Cloud IoT roles and permissions

This page lists the IAM roles and permissions for Cloud IoT. Tosearch through all roles and permissions, see therole andpermission index.

Cloud IoT roles

RolePermissions

Cloud IoT Core Service Agent

(roles/cloudiot.serviceAgent)

Grants the ability to manage Cloud IoT Core resources, including publishing data to Cloud Pub/Sub and writing device activity logs to Stackdriver. Warning: If this role is removed from the Cloud IoT service account, Cloud IoT Core will be unable to publish data or write device activity logs.

Warning: Do not grant service agent roles to any principals exceptservice agents.

logging.logEntries.create

logging.logEntries.route

pubsub.topics.publish

Cloud IoT permissions

PermissionIncluded in roles

cloudiottoken.tokensettings.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

cloudiottoken.tokensettings.update

Owner (roles/owner)

Editor (roles/editor)

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.