Identity-Aware Proxy roles and permissions

This page lists the IAM roles and permissions for Identity-Aware Proxy. Tosearch through all roles and permissions, see therole andpermission index.

Identity-Aware Proxy roles

Role Permissions

Role	Permissions
IAP Policy Admin (`roles/iap.admin`) Provides full access to Identity-Aware Proxy resources.	`iap.tunnel.` `iap.tunnel.getIamPolicy` `iap.tunnel.setIamPolicy` `iap.tunnelDestGroups.getIamPolicy` `iap.tunnelDestGroups.setIamPolicy` `iap.tunnelInstances.getIamPolicy` `iap.tunnelInstances.setIamPolicy` `iap.tunnelLocations.` `iap.tunnelLocations.getIamPolicy` `iap.tunnelLocations.setIamPolicy` `iap.tunnelZones.*` `iap.tunnelZones.getIamPolicy` `iap.tunnelZones.setIamPolicy` `iap.web.getIamPolicy` `iap.web.setIamPolicy` `iap.webServiceVersions.getIamPolicy` `iap.webServiceVersions.setIamPolicy` `iap.webServices.getIamPolicy` `iap.webServices.setIamPolicy` `iap.webTypes.getIamPolicy` `iap.webTypes.setIamPolicy`
IAP-secured Web App User (`roles/iap.httpsResourceAccessor`) Provides permission to access HTTPS resources which use Identity-Aware Proxy.	`iap.webServiceVersions.accessViaIAP`
IAP-secured Resource Remediator User^Beta (`roles/iap.remediatorUser`) Remediate IAP resource	`iap.tunnelDestGroups.remediate` `iap.tunnelinstances.remediate` `iap.webServiceVersions.remediate`
IAP Settings Admin (`roles/iap.settingsAdmin`) Administrator of IAP Settings.	`iap.projects.*` `iap.projects.getSettings` `iap.projects.updateSettings` `iap.web.getSettings` `iap.web.updateSettings` `iap.webServiceVersions.getSettings` `iap.webServiceVersions.updateSettings` `iap.webServices.getSettings` `iap.webServices.updateSettings` `iap.webTypes.getSettings` `iap.webTypes.updateSettings`
IAP-secured Tunnel Destination Group Editor (`roles/iap.tunnelDestGroupEditor`) Edit Tunnel Destination Group resources which use Identity-Aware Proxy	`iap.tunnelDestGroups.create` `iap.tunnelDestGroups.delete` `iap.tunnelDestGroups.get` `iap.tunnelDestGroups.list` `iap.tunnelDestGroups.update`
IAP-secured Tunnel Destination Group Viewer (`roles/iap.tunnelDestGroupViewer`) View Tunnel Destination Group resources which use Identity-Aware Proxy	`iap.tunnelDestGroups.get` `iap.tunnelDestGroups.list`
IAP-secured Tunnel User (`roles/iap.tunnelResourceAccessor`) Access Tunnel resources which use Identity-Aware Proxy	`iap.tunnelDestGroups.accessViaIAP` `iap.tunnelInstances.accessViaIAP`

IAP Policy Admin

(roles/iap.admin)

Provides full access to Identity-Aware Proxy resources.

iap.tunnel.*

iap.tunnel.getIamPolicy
iap.tunnel.setIamPolicy

iap.tunnelDestGroups.getIamPolicy

iap.tunnelDestGroups.setIamPolicy

iap.tunnelInstances.getIamPolicy

iap.tunnelInstances.setIamPolicy

iap.tunnelLocations.*

iap.tunnelLocations.getIamPolicy
iap.tunnelLocations.setIamPolicy

iap.tunnelZones.*

iap.tunnelZones.getIamPolicy
iap.tunnelZones.setIamPolicy

iap.web.getIamPolicy

iap.web.setIamPolicy

iap.webServiceVersions.getIamPolicy

iap.webServiceVersions.setIamPolicy

iap.webServices.getIamPolicy

iap.webServices.setIamPolicy

iap.webTypes.getIamPolicy

iap.webTypes.setIamPolicy

IAP-secured Web App User

(roles/iap.httpsResourceAccessor)

Provides permission to access HTTPS resources which use Identity-Aware Proxy.

iap.webServiceVersions.accessViaIAP

IAP-secured Resource Remediator User^Beta

(roles/iap.remediatorUser)

Remediate IAP resource

iap.tunnelDestGroups.remediate

iap.tunnelinstances.remediate

iap.webServiceVersions.remediate

IAP Settings Admin

(roles/iap.settingsAdmin)

Administrator of IAP Settings.

iap.projects.*

iap.projects.getSettings
iap.projects.updateSettings

iap.web.getSettings

iap.web.updateSettings

iap.webServiceVersions.getSettings

iap.webServiceVersions.updateSettings

iap.webServices.getSettings

iap.webServices.updateSettings

iap.webTypes.getSettings

iap.webTypes.updateSettings

IAP-secured Tunnel Destination Group Editor

(roles/iap.tunnelDestGroupEditor)

Edit Tunnel Destination Group resources which use Identity-Aware Proxy

iap.tunnelDestGroups.create

iap.tunnelDestGroups.delete

iap.tunnelDestGroups.get

iap.tunnelDestGroups.list

iap.tunnelDestGroups.update

IAP-secured Tunnel Destination Group Viewer

(roles/iap.tunnelDestGroupViewer)

View Tunnel Destination Group resources which use Identity-Aware Proxy

iap.tunnelDestGroups.get

iap.tunnelDestGroups.list

IAP-secured Tunnel User

(roles/iap.tunnelResourceAccessor)

Access Tunnel resources which use Identity-Aware Proxy

iap.tunnelDestGroups.accessViaIAP

iap.tunnelInstances.accessViaIAP

Identity-Aware Proxy permissions

Permission	Included in roles
`iap.projects.getSettings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.projects.updateSettings`	Owner (`roles/owner`) Editor (`roles/editor`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.tunnel.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnel.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelDestGroups.accessViaIAP`	Owner (`roles/owner`) IAP-secured Tunnel User (`roles/iap.tunnelResourceAccessor`)
`iap.tunnelDestGroups.create`	Owner (`roles/owner`) Editor (`roles/editor`) IAP-secured Tunnel Destination Group Editor (`roles/iap.tunnelDestGroupEditor`)
`iap.tunnelDestGroups.delete`	Owner (`roles/owner`) Editor (`roles/editor`) IAP-secured Tunnel Destination Group Editor (`roles/iap.tunnelDestGroupEditor`)
`iap.tunnelDestGroups.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) IAP-secured Tunnel Destination Group Editor (`roles/iap.tunnelDestGroupEditor`) IAP-secured Tunnel Destination Group Viewer (`roles/iap.tunnelDestGroupViewer`)
`iap.tunnelDestGroups.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelDestGroups.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) IAP-secured Tunnel Destination Group Editor (`roles/iap.tunnelDestGroupEditor`) IAP-secured Tunnel Destination Group Viewer (`roles/iap.tunnelDestGroupViewer`)
`iap.tunnelDestGroups.remediate`	Owner (`roles/owner`) IAP-secured Resource Remediator User (`roles/iap.remediatorUser`)
`iap.tunnelDestGroups.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelDestGroups.update`	Owner (`roles/owner`) Editor (`roles/editor`) IAP-secured Tunnel Destination Group Editor (`roles/iap.tunnelDestGroupEditor`)
`iap.tunnelInstances.accessViaIAP`	Owner (`roles/owner`) IAP-secured Tunnel User (`roles/iap.tunnelResourceAccessor`)
`iap.tunnelInstances.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelInstances.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelLocations.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelLocations.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelZones.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelZones.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelinstances.remediate`	Owner (`roles/owner`) IAP-secured Resource Remediator User (`roles/iap.remediatorUser`)
`iap.web.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.web.getSettings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.web.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.web.updateSettings`	Owner (`roles/owner`) Editor (`roles/editor`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.webServiceVersions.accessViaIAP`	IAP-secured Web App User (`roles/iap.httpsResourceAccessor`)
`iap.webServiceVersions.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.webServiceVersions.getSettings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.webServiceVersions.remediate`	Owner (`roles/owner`) IAP-secured Resource Remediator User (`roles/iap.remediatorUser`)
`iap.webServiceVersions.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.webServiceVersions.updateSettings`	Owner (`roles/owner`) Editor (`roles/editor`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.webServices.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.webServices.getSettings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.webServices.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.webServices.updateSettings`	Owner (`roles/owner`) Editor (`roles/editor`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.webTypes.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.webTypes.getSettings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.webTypes.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.webTypes.updateSettings`	Owner (`roles/owner`) Editor (`roles/editor`) IAP Settings Admin (`roles/iap.settingsAdmin`)

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.

Movatterモバイル変換

Identity-Aware Proxy roles and permissions Stay organized with collections Save and categorize content based on your preferences.