Access control for projects with IAM
Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
IAM lets you control who (users) has what access (roles) to which resources by setting allow policies. Allow policies grant specific roles to a user, giving the user certain permissions.
This page explains the IAM permissions and roles you can use to manage access to projects. For more information, see Manage access to projects, folders, and organizations.
Note: You can also use deny policies to prevent principals from using specific IAM permissions. For more information, see Deny policies.
Note: If you're getting started with Google Cloud, you can set up your resource hierarchy and grant initial access as part of the Google Cloud setup process.
Permissions and roles
To control access to resources, Google Cloud requires that accounts making API requests have appropriate IAM roles. IAM roles include permissions that allow users to perform specific actions on Google Cloud resources. For example, the resourcemanager.projects.delete permission allows a user to delete a project.
You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them. You grant these roles on a particular resource, but they also apply to all of that resource's descendants in the resource hierarchy.
Permissions
To manage projects, the caller must have a role that includes the following permissions. The role is granted on the organization resource or folder that contains the projects:
| Method | Required permission(s) |
|---|---|
| resourcemanager.projects.create | resourcemanager.projects.create |
| resourcemanager.projects.delete | resourcemanager.projects.delete |
| resourcemanager.projects.get | resourcemanager.projects.get. Granting this permission also grants access to get the name of the billing account associated with the project through the Billing API method billing.projects.getBillingInfo. |
| resourcemanager.projects.getIamPolicy | resourcemanager.projects.getIamPolicy |
| resourcemanager.projects.list | resourcemanager.projects.list |
| resourcemanager.projects.search | resourcemanager.projects.get |
| resourcemanager.projects.setIamPolicy | resourcemanager.projects.setIamPolicy |
| resourcemanager.projects.testIamPermissions | Does not require any permission. |
| resourcemanager.projects.undelete | resourcemanager.projects.undelete |
| resourcemanager.projects.patch | To update a project's metadata, requires the resourcemanager.projects.update permission. To update a project's parent and move the project into an organization resource, requires the resourcemanager.projects.create permission on the organization resource. |
| projects.move | projects.move |
Using predefined roles
IAM predefined roles allow you to carefully manage the set of permissions that your users have access to. For a full list of the roles that can be granted at the project level, see Understanding Roles.
The following table lists the predefined roles that you can use to grant access to a project. Each role includes a description of what the role does and the permissions included in that role.
| Role | Description |
|---|---|
| Project Creator | Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project. |
| Project Deleter | Provides access to delete Google Cloud projects. |
| Project Mover | Provides access to update and move projects. |
| Project IAM Admin | Provides permissions to administer allow policies on projects. |
| Browser | Read access to browse the hierarchy for a project, including the folder, organization, and allow policy. This role doesn't include permission to view resources in the project. |
Basic roles
Avoid using basic roles except when absolutely necessary. These roles are very powerful, and include a large number of permissions across all Google Cloud services. For more details on when you should use basic roles, see Basic roles.
| Role | Description | Permissions |
|---|---|---|
roles/owner | Full access to all resources. | All permissions for all resources. |
roles/editor | Edit access to most resources. | Create and update access for most resources. |
roles/viewer | Read access to most resources. | Get and list access for most resources. |
Creating custom roles
In addition to the predefined roles described in this topic, you can also create custom roles that are collections of permissions that you tailor to your needs. When creating a custom role for use with Resource Manager, be aware of the following points:
- List and get permissions, such as resourcemanager.projects.get/list, should always be granted as a pair.
- When your custom role includes the folders.list and folders.get permissions, it should also include projects.list and projects.get.
- Be aware that the setIamPolicy permission for organization, folder, and project resources allows the user to grant all other permissions, and so should be assigned with care.
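The three points above are easy to check mechanically before a custom role is created. The following is an added example, not Google's code: a small linter that takes a role's permission list and reports unpaired get/list permissions, a folders get/list pair without the matching projects pair, and any setIamPolicy permission. The sample role is constructed, and its includedPermissions key follows the shape that `gcloud iam roles describe` prints, which this example assumes.

```python
"""Lint a custom-role permission set against the three Resource Manager
caveats above: get/list pairs, folders.list/get implying projects.list/get,
and setIamPolicy being a grant-everything permission.

Added example, not Google's code. The sample role is constructed; its
"includedPermissions" key follows the shape that `gcloud iam roles describe`
prints, which this example assumes.
"""

# The get/list pairing rule is applied to the resource types the page names.
PAIRED_TYPES = ("folders", "projects")
# setIamPolicy exists, and is dangerous, on all three hierarchy resource types.
SET_POLICY_TYPES = ("organizations", "folders", "projects")


def lint_custom_role(included_permissions):
    """Return a list of (severity, message) findings for a permission set."""
    perms = set(included_permissions)
    findings = []

    # 1. List and get permissions should always be granted as a pair.
    for rtype in PAIRED_TYPES:
        get_p = f"resourcemanager.{rtype}.get"
        list_p = f"resourcemanager.{rtype}.list"
        if (get_p in perms) != (list_p in perms):
            present, missing = (get_p, list_p) if get_p in perms else (list_p, get_p)
            findings.append(("error", f"{present} granted without {missing}"))

    # 2. folders.get + folders.list should come with projects.get + projects.list.
    folder_pair = {"resourcemanager.folders.get", "resourcemanager.folders.list"}
    project_pair = {"resourcemanager.projects.get", "resourcemanager.projects.list"}
    if folder_pair <= perms and not project_pair <= perms:
        missing = ", ".join(sorted(project_pair - perms))
        findings.append(("error", f"folders.get/list granted without {missing}"))

    # 3. setIamPolicy lets the holder grant every other permission on the resource.
    for rtype in SET_POLICY_TYPES:
        p = f"resourcemanager.{rtype}.setIamPolicy"
        if p in perms:
            findings.append(("warning", f"{p} allows granting all other permissions; assign with care"))

    return findings


def has_errors(findings):
    """True when any finding is an error (a role you should not create as-is)."""
    return any(sev == "error" for sev, _ in findings)


# Constructed custom role: a "hierarchy viewer" that forgot projects.list and
# accidentally picked up projects.setIamPolicy.
SAMPLE_ROLE = {
    "name": "organizations/000000000000/roles/hierarchyViewer",  # placeholder org id
    "includedPermissions": [
        "resourcemanager.folders.get",
        "resourcemanager.folders.list",
        "resourcemanager.projects.get",
        "resourcemanager.projects.setIamPolicy",
    ],
}

if __name__ == "__main__":
    for severity, message in lint_custom_role(SAMPLE_ROLE["includedPermissions"]):
        print(f"{severity.upper():8} {message}")
```

Run against the sample role it reports two errors (projects.get without projects.list, and the folders pair without projects.list) and one warning for projects.setIamPolicy. The setIamPolicy finding is only a warning because the page says to assign it with care, not never; the get/list findings are errors because the page says those should always be paired.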
Access control at the project level
You can grant roles to users at the project level using the Google Cloud console, the Cloud Resource Manager API, and the Google Cloud CLI. For instructions, see Granting, Changing, and Revoking Access.
Default roles
When you create a project, you are granted the roles/owner role for the project to provide you full control as the creator. This default role can be changed as normal in an allow policy.
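Changing the default binding, like any project-level grant, is a read-modify-write of the project's allow policy. The following is an added example, not Google's code, that performs that cycle offline on a constructed policy: it adds a least-privilege binding (the Browser role, whose ID roles/browser is assumed here), lists the basic-role grants that the section above says to avoid, removes the creator's default roles/owner binding, and shows where the etag check on the write belongs. The policy uses the bindings/role/members/etag shape the Resource Manager API returns; nothing here contacts the API.

```python
"""Read-modify-write of a project's allow policy: the cycle behind
`gcloud projects add-iam-policy-binding` / `remove-iam-policy-binding`.

Added example, not Google's code. The policy is constructed and uses the
bindings/role/members/etag shape the Resource Manager API returns. Nothing
here talks to the API: the functions return the updated policy so the logic
can be checked offline, and set_policy shows where the etag check goes.
"""
import copy

# Basic roles carry a large number of permissions across all services; the
# page says to avoid them except when absolutely necessary.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed allow policy of a freshly created project: the creator holds
# roles/owner by default.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXexampleEtag=",  # constructed placeholder
    "bindings": [
        {"role": "roles/owner", "members": ["user:creator@example.com"]},
    ],
}


def add_binding(policy, role, member):
    """Return a copy of policy with member granted role (idempotent)."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def remove_binding(policy, role, member):
    """Return a copy of policy with member removed from role; drop empty bindings."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role and member in binding["members"]:
            binding["members"].remove(member)
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new


def members_with_role(policy, role):
    """All members bound to role in policy."""
    return [m for b in policy["bindings"] if b["role"] == role for m in b["members"]]


def basic_role_grants(policy):
    """(role, member) pairs holding a basic role: the bindings to review first."""
    return [(b["role"], m) for b in policy["bindings"]
            if b["role"] in BASIC_ROLES for m in b["members"]]


def set_policy(current, new):
    """Stand-in for the setIamPolicy write: reject the update if the policy
    being written was not read at the current etag, as the real API does."""
    if new["etag"] != current["etag"]:
        raise ValueError("policy changed since it was read; re-read and retry")
    return new


if __name__ == "__main__":
    # Grant read-only hierarchy access to an auditor group (assumed group name),
    # then list the basic-role grants still present for review.
    policy = add_binding(SAMPLE_POLICY, "roles/browser", "group:auditors@example.com")
    policy = set_policy(SAMPLE_POLICY, policy)
    print("basic-role grants to review:", basic_role_grants(policy))
```

The functions never mutate the policy they were given, so a failed write leaves the copy read from the API untouched and the cycle can simply be repeated. Keeping the etag from the read in the policy you write is what makes two administrators editing the same project at once safe: the second write is rejected instead of silently dropping the first one's binding.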
VPC Service Controls
VPC Service Controls can provide additional security when using the Cloud Resource Manager API. To learn more about VPC Service Controls, see the VPC Service Controls overview.
To learn about the current limitations in using Resource Manager with VPC Service Controls, see the supported products and limitations page.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.