GKE Hub roles and permissions

This page lists the IAM roles and permissions for GKE Hub. To search through all roles and permissions, see the role and permission index.

GKE Hub roles

Role | Permissions

Fleet Admin (formerly GKE Hub Admin)

(roles/gkehub.admin)

Full access to Fleet resources.

gkehub.features.*

  • gkehub.features.create
  • gkehub.features.delete
  • gkehub.features.get
  • gkehub.features.getIamPolicy
  • gkehub.features.list
  • gkehub.features.setIamPolicy
  • gkehub.features.update

gkehub.fleet.*

  • gkehub.fleet.create
  • gkehub.fleet.createFreeTrial
  • gkehub.fleet.delete
  • gkehub.fleet.get
  • gkehub.fleet.getFreeTrial
  • gkehub.fleet.update
  • gkehub.fleet.updateFreeTrial

gkehub.locations.*

  • gkehub.locations.get
  • gkehub.locations.list

gkehub.membershipbindings.*

  • gkehub.membershipbindings.create
  • gkehub.membershipbindings.delete
  • gkehub.membershipbindings.get
  • gkehub.membershipbindings.list
  • gkehub.membershipbindings.update

gkehub.membershipfeatures.*

  • gkehub.membershipfeatures.create
  • gkehub.membershipfeatures.delete
  • gkehub.membershipfeatures.get
  • gkehub.membershipfeatures.list
  • gkehub.membershipfeatures.update

gkehub.memberships.*

  • gkehub.memberships.create
  • gkehub.memberships.delete
  • gkehub.memberships.generateConnectManifest
  • gkehub.memberships.get
  • gkehub.memberships.getIamPolicy
  • gkehub.memberships.list
  • gkehub.memberships.setIamPolicy
  • gkehub.memberships.update

gkehub.namespaces.*

  • gkehub.namespaces.create
  • gkehub.namespaces.delete
  • gkehub.namespaces.get
  • gkehub.namespaces.list
  • gkehub.namespaces.update

gkehub.operations.*

  • gkehub.operations.cancel
  • gkehub.operations.delete
  • gkehub.operations.get
  • gkehub.operations.list

gkehub.rbacrolebindings.*

  • gkehub.rbacrolebindings.create
  • gkehub.rbacrolebindings.delete
  • gkehub.rbacrolebindings.get
  • gkehub.rbacrolebindings.list
  • gkehub.rbacrolebindings.update

gkehub.scopes.*

  • gkehub.scopes.create
  • gkehub.scopes.delete
  • gkehub.scopes.get
  • gkehub.scopes.getIamPolicy
  • gkehub.scopes.list
  • gkehub.scopes.listBoundMemberships
  • gkehub.scopes.setIamPolicy
  • gkehub.scopes.update

resourcemanager.projects.get

resourcemanager.projects.list

GKE Connect Agent

(roles/gkehub.connect)

Ability to set up GKE Connect between external clusters and Google.

gkehub.endpoints.connect

GKE Hub Cross Project Service Agent

(roles/gkehub.crossProjectServiceAgent)

Gives the GKE Hub service agent permission to manage the project for cross-project fleet registration.

Warning: Do not grant service agent roles to any principals except service agents.

resourcemanager.projects.getIamPolicy

resourcemanager.projects.setIamPolicy

Fleet Editor (formerly GKE Hub Editor)

(roles/gkehub.editor)

Edit access to Fleet resources.

gkehub.features.create

gkehub.features.delete

gkehub.features.get

gkehub.features.getIamPolicy

gkehub.features.list

gkehub.features.update

gkehub.fleet.*

  • gkehub.fleet.create
  • gkehub.fleet.createFreeTrial
  • gkehub.fleet.delete
  • gkehub.fleet.get
  • gkehub.fleet.getFreeTrial
  • gkehub.fleet.update
  • gkehub.fleet.updateFreeTrial

gkehub.locations.*

  • gkehub.locations.get
  • gkehub.locations.list

gkehub.membershipbindings.*

  • gkehub.membershipbindings.create
  • gkehub.membershipbindings.delete
  • gkehub.membershipbindings.get
  • gkehub.membershipbindings.list
  • gkehub.membershipbindings.update

gkehub.membershipfeatures.*

  • gkehub.membershipfeatures.create
  • gkehub.membershipfeatures.delete
  • gkehub.membershipfeatures.get
  • gkehub.membershipfeatures.list
  • gkehub.membershipfeatures.update

gkehub.memberships.create

gkehub.memberships.delete

gkehub.memberships.generateConnectManifest

gkehub.memberships.get

gkehub.memberships.getIamPolicy

gkehub.memberships.list

gkehub.memberships.update

gkehub.namespaces.*

  • gkehub.namespaces.create
  • gkehub.namespaces.delete
  • gkehub.namespaces.get
  • gkehub.namespaces.list
  • gkehub.namespaces.update

gkehub.operations.*

  • gkehub.operations.cancel
  • gkehub.operations.delete
  • gkehub.operations.get
  • gkehub.operations.list

gkehub.rbacrolebindings.*

  • gkehub.rbacrolebindings.create
  • gkehub.rbacrolebindings.delete
  • gkehub.rbacrolebindings.get
  • gkehub.rbacrolebindings.list
  • gkehub.rbacrolebindings.update

gkehub.scopes.create

gkehub.scopes.delete

gkehub.scopes.get

gkehub.scopes.getIamPolicy

gkehub.scopes.list

gkehub.scopes.listBoundMemberships

gkehub.scopes.update

resourcemanager.projects.get

resourcemanager.projects.list

Connect Gateway Admin

(roles/gkehub.gatewayAdmin)

Full access to Connect Gateway.

gkehub.gateway.*

  • gkehub.gateway.delete
  • gkehub.gateway.generateCredentials
  • gkehub.gateway.get
  • gkehub.gateway.patch
  • gkehub.gateway.post
  • gkehub.gateway.put
  • gkehub.gateway.stream

gkehub.memberships.get

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.get

serviceusage.values.test

Connect Gateway Editor

(roles/gkehub.gatewayEditor)

Edit access to Connect Gateway.

gkehub.gateway.delete

gkehub.gateway.generateCredentials

gkehub.gateway.get

gkehub.gateway.patch

gkehub.gateway.post

gkehub.gateway.put

gkehub.memberships.get

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.get

serviceusage.values.test

Connect Gateway Reader

(roles/gkehub.gatewayReader)

Read-only access to Connect Gateway.

gkehub.gateway.generateCredentials

gkehub.gateway.get

gkehub.memberships.get

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.get

serviceusage.values.test

Fleet Scope Admin

(roles/gkehub.scopeAdmin)

Admin access to Fleet Scopes to set IAM Bindings and RBACRoleBindings.

gkehub.namespaces.create

gkehub.namespaces.delete

gkehub.namespaces.get

gkehub.namespaces.list

gkehub.rbacrolebindings.*

  • gkehub.rbacrolebindings.create
  • gkehub.rbacrolebindings.delete
  • gkehub.rbacrolebindings.get
  • gkehub.rbacrolebindings.list
  • gkehub.rbacrolebindings.update

gkehub.scopes.get

gkehub.scopes.getIamPolicy

gkehub.scopes.listBoundMemberships

gkehub.scopes.setIamPolicy

Fleet Scope Editor

(roles/gkehub.scopeEditor)

Edit access to Namespaces under Fleet Scopes.

gkehub.namespaces.create

gkehub.namespaces.delete

gkehub.namespaces.get

gkehub.namespaces.list

gkehub.rbacrolebindings.get

gkehub.rbacrolebindings.list

gkehub.scopes.get

gkehub.scopes.getIamPolicy

gkehub.scopes.listBoundMemberships

Fleet Project-level Scope Editor

(roles/gkehub.scopeEditorProjectLevel)

Role for project-level permissions for editor of Fleet Scopes.

gkehub.gateway.delete

gkehub.gateway.generateCredentials

gkehub.gateway.get

gkehub.gateway.patch

gkehub.gateway.post

gkehub.gateway.put

gkehub.memberships.get

gkehub.operations.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.get

serviceusage.values.test

Fleet Scope Viewer

(roles/gkehub.scopeViewer)

Viewer of Fleet Scopes and associated resources.

gkehub.namespaces.get

gkehub.namespaces.list

gkehub.rbacrolebindings.get

gkehub.rbacrolebindings.list

gkehub.scopes.get

gkehub.scopes.getIamPolicy

gkehub.scopes.listBoundMemberships

Fleet Project-level Scope Viewer

(roles/gkehub.scopeViewerProjectLevel)

Role for project-level permissions for viewer of Fleet Scopes.

gkehub.gateway.generateCredentials

gkehub.gateway.get

gkehub.memberships.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.get

serviceusage.values.test

GKE Hub Service Agent

(roles/gkehub.serviceAgent)

Gives the GKE Hub service agent access to Cloud Platform resources.

Warning: Do not grant service agent roles to any principals except service agents.

container.clusterRoleBindings.*

  • container.clusterRoleBindings.create
  • container.clusterRoleBindings.delete
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.list
  • container.clusterRoleBindings.update

container.clusterRoles.*

  • container.clusterRoles.bind
  • container.clusterRoles.create
  • container.clusterRoles.delete
  • container.clusterRoles.escalate
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusterRoles.update

container.clusters.connect

container.clusters.get

container.clusters.list

container.clusters.update

container.customResourceDefinitions.create

container.customResourceDefinitions.delete

container.customResourceDefinitions.get

container.customResourceDefinitions.list

container.customResourceDefinitions.update

container.namespaces.get

container.operations.get

container.thirdPartyObjects.*

  • container.thirdPartyObjects.create
  • container.thirdPartyObjects.delete
  • container.thirdPartyObjects.get
  • container.thirdPartyObjects.list
  • container.thirdPartyObjects.update

gkehub.features.create

gkehub.features.get

gkehub.features.list

gkehub.fleet.create

gkehub.fleet.get

gkehub.gateway.delete

gkehub.gateway.generateCredentials

gkehub.gateway.get

gkehub.gateway.patch

gkehub.gateway.post

gkehub.gateway.put

gkehub.locations.*

  • gkehub.locations.get
  • gkehub.locations.list

gkehub.memberships.create

gkehub.memberships.generateConnectManifest

gkehub.memberships.get

gkehub.memberships.list

gkehub.operations.get

gkemulticloud.awsClusters.get

gkemulticloud.azureClusters.get

gkeonprem.bareMetalClusters.get

gkeonprem.vmwareClusters.get

logging.buckets.create

logging.buckets.get

logging.buckets.list

logging.buckets.update

logging.exclusions.*

  • logging.exclusions.create
  • logging.exclusions.delete
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.exclusions.update

logging.sinks.*

  • logging.sinks.create
  • logging.sinks.delete
  • logging.sinks.get
  • logging.sinks.list
  • logging.sinks.update

logging.views.create

logging.views.get

logging.views.list

logging.views.update

monitoring.metricsScopes.link

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.get

serviceusage.services.list

serviceusage.values.test

Fleet Viewer (formerly GKE Hub Viewer)

(roles/gkehub.viewer)

Read-only access to Fleets and related resources.

gkehub.features.get

gkehub.features.getIamPolicy

gkehub.features.list

gkehub.fleet.get

gkehub.fleet.getFreeTrial

gkehub.locations.*

  • gkehub.locations.get
  • gkehub.locations.list

gkehub.membershipbindings.get

gkehub.membershipbindings.list

gkehub.membershipfeatures.get

gkehub.membershipfeatures.list

gkehub.memberships.generateConnectManifest

gkehub.memberships.get

gkehub.memberships.getIamPolicy

gkehub.memberships.list

gkehub.namespaces.get

gkehub.namespaces.list

gkehub.operations.get

gkehub.operations.list

gkehub.rbacrolebindings.get

gkehub.rbacrolebindings.list

gkehub.scopes.get

gkehub.scopes.list

gkehub.scopes.listBoundMemberships

resourcemanager.projects.get

resourcemanager.projects.list

GKE Hub permissions

Permission | Included in roles

gkehub.endpoints.connect

Owner (roles/owner)

Velostrata Manager (roles/cloudmigration.inframanager)

Velostrata Manager Connection Agent (roles/cloudmigration.velostrataconnect)

GKE Connect Agent (roles/gkehub.connect)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.features.create

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.features.delete

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.features.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.features.getIamPolicy

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.features.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.features.setIamPolicy

Owner (roles/owner)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Security Admin (roles/iam.securityAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.features.update

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.fleet.create

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.fleet.createFreeTrial

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.fleet.delete

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.fleet.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.fleet.getFreeTrial

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.fleet.update

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.fleet.updateFreeTrial

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.gateway.delete

Owner (roles/owner)

Editor (roles/editor)

Connect Gateway Admin (roles/gkehub.gatewayAdmin)

Connect Gateway Editor (roles/gkehub.gatewayEditor)

Fleet Project-level Scope Editor (roles/gkehub.scopeEditorProjectLevel)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.gateway.generateCredentials

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Connect Gateway Admin (roles/gkehub.gatewayAdmin)

Connect Gateway Editor (roles/gkehub.gatewayEditor)

Connect Gateway Reader (roles/gkehub.gatewayReader)

Fleet Project-level Scope Editor (roles/gkehub.scopeEditorProjectLevel)

Fleet Project-level Scope Viewer (roles/gkehub.scopeViewerProjectLevel)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.gateway.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Connect Gateway Admin (roles/gkehub.gatewayAdmin)

Connect Gateway Editor (roles/gkehub.gatewayEditor)

Connect Gateway Reader (roles/gkehub.gatewayReader)

Fleet Project-level Scope Editor (roles/gkehub.scopeEditorProjectLevel)

Fleet Project-level Scope Viewer (roles/gkehub.scopeViewerProjectLevel)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.gateway.patch

Owner (roles/owner)

Editor (roles/editor)

Connect Gateway Admin (roles/gkehub.gatewayAdmin)

Connect Gateway Editor (roles/gkehub.gatewayEditor)

Fleet Project-level Scope Editor (roles/gkehub.scopeEditorProjectLevel)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.gateway.post

Owner (roles/owner)

Editor (roles/editor)

Connect Gateway Admin (roles/gkehub.gatewayAdmin)

Connect Gateway Editor (roles/gkehub.gatewayEditor)

Fleet Project-level Scope Editor (roles/gkehub.scopeEditorProjectLevel)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.gateway.put

Owner (roles/owner)

Editor (roles/editor)

Connect Gateway Admin (roles/gkehub.gatewayAdmin)

Connect Gateway Editor (roles/gkehub.gatewayEditor)

Fleet Project-level Scope Editor (roles/gkehub.scopeEditorProjectLevel)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.gateway.stream

Owner (roles/owner)

Editor (roles/editor)

Connect Gateway Admin (roles/gkehub.gatewayAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.locations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.locations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.membershipbindings.create

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.membershipbindings.delete

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.membershipbindings.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.membershipbindings.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.membershipbindings.update

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.membershipfeatures.create

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.membershipfeatures.delete

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.membershipfeatures.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.membershipfeatures.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.membershipfeatures.update

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.memberships.create

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.memberships.delete

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.memberships.generateConnectManifest

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.memberships.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Connect Gateway Admin (roles/gkehub.gatewayAdmin)

Connect Gateway Editor (roles/gkehub.gatewayEditor)

Connect Gateway Reader (roles/gkehub.gatewayReader)

Fleet Project-level Scope Editor (roles/gkehub.scopeEditorProjectLevel)

Fleet Project-level Scope Viewer (roles/gkehub.scopeViewerProjectLevel)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.memberships.getIamPolicy

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.memberships.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.memberships.setIamPolicy

Owner (roles/owner)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Security Admin (roles/iam.securityAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.memberships.update

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.namespaces.create

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Scope Admin (roles/gkehub.scopeAdmin)

Fleet Scope Editor (roles/gkehub.scopeEditor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.namespaces.delete

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Scope Admin (roles/gkehub.scopeAdmin)

Fleet Scope Editor (roles/gkehub.scopeEditor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.namespaces.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Scope Admin (roles/gkehub.scopeAdmin)

Fleet Scope Editor (roles/gkehub.scopeEditor)

Fleet Scope Viewer (roles/gkehub.scopeViewer)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.namespaces.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Scope Admin (roles/gkehub.scopeAdmin)

Fleet Scope Editor (roles/gkehub.scopeEditor)

Fleet Scope Viewer (roles/gkehub.scopeViewer)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.namespaces.update

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.operations.cancel

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.operations.delete

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.operations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Project-level Scope Editor (roles/gkehub.scopeEditorProjectLevel)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.operations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.rbacrolebindings.create

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Scope Admin (roles/gkehub.scopeAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.rbacrolebindings.delete

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Scope Admin (roles/gkehub.scopeAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.rbacrolebindings.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Scope Admin (roles/gkehub.scopeAdmin)

Fleet Scope Editor (roles/gkehub.scopeEditor)

Fleet Scope Viewer (roles/gkehub.scopeViewer)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.rbacrolebindings.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Scope Admin (roles/gkehub.scopeAdmin)

Fleet Scope Editor (roles/gkehub.scopeEditor)

Fleet Scope Viewer (roles/gkehub.scopeViewer)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.rbacrolebindings.update

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Scope Admin (roles/gkehub.scopeAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.scopes.create

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.scopes.delete

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.scopes.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Scope Admin (roles/gkehub.scopeAdmin)

Fleet Scope Editor (roles/gkehub.scopeEditor)

Fleet Scope Viewer (roles/gkehub.scopeViewer)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.scopes.getIamPolicy

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Scope Admin (roles/gkehub.scopeAdmin)

Fleet Scope Editor (roles/gkehub.scopeEditor)

Fleet Scope Viewer (roles/gkehub.scopeViewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.scopes.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.scopes.listBoundMemberships

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Fleet Scope Admin (roles/gkehub.scopeAdmin)

Fleet Scope Editor (roles/gkehub.scopeEditor)

Fleet Scope Viewer (roles/gkehub.scopeViewer)

Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

gkehub.scopes.setIamPolicy

Owner (roles/owner)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Scope Admin (roles/gkehub.scopeAdmin)

Security Admin (roles/iam.securityAdmin)

gkehub.scopes.update

Owner (roles/owner)

Editor (roles/editor)

Fleet Admin (formerly GKE Hub Admin) (roles/gkehub.admin)

Fleet Editor (formerly GKE Hub Editor) (roles/gkehub.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.