Roles and permissions
When you use Cloud Load Balancing, you make API requests. Each API request requiresthat theIdentity and Access Management (IAM) principal whomakes the request has appropriate permission to create, modify, or delete theassociated resources.
In IAM, permission to access a Google Cloud resourceisn't granted directly to the end user. Instead, permissions are groupedinto roles, and roles are granted to authenticated principals. Principals can beof the following types: a user, group, service account, or Google domain.An IAM policy defines and enforces what roles aregranted to which principals, and this policy is then attached to a resource.
This page provides an overview of relevant IAM roles andpermissions for Cloud Load Balancing. For a detailed description ofIAM, see theIAM documentation.
Roles and permissions
To follow the examples in the load balancinghow-to guides, principalsneed to create instances, firewall rules, and VPC networks. Youcan provide the necessary permissions in one of the following ways:
Grant thepredefined roles that are related to loadbalancing.To view the specific permissions included in the predefined roles, see thefollowing sections:
- Compute Load Balancer Admin role(
roles/compute.loadBalancerAdmin) - Compute Network Admin role(
roles/compute.networkAdmin) - Compute Security Admin role(
roles/compute.securityAdmin) - Compute Instance Admin role(
roles/compute.instanceAdmin)
- Compute Load Balancer Admin role(
Create and grant custom roles that at least contain thepermissions included in the predefined roles.
Usebasic roles, making the principals project ownersor editors. Whenever possible, avoid using the basic roles; they grant alarge number of permissions, which violates the principle of least privilege.
Role change latency
Cloud Load Balancing caches IAM permissions for five minutes,so it takes up to five minutes for a role change to become effective.
Managing Access Control for Cloud Load Balancing using IAM
You can get and set IAM policies using the Google Cloud console, theIAM API, or the Google Cloud CLI. SeeGranting,changing, and revoking access for details.
What's next
- Learn more aboutIAM.
- Grant IAM roles.
- Learn aboutIAM Conditions for forwardingrules.
- Learn aboutorganization policy constraints for Cloud LoadBalancing.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.