App Hub IAM roles and permissions

App Hub provides the following Identity and Access Management (IAM) roles:

  • App Hub Admin (roles/apphub.admin): get full access to App Hub settings.
  • App Hub Editor (roles/apphub.editor): create and manage applications, services, and workloads.
  • App Hub Viewer (roles/apphub.viewer): view applications, services, and workloads.

Grant appropriate App Hub IAM roles to users or groups who will manage or view applications within the application management boundary. To grant roles, you can use the IAM page in the Google Cloud console or the Google Cloud CLI. For detailed instructions, see Manage access to projects, folders, and organizations.

App Hub roles

The following table describes App Hub IAM roles and their typical responsibilities:

Role

Description

Purpose

App Hub Admin

Use projects or folders to create applications, attach service projects to a host project, update application attributes, register services and workloads, update service and workload attributes, and delegate application control to the App Hub Editor.
  • Manage the full lifecycle of an application.
  • Get administrative permissions and complete visibility of the end-to-end application architecture.

App Hub Editor

Create and update applications, register and unregister services and workloads, and update attributes.
  • Scale the capability to create, update, or delete services and workloads.
  • Manage application deployments.

App Hub Viewer

View services, workloads, applications, and their attributes.
  • Visualize the status of services, workloads, applications, and their dependencies.
  • Obtain visibility into applications as an App Hub user.

App Hub permissions

The following table lists the permissions that each App Hub IAM role has:

(roles/apphub.admin)

Full access to App Hub resources.

apphub.*

  • apphub.applications.create
  • apphub.applications.delete
  • apphub.applications.get
  • apphub.applications.getIamPolicy
  • apphub.applications.list
  • apphub.applications.setIamPolicy
  • apphub.applications.update
  • apphub.boundaries.attach
  • apphub.boundaries.get
  • apphub.boundaries.update
  • apphub.discoveredServices.get
  • apphub.discoveredServices.list
  • apphub.discoveredServices.register
  • apphub.discoveredWorkloads.get
  • apphub.discoveredWorkloads.list
  • apphub.discoveredWorkloads.register
  • apphub.locations.get
  • apphub.locations.list
  • apphub.operations.cancel
  • apphub.operations.delete
  • apphub.operations.get
  • apphub.operations.list
  • apphub.serviceProjectAttachments.attach
  • apphub.serviceProjectAttachments.create
  • apphub.serviceProjectAttachments.delete
  • apphub.serviceProjectAttachments.detach
  • apphub.serviceProjectAttachments.get
  • apphub.serviceProjectAttachments.list
  • apphub.serviceProjectAttachments.lookup
  • apphub.services.create
  • apphub.services.delete
  • apphub.services.get
  • apphub.services.list
  • apphub.services.update
  • apphub.workloads.create
  • apphub.workloads.delete
  • apphub.workloads.get
  • apphub.workloads.list
  • apphub.workloads.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apphub.editor)

Edit access to App Hub resources.

apphub.applications.create

apphub.applications.delete

apphub.applications.get

apphub.applications.list

apphub.applications.update

apphub.boundaries.get

apphub.discoveredServices.*

  • apphub.discoveredServices.get
  • apphub.discoveredServices.list
  • apphub.discoveredServices.register

apphub.discoveredWorkloads.*

  • apphub.discoveredWorkloads.get
  • apphub.discoveredWorkloads.list
  • apphub.discoveredWorkloads.register

apphub.locations.*

  • apphub.locations.get
  • apphub.locations.list

apphub.operations.*

  • apphub.operations.cancel
  • apphub.operations.delete
  • apphub.operations.get
  • apphub.operations.list

apphub.serviceProjectAttachments.lookup

apphub.services.*

  • apphub.services.create
  • apphub.services.delete
  • apphub.services.get
  • apphub.services.list
  • apphub.services.update

apphub.workloads.*

  • apphub.workloads.create
  • apphub.workloads.delete
  • apphub.workloads.get
  • apphub.workloads.list
  • apphub.workloads.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apphub.viewer)

View access to App Hub resources.

apphub.applications.get

apphub.applications.list

apphub.boundaries.get

apphub.discoveredServices.get

apphub.discoveredServices.list

apphub.discoveredWorkloads.get

apphub.discoveredWorkloads.list

apphub.locations.*

  • apphub.locations.get
  • apphub.locations.list

apphub.operations.get

apphub.operations.list

apphub.serviceProjectAttachments.lookup

apphub.services.get

apphub.services.list

apphub.workloads.get

apphub.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

For more information about IAM permissions, see Find the right predefined roles and IAM roles and permissions index.