Pub/Sub roles and permissions

This page lists the IAM roles and permissions for Pub/Sub. Tosearch through all roles and permissions, see therole andpermission index.

Pub/Sub roles

Role Permissions

Role	Permissions
Pub/Sub Admin (`roles/pubsub.admin`) Provides full access to topics and subscriptions. Lowest-level resources where you can grant this role: Schema Snapshot Subscription Topic	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `pubsub.` `pubsub.messageTransforms.validate` `pubsub.schemas.attach` `pubsub.schemas.commit` `pubsub.schemas.create` `pubsub.schemas.delete` `pubsub.schemas.get` `pubsub.schemas.getIamPolicy` `pubsub.schemas.list` `pubsub.schemas.listRevisions` `pubsub.schemas.rollback` `pubsub.schemas.setIamPolicy` `pubsub.schemas.validate` `pubsub.snapshots.create` `pubsub.snapshots.createTagBinding` `pubsub.snapshots.delete` `pubsub.snapshots.deleteTagBinding` `pubsub.snapshots.get` `pubsub.snapshots.getIamPolicy` `pubsub.snapshots.list` `pubsub.snapshots.listEffectiveTags` `pubsub.snapshots.listTagBindings` `pubsub.snapshots.seek` `pubsub.snapshots.setIamPolicy` `pubsub.snapshots.update` `pubsub.subscriptions.consume` `pubsub.subscriptions.create` `pubsub.subscriptions.createTagBinding` `pubsub.subscriptions.delete` `pubsub.subscriptions.deleteTagBinding` `pubsub.subscriptions.get` `pubsub.subscriptions.getIamPolicy` `pubsub.subscriptions.list` `pubsub.subscriptions.listEffectiveTags` `pubsub.subscriptions.listTagBindings` `pubsub.subscriptions.setIamPolicy` `pubsub.subscriptions.update` `pubsub.topics.attachSubscription` `pubsub.topics.create` `pubsub.topics.createTagBinding` `pubsub.topics.delete` `pubsub.topics.deleteTagBinding` `pubsub.topics.detachSubscription` `pubsub.topics.get` `pubsub.topics.getIamPolicy` `pubsub.topics.list` `pubsub.topics.listEffectiveTags` `pubsub.topics.listTagBindings` `pubsub.topics.publish` `pubsub.topics.setIamPolicy` `pubsub.topics.update` `pubsub.topics.updateTag` `resourcemanager.projects.get` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.effectivepolicy.get` `serviceusage.groups.*` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.values.test`
Pub/Sub Editor (`roles/pubsub.editor`) Provides access to modify topics and subscriptions, and access to publishand consume messages. Lowest-level resources where you can grant this role: Schema Snapshot Subscription Topic	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `pubsub.messageTransforms.validate` `pubsub.schemas.attach` `pubsub.schemas.commit` `pubsub.schemas.create` `pubsub.schemas.delete` `pubsub.schemas.get` `pubsub.schemas.list` `pubsub.schemas.listRevisions` `pubsub.schemas.rollback` `pubsub.schemas.validate` `pubsub.snapshots.create` `pubsub.snapshots.createTagBinding` `pubsub.snapshots.delete` `pubsub.snapshots.deleteTagBinding` `pubsub.snapshots.get` `pubsub.snapshots.list` `pubsub.snapshots.listEffectiveTags` `pubsub.snapshots.listTagBindings` `pubsub.snapshots.seek` `pubsub.snapshots.update` `pubsub.subscriptions.consume` `pubsub.subscriptions.create` `pubsub.subscriptions.createTagBinding` `pubsub.subscriptions.delete` `pubsub.subscriptions.deleteTagBinding` `pubsub.subscriptions.get` `pubsub.subscriptions.list` `pubsub.subscriptions.listEffectiveTags` `pubsub.subscriptions.listTagBindings` `pubsub.subscriptions.update` `pubsub.topics.attachSubscription` `pubsub.topics.create` `pubsub.topics.createTagBinding` `pubsub.topics.delete` `pubsub.topics.deleteTagBinding` `pubsub.topics.detachSubscription` `pubsub.topics.get` `pubsub.topics.list` `pubsub.topics.listEffectiveTags` `pubsub.topics.listTagBindings` `pubsub.topics.publish` `pubsub.topics.update` `pubsub.topics.updateTag` `resourcemanager.projects.get` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.effectivepolicy.get` `serviceusage.groups.` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.values.test`
Pub/Sub Publisher (`roles/pubsub.publisher`) Provides access to publish messages to a topic. Lowest-level resources where you can grant this role: Topic	`pubsub.topics.publish`
Cloud Pub/Sub Service Agent (`roles/pubsub.serviceAgent`) Grants Cloud Pub/Sub Service Account access to manage resources. Warning: Do not grant service agent roles to any principals except service agents.	`iam.serviceAccounts.get` `iam.serviceAccounts.getAccessToken` `iam.serviceAccounts.getOpenIdToken` `iam.serviceAccounts.implicitDelegation` `iam.serviceAccounts.list` `iam.serviceAccounts.signBlob` `iam.serviceAccounts.signJwt` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.use`
Pub/Sub Subscriber (`roles/pubsub.subscriber`) Provides access to consume messages from a subscription and to attachsubscriptions to a topic. Lowest-level resources where you can grant this role: Snapshot Subscription Topic	`pubsub.snapshots.seek` `pubsub.subscriptions.consume` `pubsub.topics.attachSubscription`
Pub/Sub Viewer (`roles/pubsub.viewer`) Provides access to view topics and subscriptions. Lowest-level resources where you can grant this role: Schema Snapshot Subscription Topic	`pubsub.messageTransforms.validate` `pubsub.schemas.get` `pubsub.schemas.list` `pubsub.schemas.listRevisions` `pubsub.schemas.validate` `pubsub.snapshots.get` `pubsub.snapshots.list` `pubsub.snapshots.listEffectiveTags` `pubsub.snapshots.listTagBindings` `pubsub.subscriptions.get` `pubsub.subscriptions.list` `pubsub.subscriptions.listEffectiveTags` `pubsub.subscriptions.listTagBindings` `pubsub.topics.get` `pubsub.topics.list` `pubsub.topics.listEffectiveTags` `pubsub.topics.listTagBindings` `resourcemanager.projects.get` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.effectivepolicy.get` `serviceusage.groups.*` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.values.test`

Pub/Sub Admin

(roles/pubsub.admin)

Provides full access to topics and subscriptions.

Lowest-level resources where you can grant this role:

Schema
Snapshot
Subscription
Topic

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

pubsub.*

pubsub.messageTransforms.validate
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.getIamPolicy
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.setIamPolicy
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.createTagBinding
pubsub.snapshots.delete
pubsub.snapshots.deleteTagBinding
pubsub.snapshots.get
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.snapshots.listEffectiveTags
pubsub.snapshots.listTagBindings
pubsub.snapshots.seek
pubsub.snapshots.setIamPolicy
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.createTagBinding
pubsub.subscriptions.delete
pubsub.subscriptions.deleteTagBinding
pubsub.subscriptions.get
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.subscriptions.listEffectiveTags
pubsub.subscriptions.listTagBindings
pubsub.subscriptions.setIamPolicy
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.createTagBinding
pubsub.topics.delete
pubsub.topics.deleteTagBinding
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.listEffectiveTags
pubsub.topics.listTagBindings
pubsub.topics.publish
pubsub.topics.setIamPolicy
pubsub.topics.update
pubsub.topics.updateTag

resourcemanager.projects.get

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.values.test

Pub/Sub Editor

(roles/pubsub.editor)

Provides access to modify topics and subscriptions, and access to publishand consume messages.

Lowest-level resources where you can grant this role:

Schema
Snapshot
Subscription
Topic

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

pubsub.messageTransforms.validate

pubsub.schemas.attach

pubsub.schemas.commit

pubsub.schemas.create

pubsub.schemas.delete

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.rollback

pubsub.schemas.validate

pubsub.snapshots.create

pubsub.snapshots.createTagBinding

pubsub.snapshots.delete

pubsub.snapshots.deleteTagBinding

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.snapshots.listEffectiveTags

pubsub.snapshots.listTagBindings

pubsub.snapshots.seek

pubsub.snapshots.update

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.createTagBinding

pubsub.subscriptions.delete

pubsub.subscriptions.deleteTagBinding

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.listEffectiveTags

pubsub.subscriptions.listTagBindings

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.createTagBinding

pubsub.topics.delete

pubsub.topics.deleteTagBinding

pubsub.topics.detachSubscription

pubsub.topics.get

pubsub.topics.list

pubsub.topics.listEffectiveTags

pubsub.topics.listTagBindings

pubsub.topics.publish

pubsub.topics.update

pubsub.topics.updateTag

resourcemanager.projects.get

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.values.test

Pub/Sub Publisher

(roles/pubsub.publisher)

Provides access to publish messages to a topic.

Lowest-level resources where you can grant this role:

Topic

pubsub.topics.publish

Cloud Pub/Sub Service Agent

(roles/pubsub.serviceAgent)

Grants Cloud Pub/Sub Service Account access to manage resources.

Warning: Do not grant service agent roles to any principals except service agents.

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.implicitDelegation

iam.serviceAccounts.list

iam.serviceAccounts.signBlob

iam.serviceAccounts.signJwt

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

Pub/Sub Subscriber

(roles/pubsub.subscriber)

Provides access to consume messages from a subscription and to attachsubscriptions to a topic.

Lowest-level resources where you can grant this role:

Snapshot
Subscription
Topic

pubsub.snapshots.seek

pubsub.subscriptions.consume

pubsub.topics.attachSubscription

Pub/Sub Viewer

(roles/pubsub.viewer)

Provides access to view topics and subscriptions.

Lowest-level resources where you can grant this role:

Schema
Snapshot
Subscription
Topic

pubsub.messageTransforms.validate

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.snapshots.listEffectiveTags

pubsub.snapshots.listTagBindings

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.listEffectiveTags

pubsub.subscriptions.listTagBindings

pubsub.topics.get

pubsub.topics.list

pubsub.topics.listEffectiveTags

pubsub.topics.listTagBindings

resourcemanager.projects.get

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.values.test

Pub/Sub permissions

Permission	Included in roles
`pubsub.messageTransforms.validate`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.attach`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`pubsub.schemas.commit`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.create`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.listRevisions`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.rollback`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Pub/Sub Admin (`roles/pubsub.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.validate`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.create`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.createTagBinding`	Owner (`roles/owner`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Tag User (`roles/resourcemanager.tagUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`pubsub.snapshots.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.deleteTagBinding`	Owner (`roles/owner`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Tag User (`roles/resourcemanager.tagUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`pubsub.snapshots.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.seek`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Composer Worker (`roles/composer.worker`) Data Scientist (`roles/iam.dataScientist`) Dev Ops (`roles/iam.devOps`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Subscriber (`roles/pubsub.subscriber`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Healthcare Service Agent (`roles/healthcare.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Pub/Sub Admin (`roles/pubsub.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.update`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.subscriptions.consume`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Data Scientist (`roles/iam.dataScientist`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Subscriber (`roles/pubsub.subscriber`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Healthcare Service Agent (`roles/healthcare.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Data Plane Service Agent (`roles/kuberun.eventsDataPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`)
`pubsub.subscriptions.create`	Owner (`roles/owner`) Editor (`roles/editor`) Assured OSS Admin (`roles/assuredoss.admin`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Security Center Admin (`roles/securitycenter.admin`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`pubsub.subscriptions.createTagBinding`	Owner (`roles/owner`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Tag User (`roles/resourcemanager.tagUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`pubsub.subscriptions.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`pubsub.subscriptions.deleteTagBinding`	Owner (`roles/owner`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Tag User (`roles/resourcemanager.tagUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`pubsub.subscriptions.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) KubeRun Events Data Plane Service Agent (`roles/kuberun.eventsDataPlaneServiceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`pubsub.subscriptions.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`)
`pubsub.subscriptions.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`)
`pubsub.subscriptions.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`)
`pubsub.subscriptions.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`)
`pubsub.subscriptions.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Pub/Sub Admin (`roles/pubsub.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`)
`pubsub.subscriptions.update`	Owner (`roles/owner`) Editor (`roles/editor`) Assured OSS Admin (`roles/assuredoss.admin`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Security Center Admin (`roles/securitycenter.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`pubsub.topics.attachSubscription`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Data Scientist (`roles/iam.dataScientist`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Subscriber (`roles/pubsub.subscriber`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Healthcare Service Agent (`roles/healthcare.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`pubsub.topics.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`pubsub.topics.createTagBinding`	Owner (`roles/owner`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Tag User (`roles/resourcemanager.tagUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`pubsub.topics.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`pubsub.topics.deleteTagBinding`	Owner (`roles/owner`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Tag User (`roles/resourcemanager.tagUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`pubsub.topics.detachSubscription`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.topics.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Data Catalog Admin (`roles/datacatalog.admin`) Data Catalog Viewer (`roles/datacatalog.viewer`) Firebase Rules System (`roles/firebaserules.system`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) KubeRun Events Data Plane Service Agent (`roles/kuberun.eventsDataPlaneServiceAgent`) Media Asset Service Agent (`roles/mediaasset.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`pubsub.topics.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`pubsub.topics.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Firebase Rules System (`roles/firebaserules.system`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`)
`pubsub.topics.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.topics.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.topics.publish`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Composer Worker (`roles/composer.worker`) Firebase Rules System (`roles/firebaserules.system`) Data Scientist (`roles/iam.dataScientist`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Publisher (`roles/pubsub.publisher`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Google Batch Service Agent (`roles/batch.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud IoT Core Service Agent (`roles/cloudiot.serviceAgent`) Cloud Scheduler Service Agent (`roles/cloudscheduler.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Container Registry Service Agent (`roles/containerregistry.ServiceAgent`) Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Firebase Realtime Database Service Agent (`roles/firebasedatabase.serviceAgent`) Genomics Service Agent (`roles/genomics.serviceAgent`) Healthcare Service Agent (`roles/healthcare.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Data Plane Service Agent (`roles/kuberun.eventsDataPlaneServiceAgent`) Cloud Life Sciences Service Agent (`roles/lifesciences.serviceAgent`) Media Asset Service Agent (`roles/mediaasset.serviceAgent`) Pub/Sub Lite Service Agent (`roles/pubsublite.serviceAgent`) Security Center Notification Service Agent (`roles/securitycenter.notificationServiceAgent`) Google Cloud Security Response Service Agent (`roles/securitycenter.securityResponseServiceAgent`) Cloud Source Repositories Service Agent (`roles/sourcerepo.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Transcoder Service Agent (`roles/transcoder.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Artifact Registry Service Agent (`roles/artifactregistry.serviceAgent`)
`pubsub.topics.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Pub/Sub Admin (`roles/pubsub.admin`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.topics.update`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`pubsub.topics.updateTag`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Data Catalog Admin (`roles/datacatalog.admin`) Data Catalog Tag Editor (`roles/datacatalog.tagEditor`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.

Movatterモバイル変換

Pub/Sub roles and permissions Stay organized with collections Save and categorize content based on your preferences.

Pub/Sub roles

Pub/Sub Admin

Pub/Sub Editor

Pub/Sub Publisher

Cloud Pub/Sub Service Agent

Pub/Sub Subscriber

Pub/Sub Viewer

Pub/Sub permissions

pubsub.messageTransforms.validate

pubsub.schemas.attach

pubsub.schemas.commit

pubsub.schemas.create

pubsub.schemas.delete

pubsub.schemas.get

pubsub.schemas.getIamPolicy

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.rollback

pubsub.schemas.setIamPolicy

pubsub.schemas.validate

pubsub.snapshots.create

pubsub.snapshots.createTagBinding

pubsub.snapshots.delete

pubsub.snapshots.deleteTagBinding

pubsub.snapshots.get

pubsub.snapshots.getIamPolicy

pubsub.snapshots.list

pubsub.snapshots.listEffectiveTags

pubsub.snapshots.listTagBindings

pubsub.snapshots.seek

pubsub.snapshots.setIamPolicy

pubsub.snapshots.update

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.createTagBinding

pubsub.subscriptions.delete

pubsub.subscriptions.deleteTagBinding

pubsub.subscriptions.get

pubsub.subscriptions.getIamPolicy

pubsub.subscriptions.list

pubsub.subscriptions.listEffectiveTags

pubsub.subscriptions.listTagBindings

pubsub.subscriptions.setIamPolicy

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.createTagBinding

pubsub.topics.delete

pubsub.topics.deleteTagBinding

pubsub.topics.detachSubscription

pubsub.topics.get

pubsub.topics.getIamPolicy

pubsub.topics.list

pubsub.topics.listEffectiveTags

pubsub.topics.listTagBindings

pubsub.topics.publish

pubsub.topics.setIamPolicy

pubsub.topics.update

pubsub.topics.updateTag

Pub/Sub roles and permissions

`pubsub.messageTransforms.validate`

`pubsub.schemas.attach`

`pubsub.schemas.commit`

`pubsub.schemas.create`

`pubsub.schemas.delete`

`pubsub.schemas.get`

`pubsub.schemas.getIamPolicy`

`pubsub.schemas.list`

`pubsub.schemas.listRevisions`

`pubsub.schemas.rollback`

`pubsub.schemas.setIamPolicy`

`pubsub.schemas.validate`

`pubsub.snapshots.create`

`pubsub.snapshots.createTagBinding`

`pubsub.snapshots.delete`

`pubsub.snapshots.deleteTagBinding`

`pubsub.snapshots.get`

`pubsub.snapshots.getIamPolicy`

`pubsub.snapshots.list`

`pubsub.snapshots.listEffectiveTags`

`pubsub.snapshots.listTagBindings`

`pubsub.snapshots.seek`

`pubsub.snapshots.setIamPolicy`

`pubsub.snapshots.update`

`pubsub.subscriptions.consume`

`pubsub.subscriptions.create`

`pubsub.subscriptions.createTagBinding`

`pubsub.subscriptions.delete`

`pubsub.subscriptions.deleteTagBinding`

`pubsub.subscriptions.get`

`pubsub.subscriptions.getIamPolicy`

`pubsub.subscriptions.list`

`pubsub.subscriptions.listEffectiveTags`

`pubsub.subscriptions.listTagBindings`

`pubsub.subscriptions.setIamPolicy`

`pubsub.subscriptions.update`

`pubsub.topics.attachSubscription`

`pubsub.topics.create`

`pubsub.topics.createTagBinding`

`pubsub.topics.delete`

`pubsub.topics.deleteTagBinding`

`pubsub.topics.detachSubscription`

`pubsub.topics.get`

`pubsub.topics.getIamPolicy`

`pubsub.topics.list`

`pubsub.topics.listEffectiveTags`

`pubsub.topics.listTagBindings`

`pubsub.topics.publish`

`pubsub.topics.setIamPolicy`

`pubsub.topics.update`

`pubsub.topics.updateTag`