Cloud

GCP IAM Policies

When you run rpk cloud byoc gcp apply to create a BYOC cluster, you grant IAM permissions to the Redpanda Cloud agent. IAM permissions allow the agent to access the GCP API to create and manage cluster resources. The permissions follow the principle of least privilege, limiting access to only what is necessary. IAM permissions are not required by Redpanda Cloud users.

This page lists the IAM permissions the Redpanda agent service account uses to manage BYOC cluster resources. Your GCP account does not need these permissions for the initial Terraform bootstrap. This does not pertain to permissions for BYOVPC clusters.
No IAM permissions are required for Redpanda Cloud users. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access, so that brokers can communicate with the BYOC clusters.

GCP IAM policies

The Redpanda agent service account for GCP is granted the following roles/permissions to manage Redpanda cluster resources:

Role/Permission	Description
compute.addresses.get	Allows a user to retrieve a specified address.
compute.autoscalers.get	Allows a user to retrieve a specified autoscaler.
compute.autoscalers.list	Allows a user to list autoscalers in a specified zone.
compute.firewalls.create	Allows a user to create firewall rules to control inbound and outbound traffic for GCP instances.
compute.firewalls.delete	Allows a user or service account to remove existing firewall rules from within a GCP project, modifying the network security configuration.
compute.firewalls.get	Allows a user to view the details and configuration of a specific firewall rule for GCP projects.
compute.firewalls.update	Allows a user to modify a specified firewall.
compute.forwardingRules.create	Allows a user to create new forwarding rules within a project.
compute.forwardingRules.delete	Allows a user to delete existing forwarding rules within a project.
compute.forwardingRules.get	Allows a user to retrieve details about a specific forwarding rule within a project.
compute.forwardingRules.pscCreate	Allows a user to create Private Service Connect forwarding rules within a project.
compute.forwardingRules.pscDelete	Allows a user to delete Private Service Connect forwarding rules within a project.
compute.forwardingRules.pscSetLabels	Allows a user to set or modify labels on Private Service Connect forwarding rules within a project.
compute.forwardingRules.pscSetTarget	Allows a user to update the target service for a Private Service Connect forwarding rule.
compute.forwardingRules.pscUpdate	Allows a user to update Private Service Connect forwarding rules within a project.
compute.forwardingRules.setLabels	Allows a user to set, update, or remove labels on forwarding rules.
compute.forwardingRules.setTarget	Allows a user to update the target of an existing forwarding rule.
compute.forwardingRules.use	Allows a user to use a forwarding rule for traffic routing or other operations, without the ability to modify or delete it.
compute.globalOperations.get	Allows a user to retrieve information about a specific global operation in a GCP project.
compute.instanceGroupManagers.create	Allows a user to create a managed instance group.
compute.instanceGroupManagers.delete	Allows a user to delete a specified managed instance group.
compute.instanceGroupManagers.get	Allows a user or service account to retrieve details like the configuration, status, and properties of an instance group manager within GCP.
compute.instanceGroupManagers.update	Allows a user to modify a specified managed instance group.
compute.instanceGroups.create	Allows a user to create an instance group.
compute.instanceGroups.delete	Allows a user to delete a specified instance group.
compute.instanceGroups.get	Allows a user to retrieve a specified instance group.
compute.instanceGroups.update	Allows a user to modify a specified instance group.
compute.instances.create	Allows a user to create an instance.
compute.instances.delete	Allows a user to delete a specified instance.
compute.instances.get	Allows a user to retrieve a specified instance.
compute.instances.list	Allows a user to list instances contained within a specified zone.
compute.instances.reset	Allows a user to perform a reset on the specified instance.
compute.instances.setDeletionProtection	Allows a user to enable deletion protection on a specified instance.
compute.instances.update	Allows a user to modify a specified instance.
compute.instances.use	Allows a user to use VM instances for operations, such as connecting to or interacting with the VM, but it does not grant the ability to modify or manage the instance itself.
compute.instanceTemplates.create	Allows a user to create an instance template.
compute.instanceTemplates.delete	Allows a user to delete a specified instance template.
compute.instanceTemplates.get	Allows a user to retrieve a specified instance template.
compute.networks.create	Allows a user to create a network.
compute.networks.delete	Allows a user to delete a specified network.
compute.networks.getEffectiveFirewalls	Allows a user to retrieve the effective firewalls for a specified network.
compute.networks.update	Allows a user to modify a specified network.
compute.networks.updatePolicy	Allows a user to update the configuration of existing GCP network resources.
compute.networks.use	Allows a user to use a VPC network and its associated resources for tasks like launching instances or using network services, but it does not grant permission to modify the network itself.
compute.projects.get	Allows a user or service account to retrieve information (such as project metadata, quotas, and configuration settings) about a specific GCP project.
compute.regionBackendServices.create	Allows a user to create backend services in a specific region for a regional load balancer.
compute.regionBackendServices.delete	Allows a user to delete backend services within a specific region.
compute.regionBackendServices.get	Allows a user to retrieve information about a backend service within a specific region.
compute.regionBackendServices.use	Allows a user to use a backend service in a specific region for operations like routing traffic, but does not grant the ability to modify or delete the backend service.
compute.regionNetworkEndpointGroups.attachNetworkEndpoints	Allows a user to attach network endpoints to a regional network endpoint group (NEG).
compute.regionNetworkEndpointGroups.create	Allows a user to create a NEG within a specific region.
compute.regionNetworkEndpointGroups.delete	Allows a user to delete a NEG in a specific region.
compute.regionNetworkEndpointGroups.detachNetworkEndpoints	Allows a user to remove network endpoints from a regional NEG.
compute.regionNetworkEndpointGroups.get	Allows a user to retrieve information about a specific NEG within a region.
compute.regionNetworkEndpointGroups.use	Allows a user to use a NEG within a specific region, typically for traffic routing and load balancing operations, without granting the ability to modify or delete the NEG itself.
compute.regions.get	Allows a user to retrieve a specified region.
compute.regions.list	Allows a user to retrieve a list of the available regions in a GCP project.
compute.routers.get	Allows a user to retrieve a specified router.
compute.serviceAttachments.create	Allows a user to create service attachments for Google Cloud services within a specific project or region.
compute.serviceAttachments.delete	Allows a user to delete service attachments that are configured in a project or region.
compute.serviceAttachments.get	Allows a user to retrieve information about an existing service attachment in a project or region.
compute.serviceAttachments.list	Allows a user to list all service attachments within a project or region.
compute.serviceAttachments.update	Allows a user to update or modify a service attachment in a project or region.
compute.subnetworks.get	Allows a user to retrieve a specified subnetwork.
compute.zoneOperations.get	Allows a user to retrieve a specified zone operation.
compute.zoneOperations.list	Allows a user to list zone operations.
compute.zones.get	Allows a user to retrieve a specified zone.
compute.zones.list	Allows a user to retrieve a list of the available zones in a GCP project.
dns.changes.create	Allows a user to create and update DNS resource record sets.
dns.changes.get	Allows a user to retrieve the information about an existing DNS change.
dns.changes.list	Allows a user to retrieve a list of changes to DNS resource record sets.
dns.managedZones.create	Allows a user to create a new managed zone. A DNS managed zone holds the Domain Name System (DNS) records for the same DNS name suffix.
dns.managedZones.delete	Allows a user or service account to delete managed zones within the Google Cloud DNS project.
dns.managedZones.get	Allows a user or service account to retrieve information about a specific DNS managed zone. This permission is used in the context of Google Cloud DNS, which is a scalable and reliable domain name system (DNS) service.
dns.managedZones.list	Allows a user or service account to list the managed zones within a Google Cloud DNS project.
dns.managedZones.update	Allows a user to update or modify the configuration of a managed DNS zone within a Google Cloud DNS project.
dns.projects.get	Allows a user to retrieve information about an existing GCP DNS project.
dns.resourceRecordSets.create	Allows a user to create resource record sets within a DNS zone.
dns.resourceRecordSets.delete	Allows a user to delete resource record sets within a DNS zone.
dns.resourceRecordSets.get	Allows a user or service account to retrieve information about resource record sets within a managed DNS zone.
dns.resourceRecordSets.list	Allows a user or service account to retrieve a list of resource record sets that are part of a particular DNS zone.
dns.resourceRecordSets.update	Allows a user or service account to make changes to the resource records in a DNS zone.
iam.roles.create	Allows a user to create a custom role for a GCP project or an organization.
iam.roles.delete	Allows a user to delete a custom role from a GCP project or an organization.
iam.roles.get	Allows a user to retrieve information about a specific role, including its permissions.
iam.roles.list	Allows a user to list predefined roles, or the custom roles for a project or an organization.
iam.roles.undelete	Allows a user to undelete a custom role from an organization or a project.
iam.roles.update	Allows a user to update an IAM custom role.
iam.serviceAccounts.actAs	Allows a service account to act as another service account or user within a GCP project. This permission is used to delegate authority to one service account to impersonate or perform actions on behalf of another service account or user.
iam.serviceAccounts.create	Allows a user to create a service account for a project.
iam.serviceAccounts.delete	Allows a user to delete a service account for a project.
iam.serviceAccounts.get	Allows a user or service account to retrieve metadata and configuration information about a particular service account within a project. This includes information such as the email address, display name, and IAM policies associated with the service account.
iam.serviceAccounts.getIamPolicy	Allows a user to retrieve the IAM policy for a service account.
iam.serviceAccounts.setIamPolicy	Allows a user to set the IAM policy for a service account.
iam.serviceAccounts.update	Allows a user to modify the service account for a project.
logging.logEntries.create	Allows a user to write log entries.
resourcemanager.projects.get	Allows a user or service account to view project details, such as project ID, name, labels, and other project-level settings. This permission controls the ability to retrieve the metadata and configuration of a project in GCP using the Resource Manager API.
resourcemanager.projects.getIamPolicy	Allows a user or service account to retrieve the IAM access control policy for a specified project. Permission is denied if the policy or the resource does not exist.
resourcemanager.projects.setIamPolicy	Allows a user or service account to set the IAM access control policy for the specified project.
storage.buckets.get	Allows a user to retrieve metadata and configuration information about a specific bucket in Google Cloud Storage. Users with this permission can view details such as the bucket’s name, location, storage class, access control settings, and other attributes.
storage.buckets.getIamPolicy	Allows a user to retrieve the IAM policy for a bucket.
storage.buckets.setIamPolicy	Allows a user to set the IAM policy for a bucket.
Storage Object Admin	Grants full control of bucket objects. The Redpanda Agent Storage Admin grant is scoped to a single bucket.
Kubernetes Engine Admin	Full management of Kubernetes clusters and their Kubernetes API objects.

Role/Permission

Description

compute.addresses.get

Allows a user to retrieve a specified address.

compute.autoscalers.get

Allows a user to retrieve a specified autoscaler.

compute.autoscalers.list

Allows a user to list autoscalers in a specified zone.

compute.firewalls.create

Allows a user to create firewall rules to control inbound and outbound traffic for GCP instances.

compute.firewalls.delete

Allows a user or service account to remove existing firewall rules from within a GCP project, modifying the network security configuration.

compute.firewalls.get

Allows a user to view the details and configuration of a specific firewall rule for GCP projects.

compute.firewalls.update

Allows a user to modify a specified firewall.

compute.forwardingRules.create

Allows a user to create new forwarding rules within a project.

compute.forwardingRules.delete

Allows a user to delete existing forwarding rules within a project.

compute.forwardingRules.get

Allows a user to retrieve details about a specific forwarding rule within a project.

compute.forwardingRules.pscCreate

Allows a user to create Private Service Connect forwarding rules within a project.

compute.forwardingRules.pscDelete

Allows a user to delete Private Service Connect forwarding rules within a project.

compute.forwardingRules.pscSetLabels

Allows a user to set or modify labels on Private Service Connect forwarding rules within a project.

compute.forwardingRules.pscSetTarget

Allows a user to update the target service for a Private Service Connect forwarding rule.

compute.forwardingRules.pscUpdate

Allows a user to update Private Service Connect forwarding rules within a project.

compute.forwardingRules.setLabels

Allows a user to set, update, or remove labels on forwarding rules.

compute.forwardingRules.setTarget

Allows a user to update the target of an existing forwarding rule.

compute.forwardingRules.use

Allows a user to use a forwarding rule for traffic routing or other operations, without the ability to modify or delete it.

compute.globalOperations.get

Allows a user to retrieve information about a specific global operation in a GCP project.

compute.instanceGroupManagers.create

Allows a user to create a managed instance group.

compute.instanceGroupManagers.delete

Allows a user to delete a specified managed instance group.

compute.instanceGroupManagers.get

Allows a user or service account to retrieve details like the configuration, status, and properties of an instance group manager within GCP.

compute.instanceGroupManagers.update

Allows a user to modify a specified managed instance group.

compute.instanceGroups.create

Allows a user to create an instance group.

compute.instanceGroups.delete

Allows a user to delete a specified instance group.

compute.instanceGroups.get

Allows a user to retrieve a specified instance group.

compute.instanceGroups.update

Allows a user to modify a specified instance group.

compute.instances.create

Allows a user to create an instance.

compute.instances.delete

Allows a user to delete a specified instance.

compute.instances.get

Allows a user to retrieve a specified instance.

compute.instances.list

Allows a user to list instances contained within a specified zone.

compute.instances.reset

Allows a user to perform a reset on the specified instance.

compute.instances.setDeletionProtection

Allows a user to enable deletion protection on a specified instance.

compute.instances.update

Allows a user to modify a specified instance.

compute.instances.use

Allows a user to use VM instances for operations, such as connecting to or interacting with the VM, but it does not grant the ability to modify or manage the instance itself.

compute.instanceTemplates.create

Allows a user to create an instance template.

compute.instanceTemplates.delete

Allows a user to delete a specified instance template.

compute.instanceTemplates.get

Allows a user to retrieve a specified instance template.

compute.networks.create

Allows a user to create a network.

compute.networks.delete

Allows a user to delete a specified network.

compute.networks.getEffectiveFirewalls

Allows a user to retrieve the effective firewalls for a specified network.

compute.networks.update

Allows a user to modify a specified network.

compute.networks.updatePolicy

Allows a user to update the configuration of existing GCP network resources.

compute.networks.use

Allows a user to use a VPC network and its associated resources for tasks like launching instances or using network services, but it does not grant permission to modify the network itself.

compute.projects.get

Allows a user or service account to retrieve information (such as project metadata, quotas, and configuration settings) about a specific GCP project.

compute.regionBackendServices.create

Allows a user to create backend services in a specific region for a regional load balancer.

compute.regionBackendServices.delete

Allows a user to delete backend services within a specific region.

compute.regionBackendServices.get

Allows a user to retrieve information about a backend service within a specific region.

compute.regionBackendServices.use

Allows a user to use a backend service in a specific region for operations like routing traffic, but does not grant the ability to modify or delete the backend service.

compute.regionNetworkEndpointGroups.attachNetworkEndpoints

Allows a user to attach network endpoints to a regional network endpoint group (NEG).

compute.regionNetworkEndpointGroups.create

Allows a user to create a NEG within a specific region.

compute.regionNetworkEndpointGroups.delete

Allows a user to delete a NEG in a specific region.

compute.regionNetworkEndpointGroups.detachNetworkEndpoints

Allows a user to remove network endpoints from a regional NEG.

compute.regionNetworkEndpointGroups.get

Allows a user to retrieve information about a specific NEG within a region.

compute.regionNetworkEndpointGroups.use

Allows a user to use a NEG within a specific region, typically for traffic routing and load balancing operations, without granting the ability to modify or delete the NEG itself.

compute.regions.get

Allows a user to retrieve a specified region.

compute.regions.list

Allows a user to retrieve a list of the available regions in a GCP project.

compute.routers.get

Allows a user to retrieve a specified router.

compute.serviceAttachments.create

Allows a user to create service attachments for Google Cloud services within a specific project or region.

compute.serviceAttachments.delete

Allows a user to delete service attachments that are configured in a project or region.

compute.serviceAttachments.get

Allows a user to retrieve information about an existing service attachment in a project or region.

compute.serviceAttachments.list

Allows a user to list all service attachments within a project or region.

compute.serviceAttachments.update

Allows a user to update or modify a service attachment in a project or region.

compute.subnetworks.get

Allows a user to retrieve a specified subnetwork.

compute.zoneOperations.get

Allows a user to retrieve a specified zone operation.

compute.zoneOperations.list

Allows a user to list zone operations.

compute.zones.get

Allows a user to retrieve a specified zone.

compute.zones.list

Allows a user to retrieve a list of the available zones in a GCP project.

dns.changes.create

Allows a user to create and update DNS resource record sets.

dns.changes.get

Allows a user to retrieve the information about an existing DNS change.

dns.changes.list

Allows a user to retrieve a list of changes to DNS resource record sets.

dns.managedZones.create

Allows a user to create a new managed zone. A DNS managed zone holds the Domain Name System (DNS) records for the same DNS name suffix.

dns.managedZones.delete

Allows a user or service account to delete managed zones within the Google Cloud DNS project.

dns.managedZones.get

Allows a user or service account to retrieve information about a specific DNS managed zone. This permission is used in the context of Google Cloud DNS, which is a scalable and reliable domain name system (DNS) service.

dns.managedZones.list

Allows a user or service account to list the managed zones within a Google Cloud DNS project.

dns.managedZones.update

Allows a user to update or modify the configuration of a managed DNS zone within a Google Cloud DNS project.

dns.projects.get

Allows a user to retrieve information about an existing GCP DNS project.

dns.resourceRecordSets.create

Allows a user to create resource record sets within a DNS zone.

dns.resourceRecordSets.delete

Allows a user to delete resource record sets within a DNS zone.

dns.resourceRecordSets.get

Allows a user or service account to retrieve information about resource record sets within a managed DNS zone.

dns.resourceRecordSets.list

Allows a user or service account to retrieve a list of resource record sets that are part of a particular DNS zone.

dns.resourceRecordSets.update

Allows a user or service account to make changes to the resource records in a DNS zone.

iam.roles.create

Allows a user to create a custom role for a GCP project or an organization.

iam.roles.delete

Allows a user to delete a custom role from a GCP project or an organization.

iam.roles.get

Allows a user to retrieve information about a specific role, including its permissions.

iam.roles.list

Allows a user to list predefined roles, or the custom roles for a project or an organization.

iam.roles.undelete

Allows a user to undelete a custom role from an organization or a project.

iam.roles.update

Allows a user to update an IAM custom role.

iam.serviceAccounts.actAs

Allows a service account to act as another service account or user within a GCP project. This permission is used to delegate authority to one service account to impersonate or perform actions on behalf of another service account or user.

iam.serviceAccounts.create

Allows a user to create a service account for a project.

iam.serviceAccounts.delete

Allows a user to delete a service account for a project.

iam.serviceAccounts.get

Allows a user or service account to retrieve metadata and configuration information about a particular service account within a project. This includes information such as the email address, display name, and IAM policies associated with the service account.

iam.serviceAccounts.getIamPolicy

Allows a user to retrieve the IAM policy for a service account.

iam.serviceAccounts.setIamPolicy

Allows a user to set the IAM policy for a service account.

iam.serviceAccounts.update

Allows a user to modify the service account for a project.

logging.logEntries.create

Allows a user to write log entries.

resourcemanager.projects.get

Allows a user or service account to view project details, such as project ID, name, labels, and other project-level settings. This permission controls the ability to retrieve the metadata and configuration of a project in GCP using the Resource Manager API.

resourcemanager.projects.getIamPolicy

Allows a user or service account to retrieve the IAM access control policy for a specified project. Permission is denied if the policy or the resource does not exist.

resourcemanager.projects.setIamPolicy

Allows a user or service account to set the IAM access control policy for the specified project.

storage.buckets.get

Allows a user to retrieve metadata and configuration information about a specific bucket in Google Cloud Storage. Users with this permission can view details such as the bucket’s name, location, storage class, access control settings, and other attributes.

storage.buckets.getIamPolicy

Allows a user to retrieve the IAM policy for a bucket.

storage.buckets.setIamPolicy

Allows a user to set the IAM policy for a bucket.

Storage Object Admin

Grants full control of bucket objects. The Redpanda Agent Storage Admin grant is scoped to a single bucket.

Kubernetes Engine Admin

Full management of Kubernetes clusters and their Kubernetes API objects.

Was this helpful?

group Ask in the community

mail Share your feedback

group_add Make a contribution

What do you think of this page?

Let us know more:

Let us contact you about your feedback:

GCP IAM Policies

GCP IAM policies

Simple online edits

Contribution guide