Pub/Sub roles and permissions

This page lists the IAM roles and permissions for Pub/Sub. To search through all roles and permissions, see the role and permission index.

Pub/Sub roles

Role Permissions

Role	Permissions
Pub/Sub Admin (`roles/pubsub.admin`) Provides full access to topics and subscriptions. Lowest-level resources where you can grant this role: Schema Snapshot Subscription Topic	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `pubsub.` `pubsub.messageTransforms.validate` `pubsub.schemas.attach` `pubsub.schemas.commit` `pubsub.schemas.create` `pubsub.schemas.delete` `pubsub.schemas.get` `pubsub.schemas.getIamPolicy` `pubsub.schemas.list` `pubsub.schemas.listRevisions` `pubsub.schemas.rollback` `pubsub.schemas.setIamPolicy` `pubsub.schemas.validate` `pubsub.snapshots.create` `pubsub.snapshots.createTagBinding` `pubsub.snapshots.delete` `pubsub.snapshots.deleteTagBinding` `pubsub.snapshots.get` `pubsub.snapshots.getIamPolicy` `pubsub.snapshots.list` `pubsub.snapshots.listEffectiveTags` `pubsub.snapshots.listTagBindings` `pubsub.snapshots.seek` `pubsub.snapshots.setIamPolicy` `pubsub.snapshots.update` `pubsub.subscriptions.consume` `pubsub.subscriptions.create` `pubsub.subscriptions.createTagBinding` `pubsub.subscriptions.delete` `pubsub.subscriptions.deleteTagBinding` `pubsub.subscriptions.get` `pubsub.subscriptions.getIamPolicy` `pubsub.subscriptions.list` `pubsub.subscriptions.listEffectiveTags` `pubsub.subscriptions.listTagBindings` `pubsub.subscriptions.setIamPolicy` `pubsub.subscriptions.update` `pubsub.topics.attachSubscription` `pubsub.topics.create` `pubsub.topics.createTagBinding` `pubsub.topics.delete` `pubsub.topics.deleteTagBinding` `pubsub.topics.detachSubscription` `pubsub.topics.get` `pubsub.topics.getIamPolicy` `pubsub.topics.list` `pubsub.topics.listEffectiveTags` `pubsub.topics.listTagBindings` `pubsub.topics.publish` `pubsub.topics.setIamPolicy` `pubsub.topics.update` `pubsub.topics.updateTag` `resourcemanager.projects.get` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.effectivepolicy.get` `serviceusage.groups.*` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.values.test`
Pub/Sub Editor (`roles/pubsub.editor`) Provides access to modify topics and subscriptions, and access to publish and consume messages. Lowest-level resources where you can grant this role: Schema Snapshot Subscription Topic	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `pubsub.messageTransforms.validate` `pubsub.schemas.attach` `pubsub.schemas.commit` `pubsub.schemas.create` `pubsub.schemas.delete` `pubsub.schemas.get` `pubsub.schemas.list` `pubsub.schemas.listRevisions` `pubsub.schemas.rollback` `pubsub.schemas.validate` `pubsub.snapshots.create` `pubsub.snapshots.createTagBinding` `pubsub.snapshots.delete` `pubsub.snapshots.deleteTagBinding` `pubsub.snapshots.get` `pubsub.snapshots.list` `pubsub.snapshots.listEffectiveTags` `pubsub.snapshots.listTagBindings` `pubsub.snapshots.seek` `pubsub.snapshots.update` `pubsub.subscriptions.consume` `pubsub.subscriptions.create` `pubsub.subscriptions.createTagBinding` `pubsub.subscriptions.delete` `pubsub.subscriptions.deleteTagBinding` `pubsub.subscriptions.get` `pubsub.subscriptions.list` `pubsub.subscriptions.listEffectiveTags` `pubsub.subscriptions.listTagBindings` `pubsub.subscriptions.update` `pubsub.topics.attachSubscription` `pubsub.topics.create` `pubsub.topics.createTagBinding` `pubsub.topics.delete` `pubsub.topics.deleteTagBinding` `pubsub.topics.detachSubscription` `pubsub.topics.get` `pubsub.topics.list` `pubsub.topics.listEffectiveTags` `pubsub.topics.listTagBindings` `pubsub.topics.publish` `pubsub.topics.update` `pubsub.topics.updateTag` `resourcemanager.projects.get` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.effectivepolicy.get` `serviceusage.groups.` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.values.test`
Pub/Sub Subscriber (`roles/pubsub.subscriber`) Provides access to consume messages from a subscription and to attach subscriptions to a topic. Lowest-level resources where you can grant this role: Snapshot Subscription Topic	`pubsub.snapshots.seek` `pubsub.subscriptions.consume` `pubsub.topics.attachSubscription`
Pub/Sub Viewer (`roles/pubsub.viewer`) Provides access to view topics and subscriptions. Lowest-level resources where you can grant this role: Schema Snapshot Subscription Topic	`pubsub.messageTransforms.validate` `pubsub.schemas.get` `pubsub.schemas.list` `pubsub.schemas.listRevisions` `pubsub.schemas.validate` `pubsub.snapshots.get` `pubsub.snapshots.list` `pubsub.snapshots.listEffectiveTags` `pubsub.snapshots.listTagBindings` `pubsub.subscriptions.get` `pubsub.subscriptions.list` `pubsub.subscriptions.listEffectiveTags` `pubsub.subscriptions.listTagBindings` `pubsub.topics.get` `pubsub.topics.list` `pubsub.topics.listEffectiveTags` `pubsub.topics.listTagBindings` `resourcemanager.projects.get` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.effectivepolicy.get` `serviceusage.groups.*` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.values.test`
Pub/Sub Publisher (`roles/pubsub.publisher`) Provides access to publish messages to a topic. Lowest-level resources where you can grant this role: Topic	`pubsub.topics.publish`

Pub/Sub Admin

(roles/pubsub.admin)

Provides full access to topics and subscriptions.

Lowest-level resources where you can grant this role:

Schema
Snapshot
Subscription
Topic

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

pubsub.*

pubsub.messageTransforms.validate
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.getIamPolicy
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.setIamPolicy
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.createTagBinding
pubsub.snapshots.delete
pubsub.snapshots.deleteTagBinding
pubsub.snapshots.get
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.snapshots.listEffectiveTags
pubsub.snapshots.listTagBindings
pubsub.snapshots.seek
pubsub.snapshots.setIamPolicy
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.createTagBinding
pubsub.subscriptions.delete
pubsub.subscriptions.deleteTagBinding
pubsub.subscriptions.get
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.subscriptions.listEffectiveTags
pubsub.subscriptions.listTagBindings
pubsub.subscriptions.setIamPolicy
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.createTagBinding
pubsub.topics.delete
pubsub.topics.deleteTagBinding
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.listEffectiveTags
pubsub.topics.listTagBindings
pubsub.topics.publish
pubsub.topics.setIamPolicy
pubsub.topics.update
pubsub.topics.updateTag

resourcemanager.projects.get

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.values.test

Pub/Sub Editor

(roles/pubsub.editor)

Provides access to modify topics and subscriptions, and access to publish and consume messages.

Lowest-level resources where you can grant this role:

Schema
Snapshot
Subscription
Topic

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

pubsub.messageTransforms.validate

pubsub.schemas.attach

pubsub.schemas.commit

pubsub.schemas.create

pubsub.schemas.delete

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.rollback

pubsub.schemas.validate

pubsub.snapshots.create

pubsub.snapshots.createTagBinding

pubsub.snapshots.delete

pubsub.snapshots.deleteTagBinding

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.snapshots.listEffectiveTags

pubsub.snapshots.listTagBindings

pubsub.snapshots.seek

pubsub.snapshots.update

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.createTagBinding

pubsub.subscriptions.delete

pubsub.subscriptions.deleteTagBinding

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.listEffectiveTags

pubsub.subscriptions.listTagBindings

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.createTagBinding

pubsub.topics.delete

pubsub.topics.deleteTagBinding

pubsub.topics.detachSubscription

pubsub.topics.get

pubsub.topics.list

pubsub.topics.listEffectiveTags

pubsub.topics.listTagBindings

pubsub.topics.publish

pubsub.topics.update

pubsub.topics.updateTag

resourcemanager.projects.get

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.values.test

Pub/Sub Subscriber

(roles/pubsub.subscriber)

Provides access to consume messages from a subscription and to attach subscriptions to a topic.

Lowest-level resources where you can grant this role:

Snapshot
Subscription
Topic

pubsub.snapshots.seek

pubsub.subscriptions.consume

pubsub.topics.attachSubscription

Pub/Sub Viewer

(roles/pubsub.viewer)

Provides access to view topics and subscriptions.

Lowest-level resources where you can grant this role:

Schema
Snapshot
Subscription
Topic

pubsub.messageTransforms.validate

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.snapshots.listEffectiveTags

pubsub.snapshots.listTagBindings

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.listEffectiveTags

pubsub.subscriptions.listTagBindings

pubsub.topics.get

pubsub.topics.list

pubsub.topics.listEffectiveTags

pubsub.topics.listTagBindings

resourcemanager.projects.get

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.values.test

Pub/Sub Publisher

(roles/pubsub.publisher)

Provides access to publish messages to a topic.

Lowest-level resources where you can grant this role:

Topic

pubsub.topics.publish

Service agent roles

Service agent roles should only be granted to service agents.

Role Permissions

Role	Permissions
Cloud Pub/Sub Service Agent (`roles/pubsub.serviceAgent`) Grants Cloud Pub/Sub Service Account access to manage resources. Warning: Do not grant service agent roles to any principals except service agents.	`iam.serviceAccounts.get` `iam.serviceAccounts.getAccessToken` `iam.serviceAccounts.getOpenIdToken` `iam.serviceAccounts.implicitDelegation` `iam.serviceAccounts.list` `iam.serviceAccounts.signBlob` `iam.serviceAccounts.signJwt` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.use`

Cloud Pub/Sub Service Agent

(roles/pubsub.serviceAgent)

Grants Cloud Pub/Sub Service Account access to manage resources.

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.implicitDelegation

iam.serviceAccounts.list

iam.serviceAccounts.signBlob

iam.serviceAccounts.signJwt

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

Pub/Sub permissions

Permission	Included in roles
`pubsub.messageTransforms.validate`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Security Center Admin (`roles/securitycenter.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)
`pubsub.schemas.attach`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)
`pubsub.schemas.commit`	Owner (`roles/owner`) Editor (`roles/editor`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)
`pubsub.schemas.create`	Owner (`roles/owner`) Editor (`roles/editor`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)
`pubsub.schemas.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)
`pubsub.schemas.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Security Center Admin (`roles/securitycenter.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)
`pubsub.schemas.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.schemas.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Security Center Admin (`roles/securitycenter.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)
`pubsub.schemas.listRevisions`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Security Center Admin (`roles/securitycenter.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)
`pubsub.schemas.rollback`	Owner (`roles/owner`) Editor (`roles/editor`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)
`pubsub.schemas.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Pub/Sub Admin (`roles/pubsub.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.schemas.validate`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Security Center Admin (`roles/securitycenter.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)
`pubsub.snapshots.create`	Owner (`roles/owner`) Editor (`roles/editor`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)
`pubsub.snapshots.createTagBinding`	Owner (`roles/owner`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Tag User (`roles/resourcemanager.tagUser`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.snapshots.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)
`pubsub.snapshots.deleteTagBinding`	Owner (`roles/owner`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Tag User (`roles/resourcemanager.tagUser`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.snapshots.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Security Center Admin (`roles/securitycenter.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)
`pubsub.snapshots.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) Security Auditor (`roles/iam.securityAuditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.snapshots.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Security Center Admin (`roles/securitycenter.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)
`pubsub.snapshots.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Security Center Admin (`roles/securitycenter.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.snapshots.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Security Center Admin (`roles/securitycenter.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.snapshots.seek`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Subscriber (`roles/pubsub.subscriber`) Composer Worker (`roles/composer.worker`) Data Scientist (`roles/iam.dataScientist`) Dev Ops (`roles/iam.devOps`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Healthcare Service Agent (`roles/healthcare.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)
`pubsub.snapshots.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Pub/Sub Admin (`roles/pubsub.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.snapshots.update`	Owner (`roles/owner`) Editor (`roles/editor`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)
`pubsub.subscriptions.consume`	Owner (`roles/owner`) Editor (`roles/editor`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Subscriber (`roles/pubsub.subscriber`) Composer Worker (`roles/composer.worker`) Data Scientist (`roles/iam.dataScientist`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Healthcare Service Agent (`roles/healthcare.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Data Plane Service Agent (`roles/kuberun.eventsDataPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`)
`pubsub.subscriptions.create`	Owner (`roles/owner`) Editor (`roles/editor`) Assured OSS Admin (`roles/assuredoss.admin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Security Center Admin (`roles/securitycenter.admin`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`)
`pubsub.subscriptions.createTagBinding`	Owner (`roles/owner`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Tag User (`roles/resourcemanager.tagUser`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.subscriptions.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`)
`pubsub.subscriptions.deleteTagBinding`	Owner (`roles/owner`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Tag User (`roles/resourcemanager.tagUser`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.subscriptions.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Security Center Admin (`roles/securitycenter.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) KubeRun Events Data Plane Service Agent (`roles/kuberun.eventsDataPlaneServiceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`)
`pubsub.subscriptions.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) Security Auditor (`roles/iam.securityAuditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.subscriptions.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Security Center Admin (`roles/securitycenter.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`)
`pubsub.subscriptions.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Security Center Admin (`roles/securitycenter.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.subscriptions.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Security Center Admin (`roles/securitycenter.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.subscriptions.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Pub/Sub Admin (`roles/pubsub.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.subscriptions.update`	Owner (`roles/owner`) Editor (`roles/editor`) Assured OSS Admin (`roles/assuredoss.admin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Security Center Admin (`roles/securitycenter.admin`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`)
`pubsub.topics.attachSubscription`	Owner (`roles/owner`) Editor (`roles/editor`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Subscriber (`roles/pubsub.subscriber`) Composer Worker (`roles/composer.worker`) Data Scientist (`roles/iam.dataScientist`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Healthcare Service Agent (`roles/healthcare.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`)
`pubsub.topics.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`)
`pubsub.topics.createTagBinding`	Owner (`roles/owner`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Tag User (`roles/resourcemanager.tagUser`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.topics.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`)
`pubsub.topics.deleteTagBinding`	Owner (`roles/owner`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Tag User (`roles/resourcemanager.tagUser`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.topics.detachSubscription`	Owner (`roles/owner`) Editor (`roles/editor`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)
`pubsub.topics.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Data Catalog Admin (`roles/datacatalog.admin`) Datacatalog Editor (`roles/datacatalog.editor`) Data Catalog Viewer (`roles/datacatalog.viewer`) Firebase Rules System (`roles/firebaserules.system`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Security Center Admin (`roles/securitycenter.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) KubeRun Events Data Plane Service Agent (`roles/kuberun.eventsDataPlaneServiceAgent`) Media Asset Service Agent (`roles/mediaasset.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`)
`pubsub.topics.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) Security Auditor (`roles/iam.securityAuditor`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`)
`pubsub.topics.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Firebase Rules System (`roles/firebaserules.system`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Security Center Admin (`roles/securitycenter.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`)
`pubsub.topics.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Security Center Admin (`roles/securitycenter.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.topics.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Security Center Admin (`roles/securitycenter.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`)
`pubsub.topics.publish`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Firebase Rules System (`roles/firebaserules.system`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Composer Worker (`roles/composer.worker`) Data Scientist (`roles/iam.dataScientist`) Dev Ops (`roles/iam.devOps`) Pub/Sub Publisher (`roles/pubsub.publisher`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Artifact Registry Service Agent (`roles/artifactregistry.serviceAgent`) Google Batch Service Agent (`roles/batch.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud IoT Core Service Agent (`roles/cloudiot.serviceAgent`) Cloud Scheduler Service Agent (`roles/cloudscheduler.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Container Registry Service Agent (`roles/containerregistry.ServiceAgent`) Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Firebase Realtime Database Service Agent (`roles/firebasedatabase.serviceAgent`) Genomics Service Agent (`roles/genomics.serviceAgent`) Healthcare Service Agent (`roles/healthcare.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Data Plane Service Agent (`roles/kuberun.eventsDataPlaneServiceAgent`) Cloud Life Sciences Service Agent (`roles/lifesciences.serviceAgent`) Media Asset Service Agent (`roles/mediaasset.serviceAgent`) Pub/Sub Lite Service Agent (`roles/pubsublite.serviceAgent`) Security Center Notification Service Agent (`roles/securitycenter.notificationServiceAgent`) Google Cloud Security Response Service Agent (`roles/securitycenter.securityResponseServiceAgent`) Cloud Source Repositories Service Agent (`roles/sourcerepo.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Transcoder Service Agent (`roles/transcoder.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`)
`pubsub.topics.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Pub/Sub Admin (`roles/pubsub.admin`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`)
`pubsub.topics.update`	Owner (`roles/owner`) Editor (`roles/editor`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`)
`pubsub.topics.updateTag`	Owner (`roles/owner`) Editor (`roles/editor`) Data Catalog Admin (`roles/datacatalog.admin`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Composer Worker (`roles/composer.worker`) Data Catalog Tag Editor (`roles/datacatalog.tagEditor`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`)

Pub/Sub roles and permissions Stay organized with collections Save and categorize content based on your preferences.

Pub/Sub roles

Pub/Sub Admin

Pub/Sub Editor

Pub/Sub Subscriber

Pub/Sub Viewer

Pub/Sub Publisher

Service agent roles

Cloud Pub/Sub Service Agent

Pub/Sub permissions

pubsub.messageTransforms.validate

pubsub.schemas.attach

pubsub.schemas.commit

pubsub.schemas.create

pubsub.schemas.delete

pubsub.schemas.get

pubsub.schemas.getIamPolicy

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.rollback

pubsub.schemas.setIamPolicy

pubsub.schemas.validate

pubsub.snapshots.create

pubsub.snapshots.createTagBinding

pubsub.snapshots.delete

pubsub.snapshots.deleteTagBinding

pubsub.snapshots.get

pubsub.snapshots.getIamPolicy

pubsub.snapshots.list

pubsub.snapshots.listEffectiveTags

pubsub.snapshots.listTagBindings

pubsub.snapshots.seek

pubsub.snapshots.setIamPolicy

pubsub.snapshots.update

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.createTagBinding

pubsub.subscriptions.delete

pubsub.subscriptions.deleteTagBinding

pubsub.subscriptions.get

pubsub.subscriptions.getIamPolicy

pubsub.subscriptions.list

pubsub.subscriptions.listEffectiveTags

pubsub.subscriptions.listTagBindings

pubsub.subscriptions.setIamPolicy

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.createTagBinding

pubsub.topics.delete

pubsub.topics.deleteTagBinding

pubsub.topics.detachSubscription

pubsub.topics.get

pubsub.topics.getIamPolicy

pubsub.topics.list

pubsub.topics.listEffectiveTags

pubsub.topics.listTagBindings

pubsub.topics.publish

pubsub.topics.setIamPolicy

pubsub.topics.update

pubsub.topics.updateTag

Pub/Sub roles and permissions

`pubsub.messageTransforms.validate`

`pubsub.schemas.attach`

`pubsub.schemas.commit`

`pubsub.schemas.create`

`pubsub.schemas.delete`

`pubsub.schemas.get`

`pubsub.schemas.getIamPolicy`

`pubsub.schemas.list`

`pubsub.schemas.listRevisions`

`pubsub.schemas.rollback`

`pubsub.schemas.setIamPolicy`

`pubsub.schemas.validate`

`pubsub.snapshots.create`

`pubsub.snapshots.createTagBinding`

`pubsub.snapshots.delete`

`pubsub.snapshots.deleteTagBinding`

`pubsub.snapshots.get`

`pubsub.snapshots.getIamPolicy`

`pubsub.snapshots.list`

`pubsub.snapshots.listEffectiveTags`

`pubsub.snapshots.listTagBindings`

`pubsub.snapshots.seek`

`pubsub.snapshots.setIamPolicy`

`pubsub.snapshots.update`

`pubsub.subscriptions.consume`

`pubsub.subscriptions.create`

`pubsub.subscriptions.createTagBinding`

`pubsub.subscriptions.delete`

`pubsub.subscriptions.deleteTagBinding`

`pubsub.subscriptions.get`

`pubsub.subscriptions.getIamPolicy`

`pubsub.subscriptions.list`

`pubsub.subscriptions.listEffectiveTags`

`pubsub.subscriptions.listTagBindings`

`pubsub.subscriptions.setIamPolicy`

`pubsub.subscriptions.update`

`pubsub.topics.attachSubscription`

`pubsub.topics.create`

`pubsub.topics.createTagBinding`

`pubsub.topics.delete`

`pubsub.topics.deleteTagBinding`

`pubsub.topics.detachSubscription`

`pubsub.topics.get`

`pubsub.topics.getIamPolicy`

`pubsub.topics.list`

`pubsub.topics.listEffectiveTags`

`pubsub.topics.listTagBindings`

`pubsub.topics.publish`

`pubsub.topics.setIamPolicy`

`pubsub.topics.update`

`pubsub.topics.updateTag`