMS Expert Raw AES-CTR Key Manager (`roles/cloudkms.expertRawAesCtr`) Enables raw AES-CTR keys management. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.manageRawAesCtrKeys` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud KMS Expert Raw PKCS#1 Key Manager (`roles/cloudkms.expertRawPKCS1`) Enables raw PKCS#1 keys management. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.manageRawPKCS1Keys` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud KMS single-tenant HSM Executor (`roles/cloudkms.hsmSingleTenantExecutor`) Grants ability to execute SingleTenantHsmInstanceProposal resources.	`cloudkms.operations.get` `cloudkms.singleTenantHsmInstanceProposals.execute` `cloudkms.singleTenantHsmInstanceProposals.get` `cloudkms.singleTenantHsmInstanceProposals.list` `cloudkms.singleTenantHsmInstances.get` `cloudkms.singleTenantHsmInstances.list`
Cloud KMS single-tenant HSM Key Creator (`roles/cloudkms.hsmSingleTenantKeyCreator`) Grants ability to use single-tenant HSM instances to create keys. This role must be combined with another role that grants the ability to create cryptoKeys.	`cloudkms.singleTenantHsmInstances.get` `cloudkms.singleTenantHsmInstances.list` `cloudkms.singleTenantHsmInstances.use`
Cloud KMS single-tenant HSM Proposer (`roles/cloudkms.hsmSingleTenantProposer`) Grants ability to create SingleTenantHsmInstances and SingleTenantHsmInstanceProposals.	`cloudkms.operations.get` `cloudkms.singleTenantHsmInstanceProposals.create` `cloudkms.singleTenantHsmInstanceProposals.delete` `cloudkms.singleTenantHsmInstanceProposals.get` `cloudkms.singleTenantHsmInstanceProposals.list` `cloudkms.singleTenantHsmInstances.create` `cloudkms.singleTenantHsmInstances.get` `cloudkms.singleTenantHsmInstances.list`
Cloud KMS single-tenant HSM Quorum Member (`roles/cloudkms.hsmSingleTenantQuorumMember`) Grants ability to approve SingleTenantHsmInstanceProposal resources.	`cloudkms.operations.get` `cloudkms.singleTenantHsmInstanceProposals.approve` `cloudkms.singleTenantHsmInstanceProposals.get` `cloudkms.singleTenantHsmInstanceProposals.list` `cloudkms.singleTenantHsmInstances.get` `cloudkms.singleTenantHsmInstances.list`
Cloud KMS Importer (`roles/cloudkms.importer`) Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations	`cloudkms.importJobs.create` `cloudkms.importJobs.get` `cloudkms.importJobs.list` `cloudkms.importJobs.useToImport` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Key Access Justifications Enrollment Viewer^Beta (`roles/cloudkms.keyAccessJustificationsEnrollmentConfigViewer`) Grant ability to view Key Access Justification enrollment configs of a project.	`cloudkms.projects.showEffectiveKajEnrollmentConfig`
Key Access Justifications Policy Config Admin^Beta (`roles/cloudkms.keyAccessJustificationsPolicyConfigAdmin`) Grant ability to manage Key Access Justifications Policy at parent resource level.	`cloudkms.kajPolicyConfigs.*` `cloudkms.kajPolicyConfigs.get` `cloudkms.kajPolicyConfigs.update` `cloudkms.projects.showEffectiveKajPolicyConfig`
Cloud KMS Organization Service Agent (`roles/cloudkms.orgServiceAgent`) Gives Cloud KMS organization-level service account access to managed resources. Warning: Do not grant service agent roles to any principals except service agents.	`cloudasset.assets.listResource` `cloudasset.assets.searchAllIamPolicies` `cloudasset.assets.searchAllResources`
Cloud KMS Protected Resources Viewer (`roles/cloudkms.protectedResourcesViewer`) Enables viewing protected resources.	`cloudkms.protectedResources.search`
Cloud KMS CryptoKey Public Key Viewer (`roles/cloudkms.publicKeyViewer`) Enables GetPublicKey operations Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.viewPublicKey` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Cloud KMS Service Agent (`roles/cloudkms.serviceAgent`) Gives Cloud KMS service account access to managed resources. Warning: Do not grant service agent roles to any principals except service agents.	`cloudasset.assets.listCloudkmsCryptoKeys` `cloudasset.assets.listResource` `cloudasset.assets.searchAllIamPolicies` `cloudasset.assets.searchAllResources` `cloudkms.cryptoKeys.create` `cloudkms.cryptoKeys.getIamPolicy` `cloudkms.cryptoKeys.setIamPolicy` `cloudkms.keyRings.create` `cloudkms.keyRings.get`
Cloud KMS CryptoKey Signer (`roles/cloudkms.signer`) Enables Sign operations Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToSign` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Cloud KMS CryptoKey Signer/Verifier (`roles/cloudkms.signerVerifier`) Enables Sign, Verify, and GetPublicKey operations Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToSign` `cloudkms.cryptoKeyVersions.useToVerify` `cloudkms.cryptoKeyVersions.viewPublicKey` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Cloud KMS CryptoKey Verifier (`roles/cloudkms.verifier`) Enables Verify and GetPublicKey operations Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToVerify` `cloudkms.cryptoKeyVersions.viewPublicKey` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Cloud KMS Viewer (`roles/cloudkms.viewer`) Enables Get and List operations. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.autokeyConfigs.get` `cloudkms.cryptoKeyVersions.get` `cloudkms.cryptoKeyVersions.list` `cloudkms.cryptoKeys.get` `cloudkms.cryptoKeys.list` `cloudkms.ekmConfigs.get` `cloudkms.ekmConnections.get` `cloudkms.ekmConnections.list` `cloudkms.importJobs.get` `cloudkms.importJobs.list` `cloudkms.kajPolicyConfigs.get` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.keyRings.get` `cloudkms.keyRings.list` `cloudkms.locations.get` `cloudkms.locations.list` `cloudkms.operations.get` `cloudkms.singleTenantHsmInstanceProposals.get` `cloudkms.singleTenantHsmInstanceProposals.list` `cloudkms.singleTenantHsmInstances.get` `cloudkms.singleTenantHsmInstances.list` `resourcemanager.projects.get`
Cloud KMS KACLS Service Agent (`roles/cloudkmskacls.serviceAgent`) Grants Cloud KMS KACLS Service Agent access to KMS resource permissions to perform DEK encryption/decryption. Warning: Do not grant service agent roles to any principals except service agents.	`cloudkms.cryptoKeyVersions.useToDecrypt` `cloudkms.cryptoKeyVersions.useToEncrypt` `cloudkms.cryptoKeys.get`

Cloud KMS Admin

(roles/cloudkms.admin)

Provides access to Cloud KMS resources, except for access to restricted resource types and cryptographic operations.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.autokeyConfigs.*

cloudkms.autokeyConfigs.get
cloudkms.autokeyConfigs.update

cloudkms.cryptoKeyVersions.create

cloudkms.cryptoKeyVersions.destroy

cloudkms.cryptoKeyVersions.get

cloudkms.cryptoKeyVersions.list

cloudkms.cryptoKeyVersions.restore

cloudkms.cryptoKeyVersions.update

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

cloudkms.cryptoKeyVersions.useToEncryptViaDelegation

cloudkms.cryptoKeys.*

cloudkms.cryptoKeys.create
cloudkms.cryptoKeys.get
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.cryptoKeys.setIamPolicy
cloudkms.cryptoKeys.update

cloudkms.ekmConfigs.*

cloudkms.ekmConfigs.get
cloudkms.ekmConfigs.getIamPolicy
cloudkms.ekmConfigs.setIamPolicy
cloudkms.ekmConfigs.update

cloudkms.ekmConnections.*

cloudkms.ekmConnections.create
cloudkms.ekmConnections.get
cloudkms.ekmConnections.getIamPolicy
cloudkms.ekmConnections.list
cloudkms.ekmConnections.setIamPolicy
cloudkms.ekmConnections.update
cloudkms.ekmConnections.use
cloudkms.ekmConnections.verifyConnectivity

cloudkms.importJobs.*

cloudkms.importJobs.create
cloudkms.importJobs.get
cloudkms.importJobs.getIamPolicy
cloudkms.importJobs.list
cloudkms.importJobs.setIamPolicy
cloudkms.importJobs.useToImport

cloudkms.kajPolicyConfigs.*

cloudkms.kajPolicyConfigs.get
cloudkms.kajPolicyConfigs.update

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.keyRings.*

cloudkms.keyRings.create
cloudkms.keyRings.createTagBinding
cloudkms.keyRings.deleteTagBinding
cloudkms.keyRings.get
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudkms.keyRings.listEffectiveTags
cloudkms.keyRings.listTagBindings
cloudkms.keyRings.setIamPolicy

cloudkms.locations.get

cloudkms.locations.list

cloudkms.locations.optOutKeyDeletionMsa

cloudkms.operations.get

cloudkms.projects.*

cloudkms.projects.showEffectiveAutokeyConfig
cloudkms.projects.showEffectiveKajEnrollmentConfig
cloudkms.projects.showEffectiveKajPolicyConfig

cloudkms.singleTenantHsmInstanceProposals.delete

cloudkms.singleTenantHsmInstanceProposals.get

cloudkms.singleTenantHsmInstanceProposals.list

cloudkms.singleTenantHsmInstances.*

cloudkms.singleTenantHsmInstances.create
cloudkms.singleTenantHsmInstances.get
cloudkms.singleTenantHsmInstances.list
cloudkms.singleTenantHsmInstances.use

resourcemanager.projects.get

Cloud KMS Autokey Admin

(roles/cloudkms.autokeyAdmin)

Enables management of AutokeyConfig.

cloudkms.autokeyConfigs.*

cloudkms.autokeyConfigs.get
cloudkms.autokeyConfigs.update

cloudkms.projects.showEffectiveAutokeyConfig

Cloud KMS Autokey User

(roles/cloudkms.autokeyUser)

Grants ability to use KeyHandle resources.

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

Cloud KMS CryptoKey Decrypter

(roles/cloudkms.cryptoKeyDecrypter)

Provides ability to use Cloud KMS resources for decrypt operationsonly.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Decrypter Via Delegation

(roles/cloudkms.cryptoKeyDecrypterViaDelegation)

Enables Decrypt operations via other Google Cloud services

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS CryptoKey Encrypter

(roles/cloudkms.cryptoKeyEncrypter)

Provides ability to use Cloud KMS resources for encrypt operationsonly.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Encrypter/Decrypter

(roles/cloudkms.cryptoKeyEncrypterDecrypter)

Provides ability to use Cloud KMS resources for encrypt and decryptoperations only.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation

(roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation)

Enables Encrypt and Decrypt operations via other Google Cloud services

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

cloudkms.cryptoKeyVersions.useToEncryptViaDelegation

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS CryptoKey Encrypter Via Delegation

(roles/cloudkms.cryptoKeyEncrypterViaDelegation)

Enables Encrypt operations via other Google Cloud services

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToEncryptViaDelegation

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS Crypto Operator

(roles/cloudkms.cryptoOperator)

Enables all Crypto Operations.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToDecapsulate

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.cryptoKeyVersions.useToSign

cloudkms.cryptoKeyVersions.useToVerify

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.generateRandomBytes

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Decapsulator^Beta

(roles/cloudkms.decapsulator)

Enables Decapsulate and GetPublicKey operations

cloudkms.cryptoKeyVersions.useToDecapsulate

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS EkmConnections Admin

(roles/cloudkms.ekmConnectionsAdmin)

Enables management of EkmConnections.

cloudkms.ekmConfigs.get

cloudkms.ekmConfigs.update

cloudkms.ekmConnections.create

cloudkms.ekmConnections.get

cloudkms.ekmConnections.list

cloudkms.ekmConnections.update

cloudkms.ekmConnections.verifyConnectivity

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS Expert Raw AES-CBC Key Manager

(roles/cloudkms.expertRawAesCbc)

Enables raw AES-CBC keys management.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.manageRawAesCbcKeys

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS Expert Raw AES-CTR Key Manager

(roles/cloudkms.expertRawAesCtr)

Enables raw AES-CTR keys management.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.manageRawAesCtrKeys

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS Expert Raw PKCS#1 Key Manager

(roles/cloudkms.expertRawPKCS1)

Enables raw PKCS#1 keys management.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.manageRawPKCS1Keys

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS single-tenant HSM Executor

(roles/cloudkms.hsmSingleTenantExecutor)

Grants ability to execute SingleTenantHsmInstanceProposal resources.

cloudkms.operations.get

cloudkms.singleTenantHsmInstanceProposals.execute

cloudkms.singleTenantHsmInstanceProposals.get

cloudkms.singleTenantHsmInstanceProposals.list

cloudkms.singleTenantHsmInstances.get

cloudkms.singleTenantHsmInstances.list

Cloud KMS single-tenant HSM Key Creator

(roles/cloudkms.hsmSingleTenantKeyCreator)

Grants ability to use single-tenant HSM instances to create keys. This role must be combined with another role that grants the ability to create cryptoKeys.

cloudkms.singleTenantHsmInstances.get

cloudkms.singleTenantHsmInstances.list

cloudkms.singleTenantHsmInstances.use

Cloud KMS single-tenant HSM Proposer

(roles/cloudkms.hsmSingleTenantProposer)

Grants ability to create SingleTenantHsmInstances and SingleTenantHsmInstanceProposals.

cloudkms.operations.get

cloudkms.singleTenantHsmInstanceProposals.create

cloudkms.singleTenantHsmInstanceProposals.delete

cloudkms.singleTenantHsmInstanceProposals.get

cloudkms.singleTenantHsmInstanceProposals.list

cloudkms.singleTenantHsmInstances.create

cloudkms.singleTenantHsmInstances.get

cloudkms.singleTenantHsmInstances.list

Cloud KMS single-tenant HSM Quorum Member

(roles/cloudkms.hsmSingleTenantQuorumMember)

Grants ability to approve SingleTenantHsmInstanceProposal resources.

cloudkms.operations.get

cloudkms.singleTenantHsmInstanceProposals.approve

cloudkms.singleTenantHsmInstanceProposals.get

cloudkms.singleTenantHsmInstanceProposals.list

cloudkms.singleTenantHsmInstances.get

cloudkms.singleTenantHsmInstances.list

Cloud KMS Importer

(roles/cloudkms.importer)

Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations

cloudkms.importJobs.create

cloudkms.importJobs.get

cloudkms.importJobs.list

cloudkms.importJobs.useToImport

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Key Access Justifications Enrollment Viewer^Beta

(roles/cloudkms.keyAccessJustificationsEnrollmentConfigViewer)

Grant ability to view Key Access Justification enrollment configs of a project.

cloudkms.projects.showEffectiveKajEnrollmentConfig

Key Access Justifications Policy Config Admin^Beta

(roles/cloudkms.keyAccessJustificationsPolicyConfigAdmin)

Grant ability to manage Key Access Justifications Policy at parent resource level.

cloudkms.kajPolicyConfigs.*

cloudkms.kajPolicyConfigs.get
cloudkms.kajPolicyConfigs.update

cloudkms.projects.showEffectiveKajPolicyConfig

Cloud KMS Organization Service Agent

(roles/cloudkms.orgServiceAgent)

Gives Cloud KMS organization-level service account access to managed resources.

Warning: Do not grant service agent roles to any principals except service agents.

cloudasset.assets.listResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

Cloud KMS Protected Resources Viewer

(roles/cloudkms.protectedResourcesViewer)

Enables viewing protected resources.

cloudkms.protectedResources.search

Cloud KMS CryptoKey Public Key Viewer

(roles/cloudkms.publicKeyViewer)

Enables GetPublicKey operations

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS Service Agent

(roles/cloudkms.serviceAgent)

Gives Cloud KMS service account access to managed resources.

Warning: Do not grant service agent roles to any principals except service agents.

cloudasset.assets.listCloudkmsCryptoKeys

cloudasset.assets.listResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudkms.cryptoKeys.create

cloudkms.cryptoKeys.getIamPolicy

cloudkms.cryptoKeys.setIamPolicy

cloudkms.keyRings.create

cloudkms.keyRings.get

Cloud KMS CryptoKey Signer

(roles/cloudkms.signer)

Enables Sign operations

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToSign

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Signer/Verifier

(roles/cloudkms.signerVerifier)

Enables Sign, Verify, and GetPublicKey operations

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToSign

cloudkms.cryptoKeyVersions.useToVerify

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Verifier

(roles/cloudkms.verifier)

Enables Verify and GetPublicKey operations

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToVerify

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS Viewer

(roles/cloudkms.viewer)

Enables Get and List operations.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.autokeyConfigs.get

cloudkms.cryptoKeyVersions.get

cloudkms.cryptoKeyVersions.list

cloudkms.cryptoKeys.get

cloudkms.cryptoKeys.list

cloudkms.ekmConfigs.get

cloudkms.ekmConnections.get

cloudkms.ekmConnections.list

cloudkms.importJobs.get

cloudkms.importJobs.list

cloudkms.kajPolicyConfigs.get

cloudkms.keyHandles.get

cloudkms.keyHandles.list

cloudkms.keyRings.get

cloudkms.keyRings.list

cloudkms.locations.get

cloudkms.locations.list

cloudkms.operations.get

cloudkms.singleTenantHsmInstanceProposals.get

cloudkms.singleTenantHsmInstanceProposals.list

cloudkms.singleTenantHsmInstances.get

cloudkms.singleTenantHsmInstances.list

resourcemanager.projects.get

Cloud KMS KACLS Service Agent

(roles/cloudkmskacls.serviceAgent)

Grants Cloud KMS KACLS Service Agent access to KMS resource permissions to perform DEK encryption/decryption.

Warning: Do not grant service agent roles to any principals except service agents.

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.cryptoKeys.get

Cloud Key Management Service permissions

Permission	Included in roles
`cloudkms.autokeyConfigs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS Autokey Admin (`roles/cloudkms.autokeyAdmin`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Databases Admin (`roles/iam.databasesAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudkms.autokeyConfigs.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS Autokey Admin (`roles/cloudkms.autokeyAdmin`)
`cloudkms.cryptoKeyVersions.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS Admin (`roles/cloudkms.admin`)
`cloudkms.cryptoKeyVersions.destroy`	Owner (`roles/owner`) Cloud KMS Admin (`roles/cloudkms.admin`)
`cloudkms.cryptoKeyVersions.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Kubernetes Engine KMS Crypto Key User (`roles/container.cloudKmsKeyUser`) Databases Admin (`roles/iam.databasesAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudkms.cryptoKeyVersions.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Databases Admin (`roles/iam.databasesAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudkms.cryptoKeyVersions.manageRawAesCbcKeys`	Owner (`roles/owner`) Cloud KMS Expert Raw AES-CBC Key Manager (`roles/cloudkms.expertRawAesCbc`)
`cloudkms.cryptoKeyVersions.manageRawAesCtrKeys`	Owner (`roles/owner`) Cloud KMS Expert Raw AES-CTR Key Manager (`roles/cloudkms.expertRawAesCtr`)
`cloudkms.cryptoKeyVersions.manageRawPKCS1Keys`	Owner (`roles/owner`) Cloud KMS Expert Raw PKCS#1 Key Manager (`roles/cloudkms.expertRawPKCS1`)
`cloudkms.cryptoKeyVersions.restore`	Owner (`roles/owner`) Cloud KMS Admin (`roles/cloudkms.admin`)
`cloudkms.cryptoKeyVersions.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS Admin (`roles/cloudkms.admin`)
`cloudkms.cryptoKeyVersions.useToDecapsulate`	Owner (`roles/owner`) Cloud KMS Crypto Operator (`roles/cloudkms.cryptoOperator`) Cloud KMS CryptoKey Decapsulator (`roles/cloudkms.decapsulator`)
`cloudkms.cryptoKeyVersions.useToDecrypt`	Owner (`roles/owner`) Cloud KMS CryptoKey Decrypter (`roles/cloudkms.cryptoKeyDecrypter`) Cloud KMS CryptoKey Encrypter/Decrypter (`roles/cloudkms.cryptoKeyEncrypterDecrypter`) Cloud KMS Crypto Operator (`roles/cloudkms.cryptoOperator`) Data Scientist (`roles/iam.dataScientist`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud KMS KACLS Service Agent (`roles/cloudkmskacls.serviceAgent`)
`cloudkms.cryptoKeyVersions.useToDecryptViaDelegation`	Owner (`roles/owner`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS CryptoKey Decrypter Via Delegation (`roles/cloudkms.cryptoKeyDecrypterViaDelegation`) Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation (`roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation`)
`cloudkms.cryptoKeyVersions.useToEncrypt`	Owner (`roles/owner`) Cloud KMS CryptoKey Encrypter (`roles/cloudkms.cryptoKeyEncrypter`) Cloud KMS CryptoKey Encrypter/Decrypter (`roles/cloudkms.cryptoKeyEncrypterDecrypter`) Cloud KMS Crypto Operator (`roles/cloudkms.cryptoOperator`) Data Scientist (`roles/iam.dataScientist`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud KMS KACLS Service Agent (`roles/cloudkmskacls.serviceAgent`)
`cloudkms.cryptoKeyVersions.useToEncryptViaDelegation`	Owner (`roles/owner`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation (`roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation`) Cloud KMS CryptoKey Encrypter Via Delegation (`roles/cloudkms.cryptoKeyEncrypterViaDelegation`)
`cloudkms.cryptoKeyVersions.useToSign`	Owner (`roles/owner`) Cloud KMS Crypto Operator (`roles/cloudkms.cryptoOperator`) Cloud KMS CryptoKey Signer (`roles/cloudkms.signer`) Cloud KMS CryptoKey Signer/Verifier (`roles/cloudkms.signerVerifier`) Kubernetes Engine KMS Crypto Key User (`roles/container.cloudKmsKeyUser`)
`cloudkms.cryptoKeyVersions.useToVerify`	Owner (`roles/owner`) Cloud KMS Crypto Operator (`roles/cloudkms.cryptoOperator`) Cloud KMS CryptoKey Signer/Verifier (`roles/cloudkms.signerVerifier`) Cloud KMS CryptoKey Verifier (`roles/cloudkms.verifier`) Kubernetes Engine KMS Crypto Key User (`roles/container.cloudKmsKeyUser`)
`cloudkms.cryptoKeyVersions.viewPublicKey`	Owner (`roles/owner`) Cloud KMS Crypto Operator (`roles/cloudkms.cryptoOperator`) Cloud KMS CryptoKey Decapsulator (`roles/cloudkms.decapsulator`) Cloud KMS CryptoKey Public Key Viewer (`roles/cloudkms.publicKeyViewer`) Cloud KMS CryptoKey Signer/Verifier (`roles/cloudkms.signerVerifier`) Cloud KMS CryptoKey Verifier (`roles/cloudkms.verifier`) Kubernetes Engine KMS Crypto Key User (`roles/container.cloudKmsKeyUser`)
`cloudkms.cryptoKeys.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS Admin (`roles/cloudkms.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud KMS Service Agent (`roles/cloudkms.serviceAgent`) Assured Workloads Service Agent (`roles/assuredworkloads.serviceAgent`)
`cloudkms.cryptoKeys.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Kubernetes Engine KMS Crypto Key User (`roles/container.cloudKmsKeyUser`) Databases Admin (`roles/iam.databasesAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud KMS KACLS Service Agent (`roles/cloudkmskacls.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`)
`cloudkms.cryptoKeys.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud KMS Service Agent (`roles/cloudkms.serviceAgent`)
`cloudkms.cryptoKeys.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Databases Admin (`roles/iam.databasesAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`)
`cloudkms.cryptoKeys.setIamPolicy`	Owner (`roles/owner`) Cloud KMS Admin (`roles/cloudkms.admin`) Security Admin (`roles/iam.securityAdmin`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud KMS Service Agent (`roles/cloudkms.serviceAgent`)
`cloudkms.cryptoKeys.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS Admin (`roles/cloudkms.admin`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`)
`cloudkms.ekmConfigs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS EkmConnections Admin (`roles/cloudkms.ekmConnectionsAdmin`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Databases Admin (`roles/iam.databasesAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudkms.ekmConfigs.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`cloudkms.ekmConfigs.setIamPolicy`	Owner (`roles/owner`) Cloud KMS Admin (`roles/cloudkms.admin`) Security Admin (`roles/iam.securityAdmin`)
`cloudkms.ekmConfigs.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS EkmConnections Admin (`roles/cloudkms.ekmConnectionsAdmin`)
`cloudkms.ekmConnections.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS EkmConnections Admin (`roles/cloudkms.ekmConnectionsAdmin`)
`cloudkms.ekmConnections.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS EkmConnections Admin (`roles/cloudkms.ekmConnectionsAdmin`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Databases Admin (`roles/iam.databasesAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Controls Partner EKM Service Agent (`roles/cloudcontrolspartner.ekmServiceAgent`)
`cloudkms.ekmConnections.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Controls Partner EKM Service Agent (`roles/cloudcontrolspartner.ekmServiceAgent`)
`cloudkms.ekmConnections.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS EkmConnections Admin (`roles/cloudkms.ekmConnectionsAdmin`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Databases Admin (`roles/iam.databasesAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Controls Partner EKM Service Agent (`roles/cloudcontrolspartner.ekmServiceAgent`)
`cloudkms.ekmConnections.setIamPolicy`	Owner (`roles/owner`) Cloud KMS Admin (`roles/cloudkms.admin`) Security Admin (`roles/iam.securityAdmin`)
`cloudkms.ekmConnections.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS EkmConnections Admin (`roles/cloudkms.ekmConnectionsAdmin`)
`cloudkms.ekmConnections.use`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS Admin (`roles/cloudkms.admin`)
`cloudkms.ekmConnections.verifyConnectivity`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS EkmConnections Admin (`roles/cloudkms.ekmConnectionsAdmin`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Controls Partner EKM Service Agent (`roles/cloudcontrolspartner.ekmServiceAgent`)
`cloudkms.importJobs.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS Importer (`roles/cloudkms.importer`)
`cloudkms.importJobs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS Importer (`roles/cloudkms.importer`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Databases Admin (`roles/iam.databasesAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudkms.importJobs.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`cloudkms.importJobs.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS Importer (`roles/cloudkms.importer`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Databases Admin (`roles/iam.databasesAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudkms.importJobs.setIamPolicy`	Owner (`roles/owner`) Cloud KMS Admin (`roles/cloudkms.admin`) Security Admin (`roles/iam.securityAdmin`)
`cloudkms.importJobs.useToImport`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS Importer (`roles/cloudkms.importer`)
`cloudkms.kajPolicyConfigs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Key Access Justifications Policy Config Admin (`roles/cloudkms.keyAccessJustificationsPolicyConfigAdmin`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Databases Admin (`roles/iam.databasesAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudkms.kajPolicyConfigs.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS Admin (`roles/cloudkms.admin`) Key Access Justifications Policy Config Admin (`roles/cloudkms.keyAccessJustificationsPolicyConfigAdmin`)
`cloudkms.keyHandles.create`	Owner (`roles/owner`) Editor (`roles/editor`) AlloyDB Admin (`roles/alloydb.admin`) Artifact Registry Administrator (`roles/artifactregistry.admin`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery Studio User (`roles/bigquery.studioUser`) BigQuery User (`roles/bigquery.user`) Bigtable Administrator (`roles/bigtable.admin`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS Autokey User (`roles/cloudkms.autokeyUser`) Cloud SQL Admin (`roles/cloudsql.admin`) Composer Administrator (`roles/composer.admin`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Compute Admin (`roles/compute.admin`) Compute Instance Admin (beta) (`roles/compute.instanceAdmin`) Compute Instance Admin (v1) (`roles/compute.instanceAdmin.v1`) Compute Storage Admin (`roles/compute.storageAdmin`) Dataflow Admin (`roles/dataflow.admin`) Dataflow Developer (`roles/dataflow.developer`) Dataproc Administrator (`roles/dataproc.admin`) Dataproc Editor (`roles/dataproc.editor`) Dataproc Serverless Editor (`roles/dataproc.serverlessEditor`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Notebooks Legacy Admin (`roles/notebooks.legacyAdmin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Memorystore Redis Admin (`roles/redis.admin`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Secret Manager Admin (`roles/secretmanager.admin`) Secure Source Manager Admin (`roles/securesourcemanager.admin`) Secure Source Manager Instance Owner (`roles/securesourcemanager.instanceOwner`) Cloud Spanner Admin (`roles/spanner.admin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Storage Admin (`roles/storage.admin`)
`cloudkms.keyHandles.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) AlloyDB Admin (`roles/alloydb.admin`) Artifact Registry Administrator (`roles/artifactregistry.admin`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery Studio User (`roles/bigquery.studioUser`) BigQuery User (`roles/bigquery.user`) Bigtable Administrator (`roles/bigtable.admin`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS Autokey User (`roles/cloudkms.autokeyUser`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Composer Administrator (`roles/composer.admin`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Compute Admin (`roles/compute.admin`) Compute Instance Admin (beta) (`roles/compute.instanceAdmin`) Compute Instance Admin (v1) (`roles/compute.instanceAdmin.v1`) Compute Storage Admin (`roles/compute.storageAdmin`) Dataflow Admin (`roles/dataflow.admin`) Dataflow Developer (`roles/dataflow.developer`) Dataproc Administrator (`roles/dataproc.admin`) Dataproc Editor (`roles/dataproc.editor`) Dataproc Serverless Editor (`roles/dataproc.serverlessEditor`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Notebooks Legacy Admin (`roles/notebooks.legacyAdmin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Memorystore Redis Admin (`roles/redis.admin`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Secret Manager Admin (`roles/secretmanager.admin`) Secure Source Manager Admin (`roles/securesourcemanager.admin`) Secure Source Manager Instance Owner (`roles/securesourcemanager.instanceOwner`) Cloud Spanner Admin (`roles/spanner.admin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Storage Admin (`roles/storage.admin`)
`cloudkms.keyHandles.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) AlloyDB Admin (`roles/alloydb.admin`) Artifact Registry Administrator (`roles/artifactregistry.admin`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery Studio User (`roles/bigquery.studioUser`) BigQuery User (`roles/bigquery.user`) Bigtable Administrator (`roles/bigtable.admin`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS Autokey User (`roles/cloudkms.autokeyUser`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Composer Administrator (`roles/composer.admin`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Compute Admin (`roles/compute.admin`) Compute Instance Admin (beta) (`roles/compute.instanceAdmin`) Compute Instance Admin (v1) (`roles/compute.instanceAdmin.v1`) Compute Storage Admin (`roles/compute.storageAdmin`) Dataflow Admin (`roles/dataflow.admin`) Dataflow Developer (`roles/dataflow.developer`) Dataproc Administrator (`roles/dataproc.admin`) Dataproc Editor (`roles/dataproc.editor`) Dataproc Serverless Editor (`roles/dataproc.serverlessEditor`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Notebooks Legacy Admin (`roles/notebooks.legacyAdmin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Memorystore Redis Admin (`roles/redis.admin`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Secret Manager Admin (`roles/secretmanager.admin`) Secure Source Manager Admin (`roles/securesourcemanager.admin`) Secure Source Manager Instance Owner (`roles/securesourcemanager.instanceOwner`) Cloud Spanner Admin (`roles/spanner.admin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Storage Admin (`roles/storage.admin`)
`cloudkms.keyRings.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS Admin (`roles/cloudkms.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud KMS Service Agent (`roles/cloudkms.serviceAgent`) Assured Workloads Service Agent (`roles/assuredworkloads.serviceAgent`)
`cloudkms.keyRings.createTagBinding`	Owner (`roles/owner`) Cloud KMS Admin (`roles/cloudkms.admin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`)
`cloudkms.keyRings.deleteTagBinding`	Owner (`roles/owner`) Cloud KMS Admin (`roles/cloudkms.admin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`)
`cloudkms.keyRings.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Databases Admin (`roles/iam.databasesAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud KMS Service Agent (`roles/cloudkms.serviceAgent`)
`cloudkms.keyRings.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`)
`cloudkms.keyRings.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Databases Admin (`roles/iam.databasesAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`)
`cloudkms.keyRings.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`cloudkms.keyRings.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`cloudkms.keyRings.setIamPolicy`	Owner (`roles/owner`) Cloud KMS Admin (`roles/cloudkms.admin`) Security Admin (`roles/iam.securityAdmin`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`)
`cloudkms.locations.generateRandomBytes`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Crypto Operator (`roles/cloudkms.cryptoOperator`) Support User (`roles/iam.supportUser`)
`cloudkms.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS CryptoKey Decrypter (`roles/cloudkms.cryptoKeyDecrypter`) Cloud KMS CryptoKey Decrypter Via Delegation (`roles/cloudkms.cryptoKeyDecrypterViaDelegation`) Cloud KMS CryptoKey Encrypter (`roles/cloudkms.cryptoKeyEncrypter`) Cloud KMS CryptoKey Encrypter/Decrypter (`roles/cloudkms.cryptoKeyEncrypterDecrypter`) Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation (`roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation`) Cloud KMS CryptoKey Encrypter Via Delegation (`roles/cloudkms.cryptoKeyEncrypterViaDelegation`) Cloud KMS Crypto Operator (`roles/cloudkms.cryptoOperator`) Cloud KMS CryptoKey Decapsulator (`roles/cloudkms.decapsulator`) Cloud KMS Expert Raw AES-CBC Key Manager (`roles/cloudkms.expertRawAesCbc`) Cloud KMS Expert Raw AES-CTR Key Manager (`roles/cloudkms.expertRawAesCtr`) Cloud KMS Expert Raw PKCS#1 Key Manager (`roles/cloudkms.expertRawPKCS1`) Cloud KMS Importer (`roles/cloudkms.importer`) Cloud KMS CryptoKey Public Key Viewer (`roles/cloudkms.publicKeyViewer`) Cloud KMS CryptoKey Signer (`roles/cloudkms.signer`) Cloud KMS CryptoKey Signer/Verifier (`roles/cloudkms.signerVerifier`) Cloud KMS CryptoKey Verifier (`roles/cloudkms.verifier`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Kubernetes Engine KMS Crypto Key User (`roles/container.cloudKmsKeyUser`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. DLP API Service Agent (`roles/dlp.serviceAgent`)
`cloudkms.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS CryptoKey Decrypter (`roles/cloudkms.cryptoKeyDecrypter`) Cloud KMS CryptoKey Decrypter Via Delegation (`roles/cloudkms.cryptoKeyDecrypterViaDelegation`) Cloud KMS CryptoKey Encrypter (`roles/cloudkms.cryptoKeyEncrypter`) Cloud KMS CryptoKey Encrypter/Decrypter (`roles/cloudkms.cryptoKeyEncrypterDecrypter`) Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation (`roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation`) Cloud KMS CryptoKey Encrypter Via Delegation (`roles/cloudkms.cryptoKeyEncrypterViaDelegation`) Cloud KMS Crypto Operator (`roles/cloudkms.cryptoOperator`) Cloud KMS CryptoKey Decapsulator (`roles/cloudkms.decapsulator`) Cloud KMS Expert Raw AES-CBC Key Manager (`roles/cloudkms.expertRawAesCbc`) Cloud KMS Expert Raw AES-CTR Key Manager (`roles/cloudkms.expertRawAesCtr`) Cloud KMS Expert Raw PKCS#1 Key Manager (`roles/cloudkms.expertRawPKCS1`) Cloud KMS Importer (`roles/cloudkms.importer`) Cloud KMS CryptoKey Public Key Viewer (`roles/cloudkms.publicKeyViewer`) Cloud KMS CryptoKey Signer (`roles/cloudkms.signer`) Cloud KMS CryptoKey Signer/Verifier (`roles/cloudkms.signerVerifier`) Cloud KMS CryptoKey Verifier (`roles/cloudkms.verifier`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Kubernetes Engine KMS Crypto Key User (`roles/container.cloudKmsKeyUser`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) ML Engineer (`roles/iam.mlEngineer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. DLP API Service Agent (`roles/dlp.serviceAgent`)
`cloudkms.locations.optOutKeyDeletionMsa`	Owner (`roles/owner`) Cloud KMS Admin (`roles/cloudkms.admin`)
`cloudkms.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) AlloyDB Admin (`roles/alloydb.admin`) Artifact Registry Administrator (`roles/artifactregistry.admin`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery Studio User (`roles/bigquery.studioUser`) BigQuery User (`roles/bigquery.user`) Bigtable Administrator (`roles/bigtable.admin`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS Autokey User (`roles/cloudkms.autokeyUser`) Cloud KMS single-tenant HSM Executor (`roles/cloudkms.hsmSingleTenantExecutor`) Cloud KMS single-tenant HSM Proposer (`roles/cloudkms.hsmSingleTenantProposer`) Cloud KMS single-tenant HSM Quorum Member (`roles/cloudkms.hsmSingleTenantQuorumMember`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Composer Administrator (`roles/composer.admin`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Compute Admin (`roles/compute.admin`) Compute Instance Admin (beta) (`roles/compute.instanceAdmin`) Compute Instance Admin (v1) (`roles/compute.instanceAdmin.v1`) Compute Storage Admin (`roles/compute.storageAdmin`) Dataflow Admin (`roles/dataflow.admin`) Dataflow Developer (`roles/dataflow.developer`) Dataproc Administrator (`roles/dataproc.admin`) Dataproc Editor (`roles/dataproc.editor`) Dataproc Serverless Editor (`roles/dataproc.serverlessEditor`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Notebooks Legacy Admin (`roles/notebooks.legacyAdmin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Memorystore Redis Admin (`roles/redis.admin`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Secret Manager Admin (`roles/secretmanager.admin`) Secure Source Manager Admin (`roles/securesourcemanager.admin`) Secure Source Manager Instance Owner (`roles/securesourcemanager.instanceOwner`) Cloud Spanner Admin (`roles/spanner.admin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Storage Admin (`roles/storage.admin`)
`cloudkms.projects.showEffectiveAutokeyConfig`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) AlloyDB Admin (`roles/alloydb.admin`) Artifact Registry Administrator (`roles/artifactregistry.admin`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery Studio User (`roles/bigquery.studioUser`) BigQuery User (`roles/bigquery.user`) Bigtable Administrator (`roles/bigtable.admin`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS Autokey Admin (`roles/cloudkms.autokeyAdmin`) Cloud KMS Autokey User (`roles/cloudkms.autokeyUser`) Cloud SQL Admin (`roles/cloudsql.admin`) Composer Administrator (`roles/composer.admin`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Compute Admin (`roles/compute.admin`) Compute Instance Admin (beta) (`roles/compute.instanceAdmin`) Compute Instance Admin (v1) (`roles/compute.instanceAdmin.v1`) Compute Storage Admin (`roles/compute.storageAdmin`) Dataflow Admin (`roles/dataflow.admin`) Dataflow Developer (`roles/dataflow.developer`) Dataproc Administrator (`roles/dataproc.admin`) Dataproc Editor (`roles/dataproc.editor`) Dataproc Serverless Editor (`roles/dataproc.serverlessEditor`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Notebooks Legacy Admin (`roles/notebooks.legacyAdmin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Memorystore Redis Admin (`roles/redis.admin`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Secret Manager Admin (`roles/secretmanager.admin`) Secure Source Manager Admin (`roles/securesourcemanager.admin`) Secure Source Manager Instance Owner (`roles/securesourcemanager.instanceOwner`) Cloud Spanner Admin (`roles/spanner.admin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Storage Admin (`roles/storage.admin`)
`cloudkms.projects.showEffectiveKajEnrollmentConfig`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Key Access Justifications Enrollment Viewer (`roles/cloudkms.keyAccessJustificationsEnrollmentConfigViewer`) Support User (`roles/iam.supportUser`)
`cloudkms.projects.showEffectiveKajPolicyConfig`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Key Access Justifications Policy Config Admin (`roles/cloudkms.keyAccessJustificationsPolicyConfigAdmin`) Support User (`roles/iam.supportUser`)
`cloudkms.protectedResources.search`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Protected Resources Viewer (`roles/cloudkms.protectedResourcesViewer`) Support User (`roles/iam.supportUser`)
`cloudkms.singleTenantHsmInstanceProposals.approve`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS single-tenant HSM Quorum Member (`roles/cloudkms.hsmSingleTenantQuorumMember`)
`cloudkms.singleTenantHsmInstanceProposals.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS single-tenant HSM Proposer (`roles/cloudkms.hsmSingleTenantProposer`)
`cloudkms.singleTenantHsmInstanceProposals.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS single-tenant HSM Proposer (`roles/cloudkms.hsmSingleTenantProposer`)
`cloudkms.singleTenantHsmInstanceProposals.execute`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS single-tenant HSM Executor (`roles/cloudkms.hsmSingleTenantExecutor`)
`cloudkms.singleTenantHsmInstanceProposals.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS single-tenant HSM Executor (`roles/cloudkms.hsmSingleTenantExecutor`) Cloud KMS single-tenant HSM Proposer (`roles/cloudkms.hsmSingleTenantProposer`) Cloud KMS single-tenant HSM Quorum Member (`roles/cloudkms.hsmSingleTenantQuorumMember`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Databases Admin (`roles/iam.databasesAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudkms.singleTenantHsmInstanceProposals.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS single-tenant HSM Executor (`roles/cloudkms.hsmSingleTenantExecutor`) Cloud KMS single-tenant HSM Proposer (`roles/cloudkms.hsmSingleTenantProposer`) Cloud KMS single-tenant HSM Quorum Member (`roles/cloudkms.hsmSingleTenantQuorumMember`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Databases Admin (`roles/iam.databasesAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudkms.singleTenantHsmInstances.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS single-tenant HSM Proposer (`roles/cloudkms.hsmSingleTenantProposer`)
`cloudkms.singleTenantHsmInstances.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS single-tenant HSM Executor (`roles/cloudkms.hsmSingleTenantExecutor`) Cloud KMS single-tenant HSM Key Creator (`roles/cloudkms.hsmSingleTenantKeyCreator`) Cloud KMS single-tenant HSM Proposer (`roles/cloudkms.hsmSingleTenantProposer`) Cloud KMS single-tenant HSM Quorum Member (`roles/cloudkms.hsmSingleTenantQuorumMember`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Databases Admin (`roles/iam.databasesAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudkms.singleTenantHsmInstances.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS single-tenant HSM Executor (`roles/cloudkms.hsmSingleTenantExecutor`) Cloud KMS single-tenant HSM Key Creator (`roles/cloudkms.hsmSingleTenantKeyCreator`) Cloud KMS single-tenant HSM Proposer (`roles/cloudkms.hsmSingleTenantProposer`) Cloud KMS single-tenant HSM Quorum Member (`roles/cloudkms.hsmSingleTenantQuorumMember`) Cloud KMS Viewer (`roles/cloudkms.viewer`) Databases Admin (`roles/iam.databasesAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudkms.singleTenantHsmInstances.use`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud KMS Admin (`roles/cloudkms.admin`) Cloud KMS single-tenant HSM Key Creator (`roles/cloudkms.hsmSingleTenantKeyCreator`)

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-16 UTC.

Movatterモバイル変換

Cloud Key Management Service roles and permissions Stay organized with collections Save and categorize content based on your preferences.