Confidential Computing roles and permissions

This page lists the IAM roles and permissions for Confidential Computing. To search through all roles and permissions, see the role and permission index.

Confidential Computing roles

Role | Permissions

Confidential Space Workload User

(roles/confidentialcomputing.workloadUser)

Grants the ability to generate an attestation token and run a workload in a VM. Intended for service accounts that run on Confidential Space VMs.

confidentialcomputing.*

  • confidentialcomputing.challenges.create
  • confidentialcomputing.challenges.verify
  • confidentialcomputing.locations.get
  • confidentialcomputing.locations.list

logging.logEntries.create

Confidential Computing permissions

Permission | Included in roles

confidentialcomputing.challenges.create

Owner (roles/owner)

Editor (roles/editor)

Confidential Space Workload User (roles/confidentialcomputing.workloadUser)

confidentialcomputing.challenges.verify

Owner (roles/owner)

Editor (roles/editor)

Confidential Space Workload User (roles/confidentialcomputing.workloadUser)

confidentialcomputing.locations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Confidential Space Workload User (roles/confidentialcomputing.workloadUser)

Support User (roles/iam.supportUser)

confidentialcomputing.locations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Confidential Space Workload User (roles/confidentialcomputing.workloadUser)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.