Access control with IAM

Cloud Workstations uses Identity and Access Management (IAM) to manage access to workstations and workstation configurations. To grant access, assign one or more Identity and Access Management roles to a principal (user, group, or service account). The policy defines which roles are assigned to which principals.

Enable required Identity and Access Management roles

If the Identity and Access Management permissions you need haven't yet been set up, follow these instructions to set up one or more of the following roles:

Cloud Workstations User: for developers using a workstation

To get the permissions that you need to access a workstation, ask your administrator to grant you the following IAM roles:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Cloud Workstations Creator: for developers creating and connecting to workstations

To get the permissions that you need to view workstation configurations, create workstations, and access workstations, ask your administrator to grant you the following IAM roles:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Cloud Workstations automatically grants the Cloud Workstations User role (roles/workstations.user) on any workstation that you create as Cloud Workstations Creator.

Cloud Workstations Admin: for administrators creating and updating workstation configurations and workstation clusters

To get the permissions that you need to create the Cloud Workstations resources in your project, ask your administrator to grant you the Cloud Workstations Admin (roles/workstations.admin) IAM role on the project. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

For more information about using the Google Cloud console to change permissions, see the following section, Add users and edit permissions using the console.

Cloud Workstations Network Admin: for network administrators creating and updating Shared VPC permissions

To get the permissions that you need to create the Cloud Workstations resources in your Shared VPC, ask your administrator to grant you the Cloud Workstations Network Admin (roles/workstations.networkAdmin) IAM role on the project. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

For more information about using the Google Cloud console to change permissions, see the following section, Add users and edit permissions using the console.

Cloud Workstations Limit Exempted Creator: for developers creating and connecting to workstations

To get the permissions that you need to view workstation configurations, create workstations exempted from the `maxUsableWorkstations` limit, and access workstations, ask your administrator to grant you the following IAM roles on the project:

  • Cloud Workstations Limit Exempted Creator (roles/workstations.workstationLimitExemptedCreator) - the project or individual workstation configuration
  • Cloud Workstations Operation Viewer (roles/workstations.operationViewer) - the project

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Cloud Workstations Policy Admin: for developers updating IAM policy of their workstations

To get the permissions that you need to update the IAM policy of a workstation, which allows granting access to the entire workstation or its individual ports, ask your administrator to grant you the Cloud Workstations Policy Admin (roles/workstations.policyAdmin) IAM role on the workstation.

Cloud Workstations automatically grants the Cloud Workstations Policy Admin role (roles/workstations.policyAdmin) on any workstation that you create as Cloud Workstations Creator, if the Grant Policy Admin role to workstation creators option is enabled on the Cloud Workstations configuration. For more information about this option, see the Add users section of the Create a workstation configuration guide.

Add users and edit permissions using the Google Cloud console

If you're an administrator for Cloud Workstations, you must have the Cloud Workstations Admin role (or legacy Editor or Owner role) assigned to your account.

To add users or edit permissions, follow these steps:

  1. Navigate to the Cloud Workstations Workstation configurations page.
  2. To add new users, click Add users next to the name of the configuration, and enter new user information in the New principals field.
  3. To change existing permissions on a configuration, click the expander arrow on the row with the configuration name, select Edit permissions, and then select Add principal.

    Figure 1. Add users and edit permissions from the Cloud Workstations Workstations configurations pane.
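
A review step for the policy that results from adding principals, as an added example that is not part of the original page or Google's own code: it reads an IAM policy in the standard JSON bindings format and flags grants of the roles named on this page that deserve a second look. The sample policy, the severity labels and the choice of which roles count as elevated are assumptions of this example.

```python
import json

# Role IDs taken from this page; the "elevated" grouping is this example's judgement.
ELEVATED_ROLES = {
    "roles/workstations.admin",
    "roles/workstations.networkAdmin",
    "roles/workstations.policyAdmin",
    "roles/workstations.workstationLimitExemptedCreator",
}
STANDARD_ROLES = {"roles/workstations.user", "roles/workstations.operationViewer"}
LEGACY_BASIC_ROLES = {"roles/editor", "roles/owner"}
REVIEWED_ROLES = ELEVATED_ROLES | STANDARD_ROLES | LEGACY_BASIC_ROLES
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the JSON shape of an IAM allow policy (not real data).
SAMPLE_POLICY = json.loads("""
{"version": 1, "bindings": [
  {"role": "roles/workstations.user",
   "members": ["group:devs@example.com", "allAuthenticatedUsers"]},
  {"role": "roles/workstations.admin",
   "members": ["user:alice@example.com",
               "deleted:user:bob@example.com?uid=123456789"]},
  {"role": "roles/editor",
   "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectViewer", "members": ["user:carol@example.com"]}
]}
""")

def audit_policy(policy):
    """Return sorted (severity, member, role, reason) findings for review."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in REVIEWED_ROLES:
            continue  # not a role this page discusses
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", member, role, "public principal"))
            elif member.startswith("deleted:"):
                findings.append(("MEDIUM", member, role, "principal was deleted; remove binding"))
            elif role in LEGACY_BASIC_ROLES:
                findings.append(("MEDIUM", member, role, "legacy basic role; broader than roles/workstations.admin"))
            elif role in ELEVATED_ROLES:
                findings.append(("INFO", member, role, "elevated role; confirm still needed"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(*finding, sep=" | ")
```

For project-level grants, the output of `gcloud projects get-iam-policy PROJECT_ID --format=json` has this shape and can be passed to `audit_policy` after `json.load`.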

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.