
Required IAM Permissions

Required API Services

Ensure the following Google Cloud Platform (GCP) API services are enabled in your GCP project to deploy a host cluster:

Tip: If you need help enabling a Google Cloud API service, see the Enable and disable APIs guide in the official Google Cloud documentation.

Required Permissions

This table lists the Google Cloud Platform (GCP) permissions required to create a custom GCP role tailored for use with Palette. When creating the custom role, include every permission listed below; a role missing any of them can cause Palette to fail while deploying a host cluster.

| Permission | Description |
| --- | --- |
| `compute.backendServices.create` | Create backend services |
| `compute.backendServices.delete` | Delete backend services |
| `compute.backendServices.get` | Get backend service information |
| `compute.backendServices.list` | List backend services |
| `compute.backendServices.update` | Update backend services |
| `compute.backendServices.use` | Use backend services |
| `compute.disks.create` | Create persistent disks |
| `compute.firewalls.create` | Create firewall rules |
| `compute.firewalls.delete` | Delete firewall rules |
| `compute.firewalls.get` | Get firewall rule information |
| `compute.firewalls.list` | List firewall rules |
| `compute.globalAddresses.create` | Create global addresses |
| `compute.globalAddresses.delete` | Delete global addresses |
| `compute.globalAddresses.get` | Get global address information |
| `compute.globalAddresses.list` | List global addresses |
| `compute.globalAddresses.use` | Use global addresses |
| `compute.globalForwardingRules.create` | Create global forwarding rules |
| `compute.globalForwardingRules.delete` | Delete global forwarding rules |
| `compute.globalForwardingRules.get` | Get global forwarding rule information |
| `compute.globalForwardingRules.list` | List global forwarding rules |
| `compute.healthChecks.create` | Create health checks |
| `compute.healthChecks.delete` | Delete health checks |
| `compute.healthChecks.get` | Get health check information |
| `compute.healthChecks.list` | List health checks |
| `compute.healthChecks.useReadOnly` | Use health checks in read-only mode |
| `compute.instanceGroups.create` | Create instance groups |
| `compute.instanceGroups.delete` | Delete instance groups |
| `compute.instanceGroups.get` | Get instance group information |
| `compute.instanceGroups.list` | List instance groups |
| `compute.instanceGroups.update` | Update instance groups |
| `compute.instanceGroups.use` | Use instance groups |
| `compute.instances.create` | Create instances |
| `compute.instances.delete` | Delete instances |
| `compute.instances.get` | Get instance information |
| `compute.instances.list` | List instances |
| `compute.instances.setLabels` | Set labels on instances |
| `compute.instances.setMetadata` | Set metadata on instances |
| `compute.instances.setServiceAccount` | Set the service account on instances |
| `compute.instances.setTags` | Set tags on instances |
| `compute.instances.use` | Use instances |
| `compute.networks.create` | Create networks |
| `compute.networks.delete` | Delete networks |
| `compute.networks.get` | Get network information |
| `compute.networks.list` | List networks |
| `compute.networks.updatePolicy` | Update network policies |
| `compute.regions.get` | Get region information |
| `compute.regions.list` | List regions |
| `compute.routers.create` | Create routers |
| `compute.routers.delete` | Delete routers |
| `compute.routers.get` | Get router information |
| `compute.routes.delete` | Delete routes |
| `compute.routes.get` | Get route information |
| `compute.routes.list` | List routes |
| `compute.subnetworks.create` | Create subnetworks |
| `compute.subnetworks.delete` | Delete subnetworks |
| `compute.subnetworks.list` | List subnetworks |
| `compute.subnetworks.use` | Use subnetworks |
| `compute.zones.list` | List zones |
| `container.clusters.create` | Create clusters |
| `container.clusters.delete` | Delete clusters |
| `container.clusters.get` | Get cluster information |
| `container.clusters.list` | List clusters |
| `container.clusters.update` | Update clusters |
| `resourcemanager.projects.get` | Get details of a specified Google Cloud project |
| `resourcemanager.projects.list` | List all Google Cloud projects that the user has access to |
| `storage.objects.get` | Get details of a specified object in Google Cloud Storage |
| `storage.objects.list` | List all objects in a specified Google Cloud Storage bucket |
| `iam.serviceAccounts.actAs` | Act as the specified service account, allowing access to its resources |
| `iam.serviceAccounts.get` | Get details of a specified service account |
| `iam.serviceAccounts.getAccessToken` | Get the OAuth2 access token for the service account |
| `iam.serviceAccounts.list` | List all service accounts available to the user |
| `serviceusage.quotas.get` | Get quota information for a specified Google Cloud service |
| `serviceusage.services.get` | Get details of a specified Google Cloud service |
| `serviceusage.services.list` | List all Google Cloud services available to the user |
| `recommender.containerDiagnosisInsights.*` | Access insights about diagnosed issues with Google Kubernetes Engine containers |
| `recommender.containerDiagnosisRecommendations.*` | Access recommendations for resolving diagnosed issues with Google Kubernetes Engine containers |
| `recommender.locations.*` | Access details about locations in Google Cloud Recommender |
| `recommender.networkAnalyzerGkeConnectivityInsights.*` | Access insights about network connectivity for Google Kubernetes Engine clusters |
| `recommender.networkAnalyzerGkeIpAddressInsights.*` | Access insights about IP address usage for Google Kubernetes Engine clusters |
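A quick way to confirm that a custom role really contains every permission in this table, before the role is handed to Palette, is to diff the role's granted permissions against the list. The script below is an added example, not part of the Palette documentation or tooling; it assumes the required list is saved one permission per line (as `required.txt`) and the role is exported with `gcloud iam roles describe ROLE_ID --project PROJECT --format=json`, and it treats a `prefix.*` entry as satisfied when any granted permission starts with that prefix (an assumption, since custom roles list permissions individually). The sample inputs are constructed.

```python
"""Compare a GCP custom role against the required-permissions list above.

Added example, not from the Palette docs. Assumes:
  - a required list with one permission per line (entries ending
    in ".*" denote a permission family, as in the table)
  - role JSON as printed by:
      gcloud iam roles describe ROLE_ID --project PROJECT --format=json
"""
import json


def parse_required(text):
    """Return the non-empty, non-comment lines of a required-permissions list."""
    lines = (ln.strip() for ln in text.splitlines())
    return {ln for ln in lines if ln and not ln.startswith("#")}


def missing_permissions(required, granted):
    """Return the sorted list of required permissions absent from `granted`.

    Assumption: 'prefix.*' counts as present when at least one granted
    permission starts with 'prefix.'; every other entry must match exactly.
    """
    missing = set()
    for perm in required:
        if perm.endswith(".*"):
            prefix = perm[:-1]  # keep the trailing dot
            if not any(g.startswith(prefix) for g in granted):
                missing.add(perm)
        elif perm not in granted:
            missing.add(perm)
    return sorted(missing)


def check_role(required_text, role_json):
    """Parse both inputs and report what the role is missing."""
    role = json.loads(role_json)
    granted = set(role.get("includedPermissions", []))  # field name from the Role resource
    return missing_permissions(parse_required(required_text), granted)


# Constructed sample: a four-entry required list and a role missing one of them.
SAMPLE_REQUIRED = "compute.instances.create\ncompute.instances.delete\n" \
                  "iam.serviceAccounts.actAs\nrecommender.locations.*\n"
SAMPLE_ROLE = json.dumps({
    "name": "projects/PROJECT_ID/roles/palette_custom",  # placeholder project
    "includedPermissions": ["compute.instances.create", "compute.instances.delete",
                            "recommender.locations.get"],
})

if __name__ == "__main__":
    for perm in check_role(SAMPLE_REQUIRED, SAMPLE_ROLE):
        print("MISSING:", perm)  # prints MISSING: iam.serviceAccounts.actAs
```

Any line printed is a permission to add to the role before using it with Palette; an empty result means the role covers the whole table.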