IAM roles and permissions

This page describes Developer Connect roles and permissions.

Access control in Developer Connect is controlled using Identity and Access Management (IAM). IAM lets you create and manage permissions for Google Cloud resources. Developer Connect provides a specific set of predefined IAM roles where each role contains a set of permissions suited to a particular type of access or action. We recommend that you adopt the security principle of least privilege, and grant only the necessary access to your resources.

Predefined Developer Connect roles

You assign permissions to accounts through the use of roles. The following table lists the roles available for Developer Connect and the permissions that they include:

Role | Permissions

Name: developerconnect.admin

Title: Developer Connect Admin

Grants full access to Developer Connect resources.

developerconnect.operations.delete

developerconnect.operations.cancel

developerconnect.connections.create

developerconnect.connections.update

developerconnect.connections.delete

developerconnect.connections.constructGitHubAppManifest

developerconnect.connections.processGitHubOAuthCallback

developerconnect.connections.processGitHubAppCreationCallback

developerconnect.connections.generateGitHubStateToken

developerconnect.accountConnectors.create

developerconnect.accountConnectors.update

developerconnect.accountConnectors.delete

developerconnect.accountConnectors.get

developerconnect.accountConnectors.list

developerconnect.gitRepositoryLinks.create

developerconnect.gitRepositoryLinks.delete


Name: developerconnect.readTokenAccessor

Title: Developer Connect Read Token Accessor

Grants access to read-only tokens. Also grants access to view the Git repository link.

developerconnect.connections.get

developerconnect.gitRepositoryLinks.get

developerconnect.gitRepositoryLinks.fetchReadToken



Name: developerconnect.tokenAccessor

Title: Developer Connect Token Accessor

Grants access to read/write and read-only tokens. Also grants access to view the Git repository link.

developerconnect.connections.get

developerconnect.gitRepositoryLinks.get

developerconnect.gitRepositoryLinks.fetchReadToken

developerconnect.gitRepositoryLinks.fetchReadWriteToken


Name: developerconnect.user

Title: Developer Connect User

Grants access to view the connection and access to the features that interact with the Git repository, such as reading content from the Git repository, or linking to the Git repository.


developerconnect.connections.fetchGitHubInstallations

developerconnect.connections.fetchLinkableGitRepositories

developerconnect.gitRepositoryLinks.fetchGitRefs

Name: developerconnect.viewer

Title: Developer Connect Viewer

Grants read-only access to Developer Connect resources.

resourcemanager.projects.get

resourcemanager.projects.list

developerconnect.operations.list

developerconnect.operations.get

developerconnect.locations.list

developerconnect.locations.get

developerconnect.connections.list

developerconnect.connections.get

developerconnect.accountConnectors.get

developerconnect.accountConnectors.list

developerconnect.gitRepositoryLinks.list

developerconnect.gitRepositoryLinks.get


Name: developerconnect.gitProxyReader

Title: Developer Connect Git Proxy Reader

Grants read-only access to repositories through the Git proxy.


developerconnect.gitRepositoryLinks.gitProxyRead


Name: developerconnect.gitProxyUser

Title: Developer Connect Git Proxy User

Grants read and write access to repositories through the Git proxy.


developerconnect.gitRepositoryLinks.gitProxyRead

developerconnect.gitRepositoryLinks.gitProxyWrite

Name: developerconnect.accountConnectorProxyUser

Title: Developer Connect Account Connector Proxy User

Grants access to account connectors through Git and HTTP proxies.


developerconnect.accountConnectors.gitProxyUse

developerconnect.accountConnectors.fetchUserRepositories

Name: developerconnect.oauthAdmin

Title: Developer Connect OAuth Admin

Grants read and write access to Account Connector resources.


developerconnect.accountConnectors.create

developerconnect.accountConnectors.update

developerconnect.accountConnectors.delete

developerconnect.accountConnectors.fetchUserRepositories

developerconnect.users.delete

developerconnect.users.list

developerconnect.providers.list

cloudresourcemanager.projects.get

cloudresourcemanager.projects.list

developerconnect.operations.list

developerconnect.operations.get

developerconnect.locations.list

developerconnect.locations.get

developerconnect.users.startOAuth

developerconnect.users.finishOAuth

developerconnect.users.fetchAccessToken

developerconnect.users.getSelf

developerconnect.users.deleteSelf

developerconnect.accountConnectors.get

developerconnect.accountConnectors.list

Name: developerconnect.oauthUser

Title: Developer Connect OAuth User

Grants read and write access to User resources, and read access to Account Connectors.


cloudresourcemanager.projects.get

cloudresourcemanager.projects.list

developerconnect.operations.list

developerconnect.operations.get

developerconnect.locations.list

developerconnect.locations.get

developerconnect.users.startOAuth

developerconnect.users.finishOAuth

developerconnect.users.fetchAccessToken

developerconnect.users.getSelf

developerconnect.users.deleteSelf

developerconnect.accountConnectors.get

developerconnect.accountConnectors.list

Name: developerconnect.insightsAdmin

Title: Developer Connect Insights Admin

Grants full access to Developer Connect insights, and read-only access to Resource Manager resources.


cloudresourcemanager.projects.get

cloudresourcemanager.projects.list

developerconnect.operations.list

developerconnect.operations.get

developerconnect.locations.list

developerconnect.locations.get

developerconnect.insightsConfigs.list

developerconnect.insightsConfigs.get

developerconnect.insightsConfigs.create

developerconnect.insightsConfigs.update

developerconnect.insightsConfigs.delete

Name: developerconnect.insightsAgent

Title: Developer Connect Insights Agent

Grants read-only access to Cloud Asset Inventory assets, read and create access to Cloud Asset Inventory feeds, read-only access to, read-only access to Artifact Analysis occurrences, and the ability to create Cloud Logging log entries.


cloudasset.assets.searchAllResources

cloudasset.assets.listResource

cloudasset.assets.exportResource

cloudasset.feeds.create

cloudasset.feeds.update

cloudasset.feeds.get

containeranalysis.occurrences.get

containeranalysis.occurrences.list

logging.logEntries.create

Name: developerconnect.insightsViewer

Title: Developer Connect Insights Viewer

Grants read-only access to Resource Manager projects and to Developer Connect operations, locations, and insights.


cloudresourcemanager.projects.get

cloudresourcemanager.projects.list

developerconnect.operations.list

developerconnect.operations.get

developerconnect.locations.list

developerconnect.locations.get

developerconnect.insightsConfigs.list

developerconnect.insightsConfigs.get

Developer Connect service account

Developer Connect uses a service agent to execute tasks on your behalf when communicating with other services. This service agent is created automatically when you first interact with Developer Connect (create a repository connection or account connector).

The identifier for the Developer Connect service agent is as follows, where PROJECT_NUMBER is your Google Cloud project number.

service-PROJECT_NUMBER@gcp-sa-devconnect.iam.gserviceaccount.com

You use this identifier to grant or modify IAM roles and permissions.

Configure access to resources

For specific steps on granting roles, see Granting, changing, and revoking access to resources.
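To apply the least-privilege recommendation to grants that already exist, the following added example (not part of the original page or of Google's tooling) audits an IAM policy in the JSON form returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`. It flags members whose Developer Connect role includes a repository write permission and names the read-only role from the table above that could replace it. The function names, the sample policy, and its principals are constructed for illustration.

```python
import json

# Permissions per predefined role, copied from the role table on this page.
# IAM policy bindings reference predefined roles with a "roles/" prefix.
_LINK = "developerconnect.gitRepositoryLinks."
_VIEW = {"developerconnect.connections.get", _LINK + "get"}
ROLE_PERMISSIONS = {
    "roles/developerconnect.readTokenAccessor": _VIEW | {_LINK + "fetchReadToken"},
    "roles/developerconnect.tokenAccessor":
        _VIEW | {_LINK + "fetchReadToken", _LINK + "fetchReadWriteToken"},
    "roles/developerconnect.gitProxyReader": {_LINK + "gitProxyRead"},
    "roles/developerconnect.gitProxyUser":
        {_LINK + "gitProxyRead", _LINK + "gitProxyWrite"},
}
WRITE_PERMISSIONS = {_LINK + "fetchReadWriteToken", _LINK + "gitProxyWrite"}

def read_only_alternative(role):
    """Role from the table granting the same permissions minus the write ones."""
    wanted = ROLE_PERMISSIONS[role] - WRITE_PERMISSIONS
    for name, perms in ROLE_PERMISSIONS.items():
        if name != role and perms == wanted:
            return name
    return None

def audit(policy):
    """List members whose binding grants write access to linked repositories."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        write = ROLE_PERMISSIONS.get(role, set()) & WRITE_PERMISSIONS
        for member in binding.get("members", []) if write else []:
            findings.append({"member": member, "role": role,
                             "write_permissions": sorted(write),
                             "read_only_alternative": read_only_alternative(role)})
    return findings

# Constructed sample policy (placeholder principals, not real accounts).
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/developerconnect.tokenAccessor",
   "members": ["serviceAccount:build@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/developerconnect.gitProxyUser",
   "members": ["user:dev@example.com", "group:ci@example.com"]},
  {"role": "roles/developerconnect.viewer", "members": ["user:auditor@example.com"]}
]}""")

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print(json.dumps(finding))
```

Each finding is a candidate for review: if the workload only clones or reads, the suggested read-only role covers it without the write permission.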


Last updated 2026-02-19 UTC.