This page describes the Identity and Access Management (IAM) permissions that are necessary to perform specific Secure Web Proxy operations. It also explains how to create a custom IAM role and assign the required permissions to the role for managing various Secure Web Proxy resources.
Permissions
The following table lists the permissions that you require to perform specific operations in Secure Web Proxy. For more information, see the IAM permissions reference.
| Operation | Resource | Permission (method) |
|---|---|---|
| Create a policy | Gateway security policies | networksecurity.gatewaySecurityPolicies.create |
| Delete a policy | Gateway security policies | networksecurity.gatewaySecurityPolicies.delete |
| Retrieve a policy | Gateway security policies | networksecurity.gatewaySecurityPolicies.get |
| List policies | Gateway security policies | networksecurity.gatewaySecurityPolicies.list |
| Update a policy | Gateway security policies | networksecurity.gatewaySecurityPolicies.update |
| Create a rule | Gateway security policy rules | networksecurity.gatewaySecurityPolicyRules.create |
| Delete a rule | Gateway security policy rules | networksecurity.gatewaySecurityPolicyRules.delete |
| Retrieve a rule | Gateway security policy rules | networksecurity.gatewaySecurityPolicyRules.get |
| List rules | Gateway security policy rules | networksecurity.gatewaySecurityPolicyRules.list |
| Update a rule | Gateway security policy rules | networksecurity.gatewaySecurityPolicyRules.update |
| Retrieve an operation | Operations | networksecurity.operations.get |
| Create a TLS inspection policy | TLS inspection policies | networksecurity.tlsInspectionPolicies.create |
| Delete a TLS inspection policy | TLS inspection policies | networksecurity.tlsInspectionPolicies.delete |
| Retrieve a TLS inspection policy | TLS inspection policies | networksecurity.tlsInspectionPolicies.get |
| List TLS inspection policies | TLS inspection policies | networksecurity.tlsInspectionPolicies.list |
| Update a TLS inspection policy | TLS inspection policies | networksecurity.tlsInspectionPolicies.update |
| Attach a TLS inspection policy to a Secure Web Proxy policy | TLS inspection policies | networksecurity.tlsInspectionPolicies.use |
| Create a URL list | URL lists | networksecurity.urlLists.create |
| Delete a URL list | URL lists | networksecurity.urlLists.delete |
| Retrieve a URL list | URL lists | networksecurity.urlLists.get |
| List all URL lists | URL lists | networksecurity.urlLists.list |
| Update a URL list | URL lists | networksecurity.urlLists.update |
| Attach a URL list to a Secure Web Proxy rule | URL lists | networksecurity.urlLists.use |
| Provision and manage a Secure Web Proxy instance | Various Certificate Manager, Compute Engine, Secure Web Proxy, Resource Manager, and Cloud Monitoring resources | |
Roles
To get the permissions that you need to provision a Secure Web Proxy instance, ask your administrator to grant you the following IAM roles on your project:
- To configure policies and provision a Secure Web Proxy instance: Compute Network Admin role (roles/compute.networkAdmin)
- To upload explicit Secure Web Proxy TLS certificates: Certificate Manager Editor role (roles/certificatemanager.editor)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
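As an added example (not part of the Secure Web Proxy documentation), the following Python script derives a least-privilege permission list for a custom role from the table above and flags grants that exceed the intended duties, showing that attaching a resource (`use`) is a separate grant from modifying it. The function names, the "rule editor" intent, and the sample role are assumptions made for illustration.

```python
# Added example: resource -> verbs, transcribed from the permission table above.
TABLE = {
    "gatewaySecurityPolicies": {"create", "delete", "get", "list", "update"},
    "gatewaySecurityPolicyRules": {"create", "delete", "get", "list", "update"},
    "operations": {"get"},
    "tlsInspectionPolicies": {"create", "delete", "get", "list", "update", "use"},
    "urlLists": {"create", "delete", "get", "list", "update", "use"},
}
READ, WRITE, ATTACH = {"get", "list"}, {"create", "update", "delete"}, {"use"}

def build_permissions(writable, attachable=()):
    """Read access to everything in the table, write access only to `writable`
    resources, and attach (`use`) access only to `attachable` resources."""
    perms = set()
    for resource, verbs in TABLE.items():
        allowed = verbs & READ
        if resource in writable:
            allowed |= verbs & WRITE
        if resource in attachable:
            allowed |= verbs & ATTACH
        perms |= {f"networksecurity.{resource}.{verb}" for verb in allowed}
    return sorted(perms)

def review_role(included_permissions, writable, attachable=()):
    """Return (finding, permission) pairs for grants beyond the stated intent."""
    expected = set(build_permissions(writable, attachable))
    findings = []
    for perm in sorted(set(included_permissions) - expected):
        service, _, rest = perm.partition(".")
        resource, _, verb = rest.partition(".")
        if service != "networksecurity" or verb not in TABLE.get(resource, ()):
            findings.append(("not-in-table", perm))
        elif verb in WRITE:
            findings.append(("excess-write", perm))
        else:  # only `use` can reach here: reads are always expected
            findings.append(("excess-attach", perm))
    return findings

# Constructed sample: a hypothetical rule-editor role that has drifted.
INTENT = ({"gatewaySecurityPolicyRules"}, {"urlLists"})
RULE_EDITOR = build_permissions(*INTENT) + [
    "networksecurity.tlsInspectionPolicies.update",  # can alter TLS inspection
    "networksecurity.tlsInspectionPolicies.use",
    "compute.networks.delete",  # outside the table on this page
]

if __name__ == "__main__":
    for finding, perm in review_role(RULE_EDITOR, *INTENT):
        print(f"{finding:14} {perm}")
```

The list returned by `build_permissions` can be used as the `includedPermissions` field of a role definition file passed to `gcloud iam roles create`.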
Optional: If you have a set of users who are responsible for managing your
Compute Engine organization security policies, then grant them the
Compute Organization Security Policy Admin role
(roles/compute.orgSecurityPolicyAdmin).
For more information about project roles and permissions, see the following:
- Identity and Access Management documentation
- Compute Engine API documentation
- Cloud Monitoring API documentation
What's next
- To complete the initial tasks to set up Secure Web Proxy, see Initial setup steps.