Cloud IoT roles and permissions

This page lists the IAM roles and permissions for Cloud IoT. To search through all roles and permissions, see the role and permission index.

Cloud IoT roles

Cloud IoT offers the following service agent roles. Service agent roles should only be granted to service agents.

Role Permissions

Role	Permissions
Cloud IoT Core Service Agent (`roles/cloudiot.serviceAgent`) Grants the ability to manage Cloud IoT Core resources, including publishing data to Cloud Pub/Sub and writing device activity logs to Stackdriver. Warning: If this role is removed from the Cloud IoT service account, Cloud IoT Core will be unable to publish data or write device activity logs. Warning: Do not grant service agent roles to any principals except service agents.	`logging.logEntries.create` `logging.logEntries.route` `pubsub.topics.publish`

Cloud IoT Core Service Agent

(roles/cloudiot.serviceAgent)

Grants the ability to manage Cloud IoT Core resources, including publishing data to Cloud Pub/Sub and writing device activity logs to Stackdriver. Warning: If this role is removed from the Cloud IoT service account, Cloud IoT Core will be unable to publish data or write device activity logs.

logging.logEntries.create

logging.logEntries.route

pubsub.topics.publish

Cloud IoT permissions

Permission Included in roles

Permission	Included in roles
`cloudiottoken.tokensettings.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`)
`cloudiottoken.tokensettings.update`	Owner (`roles/owner`) Editor (`roles/editor`)

`cloudiottoken.tokensettings.get`

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

`cloudiottoken.tokensettings.update`