API Management roles and permissions

This page lists the IAM roles and permissions for API Management. To search through all roles and permissions, see the role and permission index.

API Management roles

Role Permissions

Role	Permissions
API Management Admin ^Beta (`roles/apim.admin`) Full access to API Management resources.	`apim.*` `apim.apiObservations.batchEditTags` `apim.apiObservations.get` `apim.apiObservations.list` `apim.apiOperations.get` `apim.apiOperations.list` `apim.entitlements.get` `apim.locations.get` `apim.locations.list` `apim.locations.listApiObservationTags` `apim.observationJobs.create` `apim.observationJobs.delete` `apim.observationJobs.disable` `apim.observationJobs.enable` `apim.observationJobs.get` `apim.observationJobs.list` `apim.observationSources.create` `apim.observationSources.delete` `apim.observationSources.get` `apim.observationSources.list` `apim.operations.cancel` `apim.operations.delete` `apim.operations.get` `apim.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
API Management Viewer ^Beta (`roles/apim.viewer`) Readonly access to API Management resources.	`apim.apiObservations.get` `apim.apiObservations.list` `apim.apiOperations.` `apim.apiOperations.get` `apim.apiOperations.list` `apim.entitlements.get` `apim.locations.` `apim.locations.get` `apim.locations.list` `apim.locations.listApiObservationTags` `apim.observationJobs.get` `apim.observationJobs.list` `apim.observationSources.get` `apim.observationSources.list` `apim.operations.get` `apim.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

API Management Admin ^Beta

(roles/apim.admin)

Full access to API Management resources.

apim.*

apim.apiObservations.batchEditTags
apim.apiObservations.get
apim.apiObservations.list
apim.apiOperations.get
apim.apiOperations.list
apim.entitlements.get
apim.locations.get
apim.locations.list
apim.locations.listApiObservationTags
apim.observationJobs.create
apim.observationJobs.delete
apim.observationJobs.disable
apim.observationJobs.enable
apim.observationJobs.get
apim.observationJobs.list
apim.observationSources.create
apim.observationSources.delete
apim.observationSources.get
apim.observationSources.list
apim.operations.cancel
apim.operations.delete
apim.operations.get
apim.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

API Management Viewer ^Beta

(roles/apim.viewer)

Readonly access to API Management resources.

apim.apiObservations.get

apim.apiObservations.list

apim.apiOperations.*

apim.apiOperations.get
apim.apiOperations.list

apim.entitlements.get

apim.locations.*

apim.locations.get
apim.locations.list
apim.locations.listApiObservationTags

apim.observationJobs.get

apim.observationJobs.list

apim.observationSources.get

apim.observationSources.list

apim.operations.get

apim.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Service agent roles

Service agent roles should only be granted to service agents.

Role Permissions

Role	Permissions
APIM API Discovery Service Agent (`roles/apim.apiDiscoveryServiceAgent`) Gives APIM the ability to manage resources in consumer project Warning: Do not grant service agent roles to any principals except service agents.	`compute.backendServices.create` `compute.backendServices.delete` `compute.backendServices.get` `compute.backendServices.list` `compute.backendServices.update` `compute.backendServices.use` `compute.globalOperations.get` `compute.networks.use` `compute.regionBackendServices.create` `compute.regionBackendServices.delete` `compute.regionBackendServices.get` `compute.regionBackendServices.list` `compute.regionBackendServices.update` `compute.regionBackendServices.use` `compute.regionNetworkEndpointGroups.attachNetworkEndpoints` `compute.regionNetworkEndpointGroups.create` `compute.regionNetworkEndpointGroups.delete` `compute.regionNetworkEndpointGroups.detachNetworkEndpoints` `compute.regionNetworkEndpointGroups.get` `compute.regionNetworkEndpointGroups.list` `compute.regionNetworkEndpointGroups.use` `compute.regionOperations.get` `compute.subnetworks.use` `networkservices.operations.*` `networkservices.operations.cancel` `networkservices.operations.delete` `networkservices.operations.get` `networkservices.operations.list`

APIM API Discovery Service Agent

(roles/apim.apiDiscoveryServiceAgent)

Gives APIM the ability to manage resources in consumer project

compute.backendServices.create

compute.backendServices.delete

compute.backendServices.get

compute.backendServices.list

compute.backendServices.update

compute.backendServices.use

compute.globalOperations.get

compute.networks.use

compute.regionBackendServices.create

compute.regionBackendServices.delete

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionBackendServices.update

compute.regionBackendServices.use

compute.regionNetworkEndpointGroups.attachNetworkEndpoints

compute.regionNetworkEndpointGroups.create

compute.regionNetworkEndpointGroups.delete

compute.regionNetworkEndpointGroups.detachNetworkEndpoints

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNetworkEndpointGroups.use

compute.regionOperations.get

compute.subnetworks.use

networkservices.operations.*

networkservices.operations.cancel
networkservices.operations.delete
networkservices.operations.get
networkservices.operations.list

API Management permissions

Permission	Included in roles
`apim.apiObservations.batchEditTags`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.apiObservations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Support User (`roles/iam.supportUser`)
`apim.apiObservations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`apim.apiOperations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Support User (`roles/iam.supportUser`)
`apim.apiOperations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`apim.entitlements.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Support User (`roles/iam.supportUser`)
`apim.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Support User (`roles/iam.supportUser`)
`apim.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`apim.locations.listApiObservationTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Support User (`roles/iam.supportUser`)
`apim.observationJobs.create`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.observationJobs.delete`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.observationJobs.disable`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.observationJobs.enable`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.observationJobs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Support User (`roles/iam.supportUser`)
`apim.observationJobs.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`apim.observationSources.create`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.observationSources.delete`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.observationSources.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Support User (`roles/iam.supportUser`)
`apim.observationSources.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`apim.operations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.operations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) API Management Admin (`roles/apim.admin`)
`apim.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Support User (`roles/iam.supportUser`)
`apim.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) API Management Admin (`roles/apim.admin`) API Management Viewer (`roles/apim.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)

API Management roles and permissions