Workflows roles and permissions

This page lists the IAM roles and permissions for Workflows. Tosearch through all roles and permissions, see therole andpermission index.

Workflows roles

RolePermissions

Workflows Admin

(roles/workflows.admin)

Full access to workflows and related resources.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get

resourcemanager.projects.list

workflows.*

  • workflows.callbacks.list
  • workflows.callbacks.send
  • workflows.executions.cancel
  • workflows.executions.create
  • workflows.executions.get
  • workflows.executions.list
  • workflows.locations.get
  • workflows.locations.list
  • workflows.operations.cancel
  • workflows.operations.get
  • workflows.operations.list
  • workflows.stepEntries.get
  • workflows.stepEntries.list
  • workflows.workflows.create
  • workflows.workflows.createTagBinding
  • workflows.workflows.delete
  • workflows.workflows.deleteTagBinding
  • workflows.workflows.get
  • workflows.workflows.list
  • workflows.workflows.listEffectiveTags
  • workflows.workflows.listRevision
  • workflows.workflows.listTagBindings
  • workflows.workflows.update

Workflows Editor

(roles/workflows.editor)

Read and write access to workflows and related resources, including development and debugging of workflows.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get

resourcemanager.projects.list

workflows.*

  • workflows.callbacks.list
  • workflows.callbacks.send
  • workflows.executions.cancel
  • workflows.executions.create
  • workflows.executions.get
  • workflows.executions.list
  • workflows.locations.get
  • workflows.locations.list
  • workflows.operations.cancel
  • workflows.operations.get
  • workflows.operations.list
  • workflows.stepEntries.get
  • workflows.stepEntries.list
  • workflows.workflows.create
  • workflows.workflows.createTagBinding
  • workflows.workflows.delete
  • workflows.workflows.deleteTagBinding
  • workflows.workflows.get
  • workflows.workflows.list
  • workflows.workflows.listEffectiveTags
  • workflows.workflows.listRevision
  • workflows.workflows.listTagBindings
  • workflows.workflows.update

Workflows Invoker

(roles/workflows.invoker)

Access to execute workflows and manage the executions using the API. Does not provide access to develop and debug workflows.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get

resourcemanager.projects.list

workflows.callbacks.*

  • workflows.callbacks.list
  • workflows.callbacks.send

workflows.executions.*

  • workflows.executions.cancel
  • workflows.executions.create
  • workflows.executions.get
  • workflows.executions.list

workflows.stepEntries.*

  • workflows.stepEntries.get
  • workflows.stepEntries.list

Cloud Workflows Service Agent

(roles/workflows.serviceAgent)

Gives Cloud Workflows service account access to managed resources.

Warning: Do not grant service agent roles to any principals exceptservice agents.

container.clusters.connect

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

serviceusage.services.use

Workflows Viewer

(roles/workflows.viewer)

Read-only access to workflows and related resources.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get

resourcemanager.projects.list

workflows.callbacks.list

workflows.executions.get

workflows.executions.list

workflows.locations.*

  • workflows.locations.get
  • workflows.locations.list

workflows.operations.get

workflows.operations.list

workflows.stepEntries.*

  • workflows.stepEntries.get
  • workflows.stepEntries.list

workflows.workflows.get

workflows.workflows.list

workflows.workflows.listEffectiveTags

workflows.workflows.listRevision

workflows.workflows.listTagBindings

Workflows permissions

PermissionIncluded in roles

workflows.callbacks.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Workflows Invoker (roles/workflows.invoker)

Workflows Viewer (roles/workflows.viewer)

workflows.callbacks.send

Owner (roles/owner)

Editor (roles/editor)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Workflows Invoker (roles/workflows.invoker)

workflows.executions.cancel

Owner (roles/owner)

Editor (roles/editor)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Workflows Invoker (roles/workflows.invoker)

workflows.executions.create

Owner (roles/owner)

Editor (roles/editor)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Workflows Invoker (roles/workflows.invoker)

workflows.executions.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Workflows Invoker (roles/workflows.invoker)

Workflows Viewer (roles/workflows.viewer)

workflows.executions.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Workflows Invoker (roles/workflows.invoker)

Workflows Viewer (roles/workflows.viewer)

workflows.locations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Workflows Viewer (roles/workflows.viewer)

workflows.locations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Workflows Viewer (roles/workflows.viewer)

workflows.operations.cancel

Owner (roles/owner)

Editor (roles/editor)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

workflows.operations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Workflows Viewer (roles/workflows.viewer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

workflows.operations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Workflows Viewer (roles/workflows.viewer)

workflows.stepEntries.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Workflows Invoker (roles/workflows.invoker)

Workflows Viewer (roles/workflows.viewer)

workflows.stepEntries.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Workflows Invoker (roles/workflows.invoker)

Workflows Viewer (roles/workflows.viewer)

workflows.workflows.create

Owner (roles/owner)

Editor (roles/editor)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

workflows.workflows.createTagBinding

Owner (roles/owner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Tag User (roles/resourcemanager.tagUser)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

workflows.workflows.delete

Owner (roles/owner)

Editor (roles/editor)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

workflows.workflows.deleteTagBinding

Owner (roles/owner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Tag User (roles/resourcemanager.tagUser)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

workflows.workflows.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Workflows Viewer (roles/workflows.viewer)

Service agent roles

Warning: Don't grant service agent roles to any principals exceptservice agents.

workflows.workflows.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Workflows Viewer (roles/workflows.viewer)

workflows.workflows.listEffectiveTags

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Workflows Viewer (roles/workflows.viewer)

workflows.workflows.listRevision

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Workflows Viewer (roles/workflows.viewer)

workflows.workflows.listTagBindings

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Workflows Viewer (roles/workflows.viewer)

workflows.workflows.update

Owner (roles/owner)

Editor (roles/editor)

Workflows Admin (roles/workflows.admin)

Workflows Editor (roles/workflows.editor)

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.