This page describes the Identity and Access Management (IAM) roles and permissions for Config Controller. Config Controller uses IAM to control access: IAM lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources.
Roles
Config Controller has predefined roles. The following table lists these roles and the permissions that the roles include:
| Role | Permissions |
|---|---|
| Config Controller Admin: Full access to all Config Controller resources. | |
| KRM API Hosting AnthosApiEndpoint Service Agent: Grants permissions to resources managed by AnthosApiEndpoint. | |
| KRM API Hosting Service Agent: Gives KRM API Hosting service account access to managed resource. | |
| Config Controller Viewer: Read-only access to all Config Controller resources. | |
For more information on how you should assign roles, see Choose predefined roles. Alternatively, you can create your own custom roles that contain exactly the permissions that you specify.
Permissions
Permissions granted by roles
The following table lists the permissions that the caller must have to call each Config Controller method and which roles grant the permissions:
| Permission | Granted by roles |
|---|---|
| krmapihosting.krmApiHosts.create | |
| krmapihosting.krmApiHosts.delete | |
| krmapihosting.krmApiHosts.get | |
| krmapihosting.krmApiHosts.getIamPolicy | |
| krmapihosting.krmApiHosts.list | |
| krmapihosting.krmApiHosts.setIamPolicy | |
| krmapihosting.krmApiHosts.update | |
| krmapihosting.locations.get | |
| krmapihosting.locations.list | |
| krmapihosting.operations.cancel | |
| krmapihosting.operations.delete | |
| krmapihosting.operations.get | |
| krmapihosting.operations.list | |
Permissions needed for actions
The following table lists which permission you need to perform specific actions.
| Required permission | Method | 
|---|---|
| krmapihosting.krmApiHosts.create | projects.locations.krmApiHosts.create | 
| krmapihosting.krmApiHosts.delete | projects.locations.krmApiHosts.delete | 
| krmapihosting.krmApiHosts.get | projects.locations.krmApiHosts.get | 
| krmapihosting.krmApiHosts.list | projects.locations.krmApiHosts.list | 
| krmapihosting.krmApiHosts.update | projects.locations.krmApiHosts.update | 
| krmapihosting.operations.get | projects.locations.operations.get | 
| krmapihosting.operations.list | projects.locations.operations.list | 
What's next
- Learn about IAM.