Cloud Workstations roles and permissions

This page lists the IAM roles and permissions for Cloud Workstations. To search through all roles and permissions, see the role and permission index.

Cloud Workstations roles

Role | Permissions

Cloud Workstations Admin

(roles/workstations.admin)

Grants CRUD access to all Workstation resources.

compute.acceleratorTypes.*

  • compute.acceleratorTypes.get
  • compute.acceleratorTypes.list

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.networks.get

compute.networks.list

compute.subnetworks.get

compute.subnetworks.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

workstations.operations.*

  • workstations.operations.get
  • workstations.operations.list

workstations.workstationClusters.*

  • workstations.workstationClusters.create
  • workstations.workstationClusters.createTagBinding
  • workstations.workstationClusters.delete
  • workstations.workstationClusters.deleteTagBinding
  • workstations.workstationClusters.get
  • workstations.workstationClusters.list
  • workstations.workstationClusters.listEffectiveTags
  • workstations.workstationClusters.listTagBindings
  • workstations.workstationClusters.update

workstations.workstationConfigs.*

  • workstations.workstationConfigs.create
  • workstations.workstationConfigs.delete
  • workstations.workstationConfigs.get
  • workstations.workstationConfigs.getIamPolicy
  • workstations.workstationConfigs.list
  • workstations.workstationConfigs.setIamPolicy
  • workstations.workstationConfigs.update

workstations.workstations.create

workstations.workstations.delete

workstations.workstations.get

workstations.workstations.getIamPolicy

workstations.workstations.list

workstations.workstations.setIamPolicy

workstations.workstations.start

workstations.workstations.stop

workstations.workstations.update

Cloud Workstations Network Admin

(roles/workstations.networkAdmin)

Grants ability to connect a Workstation Cluster to a shared VPC network.

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.use

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.globalOperations.get

compute.networks.get

compute.networks.updatePolicy

compute.networks.use

compute.networks.useExternalIp

compute.regionOperations.get

compute.subnetworks.get

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

Cloud Workstations Operation Viewer

(roles/workstations.operationViewer)

Grants ability to view Cloud Workstations API operations.

workstations.operations.get

Cloud Workstations Policy Admin

(roles/workstations.policyAdmin)

Grants permission to set IAM policy on workstation.

workstations.workstations.getIamPolicy

workstations.workstations.setIamPolicy

Workstations Service Agent

(roles/workstations.serviceAgent)

Grants the Workstations Service Account access to manage resources in consumer project.

Warning: Do not grant service agent roles to any principals except service agents.

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.use

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.delete

compute.disks.deleteTagBinding

compute.disks.get

compute.disks.list

compute.disks.resize

compute.disks.setLabels

compute.disks.use

compute.disks.useReadOnly

compute.firewalls.create

compute.firewalls.delete

compute.firewalls.get

compute.firewalls.update

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.globalOperations.get

compute.instances.attachDisk

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.deleteTagBinding

compute.instances.detachDisk

compute.instances.get

compute.instances.getGuestAttributes

compute.instances.getSerialPortOutput

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.networks.addPeering

compute.networks.get

compute.networks.removePeering

compute.networks.updatePolicy

compute.networks.use

compute.networks.useExternalIp

compute.regionOperations.get

compute.regions.get

compute.reservations.get

compute.snapshots.create

compute.snapshots.createTagBinding

compute.snapshots.delete

compute.snapshots.deleteTagBinding

compute.snapshots.get

compute.snapshots.listTagBindings

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.get

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

dns.networks.bindPrivateDNSZone

dns.networks.targetWithPeeringZone

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.tagValueBindings.*

  • resourcemanager.tagValueBindings.create
  • resourcemanager.tagValueBindings.delete

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

serviceusage.services.get

Cloud Workstations User

(roles/workstations.user)

Grants runtime access to Workstation resources.

workstations.operations.*

  • workstations.operations.get
  • workstations.operations.list

workstations.workstations.delete

workstations.workstations.get

workstations.workstations.start

workstations.workstations.stop

workstations.workstations.update

workstations.workstations.use

Cloud Workstations Creator

(roles/workstations.workstationCreator)

Grants ability to create Workstation resources.

resourcemanager.projects.get

resourcemanager.projects.list

workstations.operations.*

  • workstations.operations.get
  • workstations.operations.list

workstations.workstationClusters.get

workstations.workstationClusters.list

workstations.workstationConfigs.get

workstations.workstations.create

Cloud Workstations Limit Exempted Creator

(roles/workstations.workstationLimitExemptedCreator)

Grants ability to create workstations with exemption from max_usable_workstations Limit.

resourcemanager.projects.get

resourcemanager.projects.list

workstations.operations.*

  • workstations.operations.get
  • workstations.operations.list

workstations.workstationConfigs.get

workstations.workstations.create

Cloud Workstations permissions

Permission | Included in roles

workstations.operations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Cloud Workstations Admin (roles/workstations.admin)

Cloud Workstations Operation Viewer (roles/workstations.operationViewer)

Cloud Workstations User (roles/workstations.user)

Cloud Workstations Creator (roles/workstations.workstationCreator)

Cloud Workstations Limit Exempted Creator (roles/workstations.workstationLimitExemptedCreator)

workstations.operations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Cloud Workstations Admin (roles/workstations.admin)

Cloud Workstations User (roles/workstations.user)

Cloud Workstations Creator (roles/workstations.workstationCreator)

Cloud Workstations Limit Exempted Creator (roles/workstations.workstationLimitExemptedCreator)

workstations.workstationClusters.create

Owner (roles/owner)

Editor (roles/editor)

Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationClusters.createTagBinding

Owner (roles/owner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Tag User (roles/resourcemanager.tagUser)

Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationClusters.delete

Owner (roles/owner)

Editor (roles/editor)

Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationClusters.deleteTagBinding

Owner (roles/owner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Tag User (roles/resourcemanager.tagUser)

Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationClusters.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Cloud Workstations Admin (roles/workstations.admin)

Cloud Workstations Creator (roles/workstations.workstationCreator)

workstations.workstationClusters.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Cloud Workstations Admin (roles/workstations.admin)

Cloud Workstations Creator (roles/workstations.workstationCreator)

workstations.workstationClusters.listEffectiveTags

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationClusters.listTagBindings

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationClusters.update

Owner (roles/owner)

Editor (roles/editor)

Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationConfigs.create

Owner (roles/owner)

Editor (roles/editor)

Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationConfigs.delete

Owner (roles/owner)

Editor (roles/editor)

Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationConfigs.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Cloud Workstations Admin (roles/workstations.admin)

Cloud Workstations Creator (roles/workstations.workstationCreator)

Cloud Workstations Limit Exempted Creator (roles/workstations.workstationLimitExemptedCreator)

workstations.workstationConfigs.getIamPolicy

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationConfigs.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationConfigs.setIamPolicy

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationConfigs.update

Owner (roles/owner)

Editor (roles/editor)

Cloud Workstations Admin (roles/workstations.admin)

workstations.workstations.create

Owner (roles/owner)

Editor (roles/editor)

Cloud Workstations Admin (roles/workstations.admin)

Cloud Workstations Creator (roles/workstations.workstationCreator)

Cloud Workstations Limit Exempted Creator (roles/workstations.workstationLimitExemptedCreator)

workstations.workstations.delete

Owner (roles/owner)

Editor (roles/editor)

Cloud Workstations Admin (roles/workstations.admin)

Cloud Workstations User (roles/workstations.user)

workstations.workstations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Cloud Workstations Admin (roles/workstations.admin)

Cloud Workstations User (roles/workstations.user)

workstations.workstations.getIamPolicy

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Cloud Workstations Admin (roles/workstations.admin)

Cloud Workstations Policy Admin (roles/workstations.policyAdmin)

workstations.workstations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Cloud Workstations Admin (roles/workstations.admin)

workstations.workstations.setIamPolicy

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

Cloud Workstations Admin (roles/workstations.admin)

Cloud Workstations Policy Admin (roles/workstations.policyAdmin)

workstations.workstations.start

Owner (roles/owner)

Editor (roles/editor)

Cloud Workstations Admin (roles/workstations.admin)

Cloud Workstations User (roles/workstations.user)

workstations.workstations.stop

Owner (roles/owner)

Editor (roles/editor)

Cloud Workstations Admin (roles/workstations.admin)

Cloud Workstations User (roles/workstations.user)

workstations.workstations.update

Owner (roles/owner)

Editor (roles/editor)

Cloud Workstations Admin (roles/workstations.admin)

Cloud Workstations User (roles/workstations.user)

workstations.workstations.use

Cloud Workstations User (roles/workstations.user)

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.