IAM requirements for using Gemini Cloud Assist

This page discusses the Identity and Access Management roles that users need in order to successfully use Gemini Cloud Assist. For information about setting up Gemini Cloud Assist, see Set up Gemini Cloud Assist.

Overview

In order to support questions and requests about your Google Cloud resources, Gemini Cloud Assist needs the appropriate IAM permissions for those resources. Gemini Cloud Assist has the same permissions that the user querying Gemini Cloud Assist has, so in many cases, the necessary IAM permissions are already granted.

Permissions required for chat

The Gemini Cloud Assist chat panel uses a backend resource called a topic. When you start a chat, Gemini Cloud Assist creates a topic resource and grants you the roles/cloudaicompanion.topicAdmin role for that topic, which includes the cloudaicompanion.topics.update permission. If your organization has a custom constraint that prevents Gemini Cloud Assist from granting roles/cloudaicompanion.topicAdmin to users, your attempt to start a chat session fails.

To fix the issue, ask your administrator to update the organization's custom constraints to allow specific roles to be granted.

IAM role recommendations for different use cases

Tasks performed through Gemini Cloud Assist require both access to Gemini Cloud Assist and access to the Google Cloud resources that are relevant to that task. For example:

  • If you are using agents to understand the health of GKE applications, then IAM permissions for GKE and its associated resources are most critical.

  • If you are using agents to deploy data processing jobs, then IAM permissions for Dataflow, Managed Service for Apache Spark, or BigQuery might be most critical.

Necessary IAM permissions depend on the specific domain that your tasks are in. In turn, appropriate IAM roles that contain these permissions vary by use case. The following job-function IAM roles provide a good starting point if you are not sure what roles users or agent identities should have.

Task and relevant roles:

Troubleshooting and ensuring the reliability and scalability of Google Cloud infrastructure broadly across multiple domains, both proactively and interactively
  • roles/iam.siteReliabilityEngineer
  • roles/iam.supportUser

Deploying, updating, and exploring Google Cloud infrastructure broadly across multiple domains
  • roles/iam.infrastructureAdmin
  • roles/iam.devOps
  • roles/logging.viewer
  • roles/monitoring.viewer
  • roles/cloudasset.viewer
  • roles/cloudtrace.user
  • roles/apptopology.viewer

Exploring, understanding, and troubleshooting your network infrastructure
  • roles/iam.networkAdmin
  • roles/logging.viewer
  • roles/monitoring.viewer
  • roles/cloudasset.viewer
  • roles/cloudtrace.user
  • roles/apptopology.viewer

Interacting with and analyzing data through data processing, transformation, and analysis pipelines
  • roles/iam.dataScientist
  • roles/logging.viewer
  • roles/monitoring.viewer
  • roles/cloudasset.viewer

Deploying, updating, and troubleshooting databases
  • roles/iam.databaseAdmin
  • roles/logging.viewer
  • roles/monitoring.viewer
  • roles/cloudasset.viewer

Understanding and analyzing your application's costs in detail
  • roles/cloudhub.operator
  • roles/monitoring.viewer
  • roles/logging.viewer
  • roles/cloudasset.viewer

Browsing and viewing Google Cloud resources, folder hierarchy, logs, security configuration, and key resource metadata
  • roles/iam.securityAuditor

Using Gemini Cloud Assist with Storage Insights datasets to understand your Cloud Storage usage
  • roles/bigquery.jobUser
  • roles/bigquery.dataViewer
  • roles/storageinsights.viewer
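Because Gemini Cloud Assist runs with exactly the permissions of the user asking, a useful pre-flight check is to compare a principal's project-level bindings against the role bundle recommended for their use case before troubleshooting a failed request. The script below is an added example, not Google's code or tooling: it transcribes the task-to-role mapping from the list above into a dictionary, reads a policy document in the shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns (the sample policy embedded here is constructed, with made-up members and a made-up condition), and reports which recommended roles are missing for a member and which are held only under an IAM condition. The use-case keys (`sre`, `infrastructure`, and so on) are labels chosen for this example, not names defined by the page.

```python
"""Pre-flight check: recommended Gemini Cloud Assist role bundles vs. a principal's
direct project-level IAM bindings (added example; policy JSON is a constructed sample)."""
import json

# Transcribed from the task/role list above. The keys are labels chosen for this example.
RECOMMENDED = {
    "sre": ["roles/iam.siteReliabilityEngineer", "roles/iam.supportUser"],
    "infrastructure": ["roles/iam.infrastructureAdmin", "roles/iam.devOps",
                       "roles/logging.viewer", "roles/monitoring.viewer",
                       "roles/cloudasset.viewer", "roles/cloudtrace.user",
                       "roles/apptopology.viewer"],
    "network": ["roles/iam.networkAdmin", "roles/logging.viewer", "roles/monitoring.viewer",
                "roles/cloudasset.viewer", "roles/cloudtrace.user", "roles/apptopology.viewer"],
    "data": ["roles/iam.dataScientist", "roles/logging.viewer", "roles/monitoring.viewer",
             "roles/cloudasset.viewer"],
    "database": ["roles/iam.databaseAdmin", "roles/logging.viewer", "roles/monitoring.viewer",
                 "roles/cloudasset.viewer"],
    "cost": ["roles/cloudhub.operator", "roles/monitoring.viewer", "roles/logging.viewer",
             "roles/cloudasset.viewer"],
    "security-audit": ["roles/iam.securityAuditor"],
    "storage-insights": ["roles/bigquery.jobUser", "roles/bigquery.dataViewer",
                         "roles/storageinsights.viewer"],
}

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT_ID --format=json`.
# Members, project and the condition expression are made up for this example.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/iam.siteReliabilityEngineer", "members": ["user:alice@example.com"]},
    {"role": "roles/logging.viewer", "members": ["user:alice@example.com"],
     "condition": {"title": "business-hours",
                   "expression": "request.time.getHours('UTC') >= 9"}},
    {"role": "roles/monitoring.viewer",
     "members": ["user:alice@example.com", "group:sre@example.com"]},
    {"role": "roles/iam.supportUser", "members": ["group:sre@example.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 3
}
"""


def load_sample_policy():
    """Parse the constructed sample policy into a dict."""
    return json.loads(SAMPLE_POLICY_JSON)


def roles_for_member(policy, member):
    """Map role -> True if the binding carries an IAM condition, False otherwise.

    Only bindings that name `member` verbatim are counted. Roles inherited through
    group or domain membership, or from a folder/organization policy, are not
    expanded here and must be resolved separately before trusting a 'missing' result."""
    held = {}
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            held[binding["role"]] = "condition" in binding
    return held


def check_use_case(policy, member, use_case):
    """Return (missing, conditional): recommended roles the member lacks outright,
    and recommended roles the member holds only under a condition."""
    wanted = RECOMMENDED[use_case]
    held = roles_for_member(policy, member)
    missing = [role for role in wanted if role not in held]
    conditional = [role for role in wanted if held.get(role)]
    return missing, conditional


if __name__ == "__main__":
    policy = load_sample_policy()
    for member in ("user:alice@example.com", "group:sre@example.com"):
        for use_case in ("sre", "infrastructure"):
            missing, conditional = check_use_case(policy, member, use_case)
            print(f"{member} / {use_case}: missing={missing} conditional={conditional}")
```

Run it against a real policy by replacing the sample with the output of `gcloud projects get-iam-policy PROJECT_ID --format=json`. A role reported under `conditional` is worth a second look: a condition such as a time window means Gemini Cloud Assist's access to that resource will vary with the request, which can explain intermittent failures that a plain "role present" check would not surface.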