This page discusses the Identity and Access Management roles that users need in order to successfully use Gemini Cloud Assist. For information about setting up Gemini Cloud Assist, see Set up Gemini Cloud Assist.
Overview
To answer questions and requests about your Google Cloud resources, Gemini Cloud Assist needs the appropriate IAM permissions on those resources. Gemini Cloud Assist acts with the same permissions as the user who is querying it, so in many cases the necessary IAM permissions are already granted.
General IAM roles for using Gemini Cloud Assist
The following IAM roles are recommended for general usage of Gemini Cloud Assist:
| IAM role | Notes |
|---|---|
| Gemini Cloud Assist User | This role gives users permission to use Gemini Cloud Assist, which includes invoking agents, chatting, creating agent artifacts, and sharing artifacts owned by the user. |
| Cloud Asset Viewer | This role allows the user's agent to discover the topology of assets relevant to the user's question, because Cloud Asset Inventory manages Google Cloud assets and metadata associated with those assets. Assets include your Google Cloud resources, policies, and configurations. |
Specific IAM permissions
The following are specific IAM permissions that are important for the functioning of Gemini Cloud Assist. Use this information when creating custom IAM roles.
| IAM permission | Function |
|---|---|
| geminicloudassist.agents.invoke | Sending messages to and receiving messages from Gemini Cloud Assist agents. |
| cloudaicompanion.topics.create | Initiating a chat with Gemini Cloud Assist. |
| cloudaicompanion.geminiGcpEnablementSettings.update | Configuring the administrator settings for Gemini Cloud Assist. |
| mcp.tools.call | Sending messages to and receiving messages from Gemini Cloud Assist agents through MCP. |
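Because the assistant acts with the caller's own permissions, an administrator reviewing a project should know which principals can invoke it and what else those principals hold. The following script is an added example, not Google's code or tooling: it reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints (a constructed sample is embedded), treats a binding as invoke-capable when its role is the Gemini Cloud Assist User role or a custom role containing an invoke permission from the table above, and lists every role those principals carry. The role ID `roles/geminicloudassist.user`, the project `demo-proj`, the custom role and the members are assumptions.

```python
import json

# Permissions from this page that let a principal drive Gemini Cloud Assist agents.
INVOKE_PERMISSIONS = {"geminicloudassist.agents.invoke", "mcp.tools.call"}
# Assumed ID of the "Gemini Cloud Assist User" role; confirm with
# `gcloud iam roles describe roles/geminicloudassist.user`.
PREDEFINED_INVOKE_ROLES = {"roles/geminicloudassist.user"}
# Constructed sample of what `gcloud iam roles describe` reports for a custom role.
CUSTOM_ROLE_PERMISSIONS = {
    "projects/demo-proj/roles/gcaOperator": {
        "geminicloudassist.agents.invoke", "cloudaicompanion.topics.create"},
}
# Constructed sample of `gcloud projects get-iam-policy demo-proj --format=json`.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/geminicloudassist.user",
     "members": ["user:alice@example.com", "group:sre@example.com"]},
    {"role": "projects/demo-proj/roles/gcaOperator",
     "members": ["serviceAccount:agent@demo-proj.iam.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/cloudasset.viewer",
     "members": ["group:sre@example.com", "user:bob@example.com"],
     "condition": {"title": "expiry", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
]})


def role_grants_invoke(role: str) -> bool:
    """True if the role lets the principal send messages to Gemini Cloud Assist agents."""
    if role in PREDEFINED_INVOKE_ROLES:
        return True
    return bool(CUSTOM_ROLE_PERMISSIONS.get(role, set()) & INVOKE_PERMISSIONS)


def audit_assist_reach(policy_json: str) -> dict[str, list[str]]:
    """Map each principal that can invoke Gemini Cloud Assist to every role it holds.

    The assistant acts with the caller's own permissions, so this list is what it
    can reach on the principal's behalf. Conditional bindings are kept but tagged.
    """
    policy = json.loads(policy_json)
    roles_by_member: dict[str, list[str]] = {}
    for binding in policy.get("bindings", []):
        tag = " (conditional)" if "condition" in binding else ""
        for member in binding["members"]:
            roles_by_member.setdefault(member, []).append(binding["role"] + tag)
    return {member: sorted(roles) for member, roles in roles_by_member.items()
            if any(role_grants_invoke(r.removesuffix(" (conditional)")) for r in roles)}


if __name__ == "__main__":
    for member, roles in audit_assist_reach(SAMPLE_POLICY).items():
        print(f"{member}: {', '.join(roles)}")
```

For a real project, replace `SAMPLE_POLICY` with the output of `gcloud projects get-iam-policy` and fill `CUSTOM_ROLE_PERMISSIONS` from `gcloud iam roles describe` for each custom role that appears in the bindings.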
Permissions required for chat
The Gemini Cloud Assist chat panel uses a backend resource called a topic. When you start a chat, Gemini Cloud Assist creates a topic resource and grants you the roles/cloudaicompanion.topicAdmin role for that topic, which includes the cloudaicompanion.topics.update permission. This behavior means a chat is viewable and updatable only by the user who created the topic.

If your organization has a custom constraint that prevents Gemini Cloud Assist from granting roles/cloudaicompanion.topicAdmin to users, your attempt to start a chat session fails. To fix the issue, ask your administrator to update the organization's custom constraints to allow specific roles to be granted.
IAM role recommendations for different use cases
Tasks performed through Gemini Cloud Assist require both access to Gemini Cloud Assist and access to the Google Cloud resources that are relevant to that task. For example:
- If you are using agents to understand the health of GKE applications, then IAM permissions for GKE and its associated resources are most critical.
- If you are using agents to deploy data processing jobs, then IAM permissions for Dataflow, Managed Service for Apache Spark, or BigQuery might be most critical.
Necessary IAM permissions depend on the specific domain that your tasks are in. In turn, appropriate IAM roles that contain these permissions vary by use case. The following job-function IAM roles provide a good starting point if you are not sure what roles users or agent identities should have.
| Task | Relevant roles |
|---|---|
| Troubleshooting and ensuring the reliability and scalability of Google Cloud infrastructure broadly across multiple domains, both proactively and interactively | roles/iam.siteReliabilityEngineer, roles/iam.supportUser |
| Deploying, updating, and exploring Google Cloud infrastructure broadly across multiple domains | roles/iam.infrastructureAdmin, roles/iam.devOps, roles/logging.viewer, roles/monitoring.viewer, roles/cloudasset.viewer, roles/cloudtrace.user, roles/apptopology.viewer |
| Exploring, understanding, and troubleshooting your network infrastructure | roles/iam.networkAdmin, roles/logging.viewer, roles/monitoring.viewer, roles/cloudasset.viewer, roles/cloudtrace.user, roles/apptopology.viewer |
| Interacting with and analyzing data through data processing, transformation, and analysis pipelines | roles/iam.dataScientist, roles/logging.viewer, roles/monitoring.viewer, roles/cloudasset.viewer |
| Deploying, updating, and troubleshooting databases | roles/iam.databaseAdmin, roles/logging.viewer, roles/monitoring.viewer, roles/cloudasset.viewer |
| Understanding and analyzing your application's costs in detail | roles/cloudhub.operator, roles/monitoring.viewer, roles/logging.viewer, roles/cloudasset.viewer |
| Browsing and viewing Google Cloud resources, folder hierarchy, logs, security configuration, and key resource metadata | roles/iam.securityAuditor |
| Using Gemini Cloud Assist with Storage Insights datasets to understand your Cloud Storage usage | roles/bigquery.jobUser, roles/bigquery.dataViewer, roles/storageinsights.viewer |