When you evaluate workloads using Workload Manager, you inspect infrastructure resources that might span multiple Google Cloud projects. Understanding how IAM roles are split between your central evaluation project and the projects hosting your workloads ensures that you grant the minimum permissions required to run evaluations securely.
This document explains consumer and target projects and lists the roles and permissions that you need to create and run Workload Manager evaluations.
Consumer and target projects
Workload Manager evaluations scan resources across multiple projects which are called target projects, but the evaluation is stored in only one project called a consumer project.
You use the consumer project to access Workload Manager in the Google Cloud console, and to create and run evaluations. When you create an evaluation using the Google Cloud console, in the Evaluation scope section of the workflow, you specify the target projects that hold the resources you want to evaluate.
If the resources to evaluate are present in the same project where you create a Workload Manager evaluation, then the consumer project is also considered as one of your target projects.
Summary of required permissions to create and run an evaluation
The following table summarizes the permissions required for users in the consumer and target projects to create and run evaluations using Workload Manager. To get the permission that you need, ask your administrator to grant you a role that includes the required permission or create a custom role.
| Action | Consumer project | Target project |
|---|---|---|
| Enable Workload Manager API |
Permission: serviceusage.services.enablePredefined role that includes the permission: roles/serviceusage.serviceUsageAdmin
|
None |
| Create an evaluation |
Permission to create a service account: resourcemanager.projects.setIamPolicyPredefined role that includes the permission: roles/resourcemanager.projectIamAdmin
Required only when you create the first evaluation.
Predefined role that grants permission to create an evaluation:
Predefined role that grants permission to create alert notifications: To create an evaluation using custom rules, you need the following additional permissions: Predefined role that grants permission to read Cloud Asset Inventory data: Predefined role that grants permission to read rules stored in a Cloud Storage bucket: Predefined role that grants permission to write evaluation results to a BigQuery dataset: |
Permission to create a service account: resourcemanager.projects.setIamPolicyPredefined role that includes the permission: roles/resourcemanager.projectIamAdmin
Required only when you create the first evaluation. |
| Run an evaluation |
Permission: workloadmanager.evaluations.runPredefined role that includes the permission: roles/workloadmanager.evaluationAdmin
|
None |
| View evaluation results |
Permission: workloadmanager.results.listPredefined role that includes the permission: roles/workloadmanager.evaluationAdminor roles/workloadmanager.evaluationViewer
|
None |
Service agents for evaluations
Workload Manager uses service agents (roles/workloadmanager.serviceAgent and roles/workloadmanager.worker) to scan resources in target projects and execute evaluations from consumer projects.
To learn how Workload Manager creates service agents automatically or how to create them manually using the Workload Manager API, see Workload Manager service agents.
Additional roles and permissions
For the complete reference of all Workload Manager roles and permissions across all APIs, see Workload Manager IAM roles and permissions.
For an overview of IAM allow policies and conditional access in Workload Manager, see Access control with IAM.