IAM requirements for using Gemini Cloud Assist

This page discusses the Identity and Access Management roles that users need in order to successfully use Gemini Cloud Assist. For information about setting up Gemini Cloud Assist, see Set up Gemini Cloud Assist.

Overview

To answer questions and requests about your Google Cloud resources, Gemini Cloud Assist needs the appropriate IAM permissions on those resources. Gemini Cloud Assist acts with the permissions of the user who is querying it, so in many cases the necessary IAM permissions are already granted.

IAM roles for using Gemini Cloud Assist

The following IAM roles are recommended for general usage of Gemini Cloud Assist:

IAM role | Notes
Gemini Cloud Assist User | This role gives users permission to use Gemini Cloud Assist, which includes invoking agents, chatting, creating agent artifacts, and sharing artifacts owned by the user.
Cloud Asset Viewer | This role allows the user's agent to discover the topology of assets relevant to the user's question, because Cloud Asset Inventory manages Google Cloud assets and the metadata associated with those assets. Assets include your Google Cloud resources, policies, and configurations.

Available IAM roles for Gemini Cloud Assist

In most cases, the recommended IAM role for using Gemini Cloud Assist is Gemini Cloud Assist User. In some cases, you might want to switch this role for a different Gemini Cloud Assist role. The following table lists different Gemini Cloud Assist roles that you can use:

IAM role | Function
Gemini Cloud Assist Viewer | This role gives users permission to view agent artifacts, such as investigations or reports, and to view agent configurations. This role grants more limited access than the Gemini Cloud Assist User role; for example, the Gemini Cloud Assist Viewer role doesn't grant permission to invoke or chat with the agent.
Gemini Cloud Assist User | This role gives users permission to use Gemini Cloud Assist, which includes invoking agents, chatting, creating agent artifacts, and sharing artifacts owned by the user.
Gemini Cloud Assist Editor | This role gives users editor permissions for Gemini Cloud Assist. In addition to the permissions contained in the Gemini Cloud Assist User role, the editor role contains permissions to delete chat topics, delete agent artifacts, and update specific agent configurations.
Gemini Cloud Assist Admin | This role gives users administrative permissions for Gemini Cloud Assist. In addition to the permissions contained in the Gemini Cloud Assist Editor role, the administrator role contains permissions that let you configure different policies of Gemini Cloud Assist, such as enabling proactive agents and data sharing, grant permissions on agents, and share artifacts project-wide.

Specific IAM permissions

The following are specific IAM permissions that are important for the functioning of Gemini Cloud Assist. Use this information when creating custom IAM roles.

IAM permission | Function
geminicloudassist.agents.invoke | Sending messages to, and receiving messages from, Gemini Cloud Assist agents.
cloudaicompanion.topics.create | Initiating a chat with Gemini Cloud Assist.
cloudaicompanion.geminiGcpEnablementSettings.update | Configuring the administrator settings for Gemini Cloud Assist.
mcp.tools.call | Sending messages to, and receiving messages from, Gemini Cloud Assist agents through MCP.
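As an added example (not part of the Google Cloud documentation), the script below builds a least-privilege custom role from the permissions listed in the table, so a principal can chat with agents without the delete and administrator permissions carried by the broader predefined roles, and shows the gcloud commands that create the role and bind it together with the recommended Cloud Asset Viewer role. The role ID `geminiAssistChat`, the `RUN_GCLOUD` guard, and the project and principal values are placeholders chosen for this example.

```shell
#!/usr/bin/env bash
# Added example: least-privilege custom role for Gemini Cloud Assist chat.
# Only the permission names come from the documentation; the role ID,
# file paths and principal below are placeholders.
set -eu

# Permissions from the page. mcp.tools.call is needed only for MCP clients.
CHAT_PERMS="geminicloudassist.agents.invoke cloudaicompanion.topics.create"
MCP_PERMS="mcp.tools.call"

# Write a role definition usable with `gcloud iam roles create --file`.
# $1 = output path, $2 = "yes" to also include the MCP permission.
write_assist_role_yaml() {
  out="$1"
  perms="$CHAT_PERMS"
  if [ "${2:-no}" = "yes" ]; then
    perms="$perms $MCP_PERMS"
  fi
  {
    echo "title: Gemini Cloud Assist chat (custom, least privilege)"
    echo "description: Invoke agents and start chats; no delete or admin settings."
    echo "stage: GA"
    echo "includedPermissions:"
    for p in $perms; do
      echo "- $p"
    done
  } > "$out"
}

# Number of permissions in a generated file; a quick sanity check before use.
count_perms() {
  grep -c '^- ' "$1"
}

# Create the custom role in the project and grant it, plus Cloud Asset
# Viewer (roles/cloudasset.viewer, the recommended companion role), to a
# principal. Requires an authenticated gcloud CLI.
apply_bindings() {
  project="$1"; principal="$2"; role_file="$3"
  gcloud iam roles create geminiAssistChat --project="$project" --file="$role_file"
  gcloud projects add-iam-policy-binding "$project" --member="$principal" \
    --role="projects/$project/roles/geminiAssistChat"
  gcloud projects add-iam-policy-binding "$project" --member="$principal" \
    --role="roles/cloudasset.viewer"
}

# Example invocation; set RUN_GCLOUD=yes and replace the placeholders.
if [ "${RUN_GCLOUD:-no}" = "yes" ]; then
  write_assist_role_yaml /tmp/assist-role.yaml
  apply_bindings "PROJECT_ID_PLACEHOLDER" "user:alice@example.com" /tmp/assist-role.yaml
fi
```

Users who hold this custom role can still only see and update chats they created themselves, because topic-level access is granted separately when a chat starts.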

Permissions required for chat

The Gemini Cloud Assist chat panel uses a backend resource called a topic. When you start a chat, Gemini Cloud Assist creates a topic resource and grants you the roles/cloudaicompanion.topicAdmin role for that topic, which includes the cloudaicompanion.topics.update permission. This behavior means a chat is viewable and updatable by only the user who created the topic.

If your organization has a custom constraint that prevents Gemini Cloud Assist from granting roles/cloudaicompanion.topicAdmin to users, your attempt to start a chat session fails. To fix the issue, ask your administrator to update the organization's custom constraints to allow specific roles to be granted.

IAM role recommendations for different use cases

In addition to the access granted from IAM roles for using Gemini Cloud Assist, tasks performed through Gemini Cloud Assist require access to the Google Cloud resources that are relevant to that task. For example:

  • If you are using agents to understand the health of GKE applications, then IAM permissions for GKE and its associated resources are most critical.

  • If you are using agents to deploy data processing jobs, then IAM permissions for Dataflow, Managed Service for Apache Spark, or BigQuery might be most critical.

The necessary IAM permissions depend on the domain of your tasks, so the IAM roles that contain those permissions vary by use case. The following job-function IAM roles are a good starting point if you are not sure which roles users or agent identities should have.

Task | Relevant roles

Troubleshooting and ensuring the reliability and scalability of Google Cloud infrastructure broadly across multiple domains, both proactively and interactively
  • roles/iam.siteReliabilityEngineer
  • roles/iam.supportUser

Deploying, updating, and exploring Google Cloud infrastructure broadly across multiple domains
  • roles/iam.infrastructureAdmin
  • roles/iam.devOps
  • roles/logging.viewer
  • roles/monitoring.viewer
  • roles/cloudtrace.user
  • roles/apptopology.viewer

Exploring, understanding, and troubleshooting your network infrastructure
  • roles/iam.networkAdmin
  • roles/logging.viewer
  • roles/monitoring.viewer
  • roles/cloudtrace.user
  • roles/apptopology.viewer

Interacting with and analyzing data through data processing, transformation, and analysis pipelines
  • roles/iam.dataScientist
  • roles/logging.viewer
  • roles/monitoring.viewer

Deploying, updating, and troubleshooting databases
  • roles/iam.databaseAdmin
  • roles/logging.viewer
  • roles/monitoring.viewer

Understanding and analyzing your application's costs in detail
  • roles/cloudhub.operator
  • roles/monitoring.viewer
  • roles/logging.viewer

Browsing and viewing Google Cloud resources, folder hierarchy, logs, security configuration, and key resource metadata
  • roles/iam.securityAuditor

Using Cloud Storage with Storage Insights datasets to understand your Cloud Storage usage
  • roles/bigquery.jobUser
  • roles/bigquery.dataViewer
  • roles/storageinsights.viewer