This page describes Developer Connect roles and permissions.
Access control in Developer Connect is managed with Identity and Access Management (IAM). IAM lets you create and manage permissions for Google Cloud resources. Developer Connect provides a specific set of predefined IAM roles, where each role contains a set of permissions suited to a particular type of access or action. We recommend that you adopt the security principle of least privilege and grant only the access your resources actually require.
Predefined Developer Connect roles
You assign permissions to accounts through the use of roles. The following table
lists the IAM roles available for Developer Connect and the
permissions that they include:
The IAM documentation includes a searchable reference of all predefined roles.
Developer Connect Admin (Beta)
roles/developerconnect.admin
Full access to Developer Connect resources.
Permissions:
  developerconnect.connections.constructGitHubAppManifest
  developerconnect.connections.create
  developerconnect.connections.delete
  developerconnect.connections.fetchGitHubInstallations
  developerconnect.connections.fetchLinkableGitRepositories
  developerconnect.connections.generateGitHubStateToken
  developerconnect.connections.get
  developerconnect.connections.list
  developerconnect.connections.processGitHubAppCreationCallback
  developerconnect.connections.processGitHubOAuthCallback
  developerconnect.connections.update
  developerconnect.gitRepositoryLinks.create
  developerconnect.gitRepositoryLinks.delete
  developerconnect.gitRepositoryLinks.fetchGitRefs
  developerconnect.gitRepositoryLinks.get
  developerconnect.gitRepositoryLinks.gitProxyRead
  developerconnect.gitRepositoryLinks.gitProxyWrite
  developerconnect.gitRepositoryLinks.list
  developerconnect.locations.*
    developerconnect.locations.get
    developerconnect.locations.list
  developerconnect.operations.*
    developerconnect.operations.cancel
    developerconnect.operations.delete
    developerconnect.operations.get
    developerconnect.operations.list
  resourcemanager.projects.get
  resourcemanager.projects.list

Developer Connect Viewer (Beta)
roles/developerconnect.viewer
Read-only access to Developer Connect resources.
Permissions:
  developerconnect.connections.get
  developerconnect.connections.list
  developerconnect.gitRepositoryLinks.get
  developerconnect.gitRepositoryLinks.list
  developerconnect.locations.*
    developerconnect.locations.get
    developerconnect.locations.list
  developerconnect.operations.get
  developerconnect.operations.list
  resourcemanager.projects.get
  resourcemanager.projects.list

Developer Connect HTTP Proxy Writer (Beta)
roles/developerconnect.connectionHttpProxyWriter
Grants read and write access to connections through the HTTP Proxy.
Permissions:
  developerconnect.connections.httpProxyRead
  developerconnect.connections.httpProxyWrite

Developer Connect Git Proxy Reader (Beta)
roles/developerconnect.gitProxyReader
Grants read-only access to repositories through the Git Proxy.
Permissions:
  developerconnect.gitRepositoryLinks.gitProxyRead

Developer Connect Git Proxy User (Beta)
roles/developerconnect.gitProxyUser
Grants read and write access to repositories through the Git Proxy.
Permissions:
  developerconnect.gitRepositoryLinks.gitProxyRead
  developerconnect.gitRepositoryLinks.gitProxyWrite

Developer Connect Insights Admin (Beta)
roles/developerconnect.insightsAdmin
Admin access to Developer Connect Insights resources.
Permissions:
  developerconnect.deploymentEvents.*
    developerconnect.deploymentEvents.get
    developerconnect.deploymentEvents.list
  developerconnect.insightsConfigs.*
    developerconnect.insightsConfigs.create
    developerconnect.insightsConfigs.delete
    developerconnect.insightsConfigs.get
    developerconnect.insightsConfigs.list
    developerconnect.insightsConfigs.update
  developerconnect.locations.*
    developerconnect.locations.get
    developerconnect.locations.list
  developerconnect.operations.get
  developerconnect.operations.list
  resourcemanager.projects.get
  resourcemanager.projects.list

Developer Connect Insights Config Agent (Beta)
roles/developerconnect.insightsAgent
Allows Developer Connect to access SDLC information.
Permissions:
  cloudasset.assets.exportResource
  cloudasset.assets.listResource
  cloudasset.assets.searchAllResources
  cloudasset.feeds.create
  cloudasset.feeds.get
  cloudasset.feeds.update
  containeranalysis.occurrences.get
  containeranalysis.occurrences.list
  logging.logEntries.create

Developer Connect Insights Viewer (Beta)
roles/developerconnect.insightsViewer
Read-only access to Developer Connect Insights resources.
Permissions:
  developerconnect.deploymentEvents.*
    developerconnect.deploymentEvents.get
    developerconnect.deploymentEvents.list
  developerconnect.insightsConfigs.get
  developerconnect.insightsConfigs.list
  developerconnect.locations.*
    developerconnect.locations.get
    developerconnect.locations.list
  developerconnect.operations.get
  developerconnect.operations.list
  resourcemanager.projects.get
  resourcemanager.projects.list

Developer Connect OAuth Admin (Beta)
roles/developerconnect.oauthAdmin
Grants read and write access to AccountConnector resources.
Permissions:
  developerconnect.accountConnectors.*
    developerconnect.accountConnectors.create
    developerconnect.accountConnectors.delete
    developerconnect.accountConnectors.get
    developerconnect.accountConnectors.list
    developerconnect.accountConnectors.update
  developerconnect.locations.*
    developerconnect.locations.get
    developerconnect.locations.list
  developerconnect.operations.get
  developerconnect.operations.list
  developerconnect.providers.list
  developerconnect.users.*
    developerconnect.users.delete
    developerconnect.users.deleteSelf
    developerconnect.users.fetchAccessToken
    developerconnect.users.finishOAuth
    developerconnect.users.getSelf
    developerconnect.users.list
    developerconnect.users.startOAuth
  resourcemanager.projects.get
  resourcemanager.projects.list

Developer Connect OAuth User (Beta)
roles/developerconnect.oauthUser
Grants read and write access to User resources, and read access to AccountConnectors.
Permissions:
  developerconnect.accountConnectors.get
  developerconnect.accountConnectors.list
  developerconnect.locations.*
    developerconnect.locations.get
    developerconnect.locations.list
  developerconnect.operations.get
  developerconnect.operations.list
  developerconnect.users.deleteSelf
  developerconnect.users.fetchAccessToken
  developerconnect.users.finishOAuth
  developerconnect.users.getSelf
  developerconnect.users.startOAuth
  resourcemanager.projects.get
  resourcemanager.projects.list

Developer Connect Read Token Accessor (Beta)
roles/developerconnect.readTokenAccessor
Grants access to read-only tokens (both PAT and short-lived). Also grants access to view the git repository link.
Permissions:
  developerconnect.connections.get
  developerconnect.gitRepositoryLinks.fetchReadToken
  developerconnect.gitRepositoryLinks.get

Developer Connect Token Accessor (Beta)
roles/developerconnect.tokenAccessor
Grants access to read/write and read-only tokens (both PAT and short-lived). Also grants access to view the git repository link.
Permissions:
  developerconnect.connections.get
  developerconnect.gitRepositoryLinks.fetchReadToken
  developerconnect.gitRepositoryLinks.fetchReadWriteToken
  developerconnect.gitRepositoryLinks.get

Developer Connect User (Beta)
roles/developerconnect.user
Grants access to view the connection and to the features that interact with the actual repository, such as reading content from the repository.
Permissions:
  developerconnect.connections.fetchGitHubInstallations
  developerconnect.connections.fetchLinkableGitRepositories
  developerconnect.connections.get
  developerconnect.connections.list
  developerconnect.gitRepositoryLinks.fetchGitRefs
  developerconnect.gitRepositoryLinks.get
  developerconnect.gitRepositoryLinks.list
  developerconnect.locations.*
    developerconnect.locations.get
    developerconnect.locations.list
  developerconnect.operations.get
  developerconnect.operations.list
  resourcemanager.projects.get
  resourcemanager.projects.list
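The least-privilege recommendation above becomes concrete once you ask, for the permissions a workload actually needs, which grant covers them while handing out the fewest permissions overall. The following Python is an added example, not code from the Developer Connect documentation or API. ROLE_PERMISSIONS is transcribed from the table above for the repository-facing roles only (the Insights and OAuth roles are omitted), with wildcards such as developerconnect.locations.* written out as the permissions the table lists beneath them; the function names are this example's own.

```python
"""Choose the smallest Developer Connect grant that covers a set of permissions.

Added example, not part of the Developer Connect documentation or API. The
ROLE_PERMISSIONS map is transcribed from the predefined-roles table on this
page for the repository-facing roles only; the function names are this
example's own.
"""
from __future__ import annotations

from itertools import combinations
from typing import Iterable, Optional

# Permissions every one of the broad roles in the table carries.
_COMMON = {
    "developerconnect.locations.get",
    "developerconnect.locations.list",
    "developerconnect.operations.get",
    "developerconnect.operations.list",
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
}

ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "roles/developerconnect.admin": frozenset(_COMMON | {
        "developerconnect.connections.constructGitHubAppManifest",
        "developerconnect.connections.create",
        "developerconnect.connections.delete",
        "developerconnect.connections.fetchGitHubInstallations",
        "developerconnect.connections.fetchLinkableGitRepositories",
        "developerconnect.connections.generateGitHubStateToken",
        "developerconnect.connections.get",
        "developerconnect.connections.list",
        "developerconnect.connections.processGitHubAppCreationCallback",
        "developerconnect.connections.processGitHubOAuthCallback",
        "developerconnect.connections.update",
        "developerconnect.gitRepositoryLinks.create",
        "developerconnect.gitRepositoryLinks.delete",
        "developerconnect.gitRepositoryLinks.fetchGitRefs",
        "developerconnect.gitRepositoryLinks.get",
        "developerconnect.gitRepositoryLinks.gitProxyRead",
        "developerconnect.gitRepositoryLinks.gitProxyWrite",
        "developerconnect.gitRepositoryLinks.list",
        "developerconnect.operations.cancel",
        "developerconnect.operations.delete",
    }),
    "roles/developerconnect.viewer": frozenset(_COMMON | {
        "developerconnect.connections.get",
        "developerconnect.connections.list",
        "developerconnect.gitRepositoryLinks.get",
        "developerconnect.gitRepositoryLinks.list",
    }),
    "roles/developerconnect.user": frozenset(_COMMON | {
        "developerconnect.connections.fetchGitHubInstallations",
        "developerconnect.connections.fetchLinkableGitRepositories",
        "developerconnect.connections.get",
        "developerconnect.connections.list",
        "developerconnect.gitRepositoryLinks.fetchGitRefs",
        "developerconnect.gitRepositoryLinks.get",
        "developerconnect.gitRepositoryLinks.list",
    }),
    "roles/developerconnect.gitProxyReader": frozenset({
        "developerconnect.gitRepositoryLinks.gitProxyRead",
    }),
    "roles/developerconnect.gitProxyUser": frozenset({
        "developerconnect.gitRepositoryLinks.gitProxyRead",
        "developerconnect.gitRepositoryLinks.gitProxyWrite",
    }),
    "roles/developerconnect.readTokenAccessor": frozenset({
        "developerconnect.connections.get",
        "developerconnect.gitRepositoryLinks.fetchReadToken",
        "developerconnect.gitRepositoryLinks.get",
    }),
    "roles/developerconnect.tokenAccessor": frozenset({
        "developerconnect.connections.get",
        "developerconnect.gitRepositoryLinks.fetchReadToken",
        "developerconnect.gitRepositoryLinks.fetchReadWriteToken",
        "developerconnect.gitRepositoryLinks.get",
    }),
}


def least_privileged_grant(required: Iterable[str], max_roles: int = 3) -> Optional[tuple[int, tuple[str, ...]]]:
    """Return (granted_permission_count, roles) for the combination of up to
    max_roles roles that covers every required permission with the fewest
    permissions granted overall, or None if no combination covers it.
    Exhaustive search is fine: the handful of roles above yields only a few
    dozen combinations."""
    need = frozenset(required)
    names = sorted(ROLE_PERMISSIONS)
    best = None
    for size in range(1, max_roles + 1):
        for combo in combinations(names, size):
            granted = frozenset().union(*(ROLE_PERMISSIONS[r] for r in combo))
            if need <= granted:
                candidate = (len(granted), size, combo)  # fewest permissions, then fewest roles
                if best is None or candidate < best:
                    best = candidate
    return None if best is None else (best[0], best[2])


def excess_permissions(roles: Iterable[str], required: Iterable[str]) -> frozenset[str]:
    """Permissions a grant hands out beyond what was asked for, i.e. the part
    of the grant that violates least privilege."""
    granted = frozenset().union(*(ROLE_PERMISSIONS[r] for r in roles))
    return granted - frozenset(required)


if __name__ == "__main__":
    # A read-only pipeline that clones through the Git Proxy and lists links.
    need = {
        "developerconnect.gitRepositoryLinks.gitProxyRead",
        "developerconnect.gitRepositoryLinks.get",
        "developerconnect.gitRepositoryLinks.list",
    }
    print(least_privileged_grant(need))
    print(sorted(excess_permissions(["roles/developerconnect.admin"], need)))
```

For the read-only pipeline in the usage block, the search returns the pair gitProxyReader plus viewer (11 permissions granted) rather than admin alone (26), which is the kind of result that justifies binding two narrow roles instead of one broad one.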
Service agent roles
Service agent roles should only be granted to service agents.

Developer Connect Service Agent
roles/developerconnect.serviceAgent
Gives the Developer Connect API service account access to the Google Cloud resources it needs.
Warning: Do not grant service agent roles to any principals except service agents.
Permissions:
  apphub.applications.get
  apphub.services.get
  apphub.services.list
  apphub.workloads.get
  apphub.workloads.list
  developerconnect.operations.get
Developer Connect service account
Developer Connect uses a service agent to execute tasks on your behalf when communicating with other services. This service agent is created automatically when you first interact with Developer Connect (for example, when you create a repository connection or an account connector).
The identifier for the Developer Connect service agent is as follows, where PROJECT_NUMBER is your Google Cloud project number:
service-PROJECT_NUMBER@gcp-sa-devconnect.iam.gserviceaccount.com
You use this identifier to grant or modify IAM roles and permissions.
For specific steps on granting roles, see Granting, changing, and revoking access to resources.
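Two points on this page are worth checking mechanically against a project's IAM policy: the service agent role should be bound only to the service agent identity in the format shown above, and the roles that hand out repository tokens or proxy write access deserve a periodic review of who holds them. The following Python is an added example, not code from the Developer Connect documentation or API. It reads the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints (a `bindings` list of `role`/`members` pairs); the sample policy, project number and member names are constructed for the example, and the function names are this example's own.

```python
"""Audit a project IAM policy for Developer Connect role misuse.

Added example, not part of the Developer Connect documentation or API. The
sample policy below is constructed; the project number and members are made up.
"""
from __future__ import annotations

import json
import re

SERVICE_AGENT_ROLE = "roles/developerconnect.serviceAgent"
# Identity format from this page: service-PROJECT_NUMBER@gcp-sa-devconnect.iam.gserviceaccount.com
SERVICE_AGENT_MEMBER = re.compile(
    r"^serviceAccount:service-\d+@gcp-sa-devconnect\.iam\.gserviceaccount\.com$"
)
# Roles from the table above that grant repository credentials or write access.
CREDENTIAL_ROLES = {
    "roles/developerconnect.admin": "full control of connections and repository links",
    "roles/developerconnect.tokenAccessor": "read/write repository tokens",
    "roles/developerconnect.readTokenAccessor": "read-only repository tokens",
    "roles/developerconnect.gitProxyUser": "read/write through the Git Proxy",
    "roles/developerconnect.connectionHttpProxyWriter": "read/write through the HTTP Proxy",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_policy(policy: dict) -> list[dict]:
    """Return one finding per binding member that violates the guidance above."""
    findings: list[dict] = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if role == SERVICE_AGENT_ROLE and not SERVICE_AGENT_MEMBER.match(member):
                findings.append({
                    "severity": "high", "role": role, "member": member,
                    "reason": "service agent role bound to a principal that is not the Developer Connect service agent",
                })
            elif role.startswith("roles/developerconnect.") and member in PUBLIC_MEMBERS:
                findings.append({
                    "severity": "high", "role": role, "member": member,
                    "reason": "Developer Connect role bound to a public principal",
                })
    return findings


def credential_role_holders(policy: dict) -> dict[str, list[str]]:
    """Inventory of who holds the credential- or write-granting roles. A role
    can appear in several bindings (for example with different conditions), so
    members are accumulated rather than overwritten."""
    holders: dict[str, list[str]] = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role in CREDENTIAL_ROLES and binding.get("members"):
            holders.setdefault(role, []).extend(sorted(binding["members"]))
    return holders


# Constructed sample in the shape gcloud prints; not a real project.
SAMPLE_POLICY = json.loads("""{
  "version": 1,
  "etag": "BwXconstructed=",
  "bindings": [
    {"role": "roles/developerconnect.serviceAgent",
     "members": ["serviceAccount:service-123456789012@gcp-sa-devconnect.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/developerconnect.tokenAccessor",
     "members": ["serviceAccount:ci-runner@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/developerconnect.gitProxyReader",
     "members": ["allAuthenticatedUsers"]},
    {"role": "roles/developerconnect.viewer",
     "members": ["group:devs@example.com"]}
  ]
}""")


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(f"[{finding['severity']}] {finding['role']} -> {finding['member']}: {finding['reason']}")
    for role, members in credential_role_holders(SAMPLE_POLICY).items():
        print(f"review: {role} ({CREDENTIAL_ROLES[role]}) held by {', '.join(members)}")
```

Run against a real export, the script flags the human user on the service agent role and the public binding, and lists the CI service account as a holder of roles/developerconnect.tokenAccessor for review; the legitimate service-PROJECT_NUMBER identity passes the regex and produces no finding.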
What's next