Cloud Workstations roles and permissions

This page lists the IAM roles and permissions for Cloud Workstations. Tosearch through all roles and permissions, see therole andpermission index.

Cloud Workstations roles

Role Permissions

Role	Permissions
Cloud Workstations Admin (`roles/workstations.admin`) Grants CRUD access to all Workstation resources.	`compute.acceleratorTypes.` `compute.acceleratorTypes.get` `compute.acceleratorTypes.list` `compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.networks.get` `compute.networks.list` `compute.subnetworks.get` `compute.subnetworks.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `workstations.operations.` `workstations.operations.get` `workstations.operations.list` `workstations.workstationClusters.` `workstations.workstationClusters.create` `workstations.workstationClusters.createTagBinding` `workstations.workstationClusters.delete` `workstations.workstationClusters.deleteTagBinding` `workstations.workstationClusters.get` `workstations.workstationClusters.list` `workstations.workstationClusters.listEffectiveTags` `workstations.workstationClusters.listTagBindings` `workstations.workstationClusters.update` `workstations.workstationConfigs.` `workstations.workstationConfigs.create` `workstations.workstationConfigs.delete` `workstations.workstationConfigs.get` `workstations.workstationConfigs.getIamPolicy` `workstations.workstationConfigs.list` `workstations.workstationConfigs.setIamPolicy` `workstations.workstationConfigs.update` `workstations.workstations.create` `workstations.workstations.delete` `workstations.workstations.get` `workstations.workstations.getIamPolicy` `workstations.workstations.list` `workstations.workstations.setIamPolicy` `workstations.workstations.start` `workstations.workstations.stop` `workstations.workstations.update`
Cloud Workstations Network Admin (`roles/workstations.networkAdmin`) Grants ability to connect a Workstation Cluster to a shared VPC network.	`compute.addresses.create` `compute.addresses.createInternal` `compute.addresses.delete` `compute.addresses.deleteInternal` `compute.addresses.get` `compute.addresses.use` `compute.forwardingRules.create` `compute.forwardingRules.delete` `compute.forwardingRules.get` `compute.forwardingRules.pscCreate` `compute.forwardingRules.pscDelete` `compute.globalOperations.get` `compute.networks.get` `compute.networks.updatePolicy` `compute.networks.use` `compute.networks.useExternalIp` `compute.regionOperations.get` `compute.subnetworks.get` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `compute.zoneOperations.get` `servicedirectory.namespaces.create` `servicedirectory.namespaces.delete` `servicedirectory.services.create` `servicedirectory.services.delete`
Cloud Workstations Operation Viewer (`roles/workstations.operationViewer`) Grants ability to view Cloud Workstations API operations.	`workstations.operations.get`
Cloud Workstations Policy Admin (`roles/workstations.policyAdmin`) Grants permission to set IAM policy on workstation.	`workstations.workstations.getIamPolicy` `workstations.workstations.setIamPolicy`
Workstations Service Agent (`roles/workstations.serviceAgent`) Grants the Workstations Service Account access to manage resources in consumer project. Warning: Do not grant service agent roles to any principals except service agents.	`compute.addresses.create` `compute.addresses.createInternal` `compute.addresses.delete` `compute.addresses.deleteInternal` `compute.addresses.get` `compute.addresses.use` `compute.disks.create` `compute.disks.createSnapshot` `compute.disks.createTagBinding` `compute.disks.delete` `compute.disks.deleteTagBinding` `compute.disks.get` `compute.disks.list` `compute.disks.resize` `compute.disks.setLabels` `compute.disks.use` `compute.disks.useReadOnly` `compute.firewalls.create` `compute.firewalls.delete` `compute.firewalls.get` `compute.firewalls.update` `compute.forwardingRules.create` `compute.forwardingRules.delete` `compute.forwardingRules.get` `compute.forwardingRules.pscCreate` `compute.forwardingRules.pscDelete` `compute.globalOperations.get` `compute.instances.attachDisk` `compute.instances.create` `compute.instances.createTagBinding` `compute.instances.delete` `compute.instances.deleteTagBinding` `compute.instances.detachDisk` `compute.instances.get` `compute.instances.getGuestAttributes` `compute.instances.getSerialPortOutput` `compute.instances.setLabels` `compute.instances.setMetadata` `compute.instances.setServiceAccount` `compute.instances.setTags` `compute.networks.addPeering` `compute.networks.get` `compute.networks.removePeering` `compute.networks.updatePolicy` `compute.networks.use` `compute.networks.useExternalIp` `compute.regionOperations.get` `compute.regions.get` `compute.reservations.get` `compute.snapshots.create` `compute.snapshots.createTagBinding` `compute.snapshots.delete` `compute.snapshots.deleteTagBinding` `compute.snapshots.get` `compute.snapshots.listTagBindings` `compute.snapshots.setLabels` `compute.snapshots.useReadOnly` `compute.subnetworks.get` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `compute.zoneOperations.get` `dns.networks.bindPrivateDNSZone` `dns.networks.targetWithPeeringZone` `iam.serviceAccounts.actAs` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `resourcemanager.tagValueBindings.*` `resourcemanager.tagValueBindings.create` `resourcemanager.tagValueBindings.delete` `servicedirectory.namespaces.create` `servicedirectory.namespaces.delete` `servicedirectory.services.create` `servicedirectory.services.delete` `serviceusage.services.get`
Cloud Workstations User (`roles/workstations.user`) Grants runtime access to Workstation resources.	`workstations.operations.*` `workstations.operations.get` `workstations.operations.list` `workstations.workstations.delete` `workstations.workstations.get` `workstations.workstations.start` `workstations.workstations.stop` `workstations.workstations.update` `workstations.workstations.use`
Cloud Workstations Creator (`roles/workstations.workstationCreator`) Grants ability to create Workstation resources.	`resourcemanager.projects.get` `resourcemanager.projects.list` `workstations.operations.*` `workstations.operations.get` `workstations.operations.list` `workstations.workstationClusters.get` `workstations.workstationClusters.list` `workstations.workstationConfigs.get` `workstations.workstations.create`
Cloud Workstations Limit Exempted Creator (`roles/workstations.workstationLimitExemptedCreator`) Grants ability to create workstations with exemption from max_usable_workstations Limit.	`resourcemanager.projects.get` `resourcemanager.projects.list` `workstations.operations.*` `workstations.operations.get` `workstations.operations.list` `workstations.workstationConfigs.get` `workstations.workstations.create`

Cloud Workstations Admin

(roles/workstations.admin)

Grants CRUD access to all Workstation resources.

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.get

compute.networks.list

compute.subnetworks.get

compute.subnetworks.list

compute.zones.*

compute.zones.get
compute.zones.list

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

workstations.operations.*

workstations.operations.get
workstations.operations.list

workstations.workstationClusters.*

workstations.workstationClusters.create
workstations.workstationClusters.createTagBinding
workstations.workstationClusters.delete
workstations.workstationClusters.deleteTagBinding
workstations.workstationClusters.get
workstations.workstationClusters.list
workstations.workstationClusters.listEffectiveTags
workstations.workstationClusters.listTagBindings
workstations.workstationClusters.update

workstations.workstationConfigs.*

workstations.workstationConfigs.create
workstations.workstationConfigs.delete
workstations.workstationConfigs.get
workstations.workstationConfigs.getIamPolicy
workstations.workstationConfigs.list
workstations.workstationConfigs.setIamPolicy
workstations.workstationConfigs.update

workstations.workstations.create

workstations.workstations.delete

workstations.workstations.get

workstations.workstations.getIamPolicy

workstations.workstations.list

workstations.workstations.setIamPolicy

workstations.workstations.start

workstations.workstations.stop

workstations.workstations.update

Cloud Workstations Network Admin

(roles/workstations.networkAdmin)

Grants ability to connect a Workstation Cluster to a shared VPC network.

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.use

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.globalOperations.get

compute.networks.get

compute.networks.updatePolicy

compute.networks.use

compute.networks.useExternalIp

compute.regionOperations.get

compute.subnetworks.get

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

Cloud Workstations Operation Viewer

(roles/workstations.operationViewer)

Grants ability to view Cloud Workstations API operations.

workstations.operations.get

Cloud Workstations Policy Admin

(roles/workstations.policyAdmin)

Grants permission to set IAM policy on workstation.

workstations.workstations.getIamPolicy

workstations.workstations.setIamPolicy

Workstations Service Agent

(roles/workstations.serviceAgent)

Grants the Workstations Service Account access to manage resources in consumer project.

Warning: Do not grant service agent roles to any principals except service agents.

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.use

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.delete

compute.disks.deleteTagBinding

compute.disks.get

compute.disks.list

compute.disks.resize

compute.disks.setLabels

compute.disks.use

compute.disks.useReadOnly

compute.firewalls.create

compute.firewalls.delete

compute.firewalls.get

compute.firewalls.update

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.globalOperations.get

compute.instances.attachDisk

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.deleteTagBinding

compute.instances.detachDisk

compute.instances.get

compute.instances.getGuestAttributes

compute.instances.getSerialPortOutput

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.networks.addPeering

compute.networks.get

compute.networks.removePeering

compute.networks.updatePolicy

compute.networks.use

compute.networks.useExternalIp

compute.regionOperations.get

compute.regions.get

compute.reservations.get

compute.snapshots.create

compute.snapshots.createTagBinding

compute.snapshots.delete

compute.snapshots.deleteTagBinding

compute.snapshots.get

compute.snapshots.listTagBindings

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.get

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

dns.networks.bindPrivateDNSZone

dns.networks.targetWithPeeringZone

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.tagValueBindings.*

resourcemanager.tagValueBindings.create
resourcemanager.tagValueBindings.delete

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

serviceusage.services.get

Cloud Workstations User

(roles/workstations.user)

Grants runtime access to Workstation resources.

workstations.operations.*

workstations.operations.get
workstations.operations.list

workstations.workstations.delete

workstations.workstations.get

workstations.workstations.start

workstations.workstations.stop

workstations.workstations.update

workstations.workstations.use

Cloud Workstations Creator

(roles/workstations.workstationCreator)

Grants ability to create Workstation resources.

resourcemanager.projects.get

resourcemanager.projects.list

workstations.operations.*

workstations.operations.get
workstations.operations.list

workstations.workstationClusters.get

workstations.workstationClusters.list

workstations.workstationConfigs.get

workstations.workstations.create

Cloud Workstations Limit Exempted Creator

(roles/workstations.workstationLimitExemptedCreator)

Grants ability to create workstations with exemption from max_usable_workstations Limit.

resourcemanager.projects.get

resourcemanager.projects.list

workstations.operations.*

workstations.operations.get
workstations.operations.list

workstations.workstationConfigs.get

workstations.workstations.create

Cloud Workstations permissions

Permission	Included in roles
`workstations.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) Cloud Workstations Admin (`roles/workstations.admin`) Cloud Workstations Operation Viewer (`roles/workstations.operationViewer`) Cloud Workstations User (`roles/workstations.user`) Cloud Workstations Creator (`roles/workstations.workstationCreator`) Cloud Workstations Limit Exempted Creator (`roles/workstations.workstationLimitExemptedCreator`)
`workstations.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Cloud Workstations Admin (`roles/workstations.admin`) Cloud Workstations User (`roles/workstations.user`) Cloud Workstations Creator (`roles/workstations.workstationCreator`) Cloud Workstations Limit Exempted Creator (`roles/workstations.workstationLimitExemptedCreator`)
`workstations.workstationClusters.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Workstations Admin (`roles/workstations.admin`)
`workstations.workstationClusters.createTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`) Cloud Workstations Admin (`roles/workstations.admin`)
`workstations.workstationClusters.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Workstations Admin (`roles/workstations.admin`)
`workstations.workstationClusters.deleteTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`) Cloud Workstations Admin (`roles/workstations.admin`)
`workstations.workstationClusters.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) Cloud Workstations Admin (`roles/workstations.admin`) Cloud Workstations Creator (`roles/workstations.workstationCreator`)
`workstations.workstationClusters.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Cloud Workstations Admin (`roles/workstations.admin`) Cloud Workstations Creator (`roles/workstations.workstationCreator`)
`workstations.workstationClusters.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Cloud Workstations Admin (`roles/workstations.admin`)
`workstations.workstationClusters.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Cloud Workstations Admin (`roles/workstations.admin`)
`workstations.workstationClusters.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Workstations Admin (`roles/workstations.admin`)
`workstations.workstationConfigs.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Workstations Admin (`roles/workstations.admin`)
`workstations.workstationConfigs.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Workstations Admin (`roles/workstations.admin`)
`workstations.workstationConfigs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) Cloud Workstations Admin (`roles/workstations.admin`) Cloud Workstations Creator (`roles/workstations.workstationCreator`) Cloud Workstations Limit Exempted Creator (`roles/workstations.workstationLimitExemptedCreator`)
`workstations.workstationConfigs.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Cloud Workstations Admin (`roles/workstations.admin`)
`workstations.workstationConfigs.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Cloud Workstations Admin (`roles/workstations.admin`)
`workstations.workstationConfigs.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Cloud Workstations Admin (`roles/workstations.admin`)
`workstations.workstationConfigs.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Workstations Admin (`roles/workstations.admin`)
`workstations.workstations.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Workstations Admin (`roles/workstations.admin`) Cloud Workstations Creator (`roles/workstations.workstationCreator`) Cloud Workstations Limit Exempted Creator (`roles/workstations.workstationLimitExemptedCreator`)
`workstations.workstations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Workstations Admin (`roles/workstations.admin`) Cloud Workstations User (`roles/workstations.user`)
`workstations.workstations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) Cloud Workstations Admin (`roles/workstations.admin`) Cloud Workstations User (`roles/workstations.user`)
`workstations.workstations.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Cloud Workstations Admin (`roles/workstations.admin`) Cloud Workstations Policy Admin (`roles/workstations.policyAdmin`)
`workstations.workstations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Cloud Workstations Admin (`roles/workstations.admin`)
`workstations.workstations.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Cloud Workstations Admin (`roles/workstations.admin`) Cloud Workstations Policy Admin (`roles/workstations.policyAdmin`)
`workstations.workstations.start`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Workstations Admin (`roles/workstations.admin`) Cloud Workstations User (`roles/workstations.user`)
`workstations.workstations.stop`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Workstations Admin (`roles/workstations.admin`) Cloud Workstations User (`roles/workstations.user`)
`workstations.workstations.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Workstations Admin (`roles/workstations.admin`) Cloud Workstations User (`roles/workstations.user`)
`workstations.workstations.use`	Cloud Workstations User (`roles/workstations.user`)

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.

Movatterモバイル変換

Cloud Workstations roles and permissions