| Name | Management API server permissions | Kubernetes cluster permissions | Escalates to |
|---|---|---|---|
| AI OCR Developer | OCR resources: Read and write | N/A | N/A |
| AI Speech Chirp Developer | Speech Chirp resources: Read and write | N/A | N/A |
| AI Speech Developer | Speech resources: Read and write | N/A | N/A |
| AI Text Embedding Developer | Text Embedding resources: Read and write | N/A | N/A |
| AI Text Embedding Multilingual Developer | Text Embedding Multilingual resources: Read and write | N/A | N/A |
| AI Translation Developer | Translation resources: Read and write | N/A | N/A |
| Backup Creator | N/A | Manual backups and restores: Create, read, and delete; Backups, restores, backup plans, restore plans, volume backups, volume restores, and delete backup requests: Read | N/A |
| Certificate Authority Service Admin | Certificate authorities and certificate requests: Get, list, watch, update, create, delete, and patch | N/A | N/A |
| Custom Role Project Admin | RoleBinding: Create, read, update, and delete; Project namespace: List | N/A | All other AO roles |
| Dashboard Editor | Dashboard custom resources: Get, read, create, update, delete, and patch | N/A | N/A |
| Dashboard Viewer | Dashboard: Get and read | N/A | N/A |
| Discovery Engine Admin | Discovery Engine: Get, read, create, update, delete, and patch | N/A | N/A |
| Discovery Engine Developer | Discovery Engine: Get and read | N/A | N/A |
| Discovery Engine Reader | Discovery Engine: Read | N/A | N/A |
| Global Load Balancer Admin | N/A | HealthCheck: Get, watch, list, create, patch, update, and delete; BackendService: Get, watch, list, create, patch, update, and delete; ForwardingRuleExternal: Get, watch, list, create, patch, update, and delete; ForwardingRuleInternal: Get, watch, list, create, patch, update, and delete | N/A |
| Harbor Instance Admin | Harbor instances: Create, read, update, delete, and patch | N/A | N/A |
| Harbor Instance Viewer | Harbor instances: Read | N/A | N/A |
| Harbor Project Creator | Harbor instance projects: Create, get, and watch | N/A | N/A |
| K8s NetworkPolicy Admin | NetworkPolicy resources: Create, read, get, update, delete, and patch | N/A | N/A |
| KMS Admin | AEADKey: Create, read, update, delete, patch, encrypt, and decrypt; SigningKey: Create, read, update, delete, patch, and sign; KeyImport and KeyExport: Read | N/A | N/A |
| KMS Creator | AEADKey and SigningKey: Create and read | N/A | N/A |
| KMS Developer | AEADKey in the project namespace: Read, encrypt, and decrypt; SigningKey in the project namespace: Read and sign | N/A | N/A |
| KMS Key Export Admin | KeyExport resource: Create, read, update, patch, and delete | N/A | N/A |
| KMS Key Import Admin | KeyImport resource: Create, read, update, patch, and delete | N/A | N/A |
| KMS Viewer | AEADKey, SigningKey, KeyImport, KeyExport: Read | N/A | N/A |
| Load Balancer Admin | N/A | Backend: Get, watch, list, create, patch, update, and delete; HealthCheck: Get, watch, list, create, patch, update, and delete; BackendService: Get, watch, list, create, patch, update, and delete; ForwardingRuleExternal: Get, watch, list, create, patch, update, and delete; ForwardingRuleInternal: Get, watch, list, create, patch, update, and delete | N/A |
| LoggingRule Creator | LoggingRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingRule Editor | LoggingRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingRule Viewer | LoggingRule custom resources: Read | N/A | N/A |
| LoggingTarget Creator | LoggingTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingTarget Editor | LoggingTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingTarget Viewer | LoggingTarget custom resources: Read | N/A | N/A |
| Marketplace Editor | N/A | Service instances: Create, update, and delete | N/A |
| MonitoringRule Editor | MonitoringRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| MonitoringRule Viewer | MonitoringRule custom resources: Read | N/A | N/A |
| MonitoringTarget Editor | MonitoringTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| MonitoringTarget Viewer | MonitoringTarget custom resources: Read | N/A | N/A |
| Namespace Admin | N/A | All resources: Read and write access in the project namespace | N/A |
| NAT Viewer | N/A | Deployments: Get and read | N/A |
| ObservabilityPipeline Editor | ObservabilityPipeline resources: Get, read, create, update, delete, and patch | N/A | N/A |
| ObservabilityPipeline Viewer | ObservabilityPipeline resources: Get and read | N/A | N/A |
| Project Bucket Admin | Bucket: Read and write in the project namespace | N/A | N/A |
| Project Bucket Object Admin | Bucket: Read; Objects: Read and write | N/A | N/A |
| Project Bucket Object Viewer | Bucket and objects: Read | N/A | N/A |
| Project IAM Admin | IAMRoleBinding and IAMRole: Create, read, update, delete, and bind; ProjectServiceAccount: Create, read, update, and delete; Project namespace: List | N/A | All other AO roles |
| Project NetworkPolicy Admin | Project network policies: Read and write in the project namespace | N/A | N/A |
| Project DB Admin | Database versions, flags, maintenance policies, software libraries, and database project properties: Read; Backup plans and database clusters: Create, read, update, and delete; Imports, exports, and restores: Create, read, and delete; Secrets: Create, delete, and update; Migrations and external servers: Create, read, update, delete, and patch | N/A | N/A |
| Project DB Editor | Database versions, flags, maintenance policies, software libraries, backup plans, and restores: Read; Imports: Create, read, and delete; Database clusters: Read and update; Secrets: Create and delete | N/A | N/A |
| Project DB Viewer | Database versions, flags, maintenance policies, software libraries, backup plans, restores, imports, exports, database clusters, and failovers: Read | N/A | N/A |
| Project Viewer | All resources in the project namespace: Read | N/A | N/A |
| Project VirtualMachine Admin | Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, restores, and password reset requests: Read, create, update, and delete; Virtual machine restart: Put; Virtual machine images, backup plans, and backup plan templates: Read | N/A | N/A |
| Project VirtualMachine Image Admin | VM images: Read; VM image imports: Read and write; Buckets: Create; "vm-images-bucket" Bucket: Read and write | N/A | N/A |
| Secret Admin | Kubernetes secrets: Read, create, update, delete, and patch | N/A | N/A |
| Secret Viewer | Kubernetes secrets: Read | N/A | N/A |
| Service Configuration Admin | ServiceConfigurations: Read and write | N/A | N/A |
| Service Configuration Viewer | ServiceConfigurations: Read | N/A | N/A |
| Subnet Project Admin | Subnets: Create, read, update, and delete | N/A | N/A |
| Subnet Project Operator | Subnets: Create, read, update, and delete | N/A | N/A |
| Vertex AI Prediction User | Online Predictions: Read and write | N/A | N/A |
| Volume Replication Admin | Volume failovers, volume relationship replicas: Create, get, list, watch, delete | N/A | N/A |
| Workbench Notebooks Admin | N/A | Notebook custom resources (CR) in the project namespace: Create, read, update, and delete; ClusterInfo objects: Read | N/A |
| Workbench Notebooks Viewer | N/A | Notebook custom resources (CR) in the project namespace: Read | N/A |
| Workload Viewer | N/A | Pod custom resources in the project namespace: Read; Deployment custom resources in the project namespace: Read | N/A |