Docs Cloud Security Authorization GCP IAM Policies GCP IAM Policies Redpanda automatically assigns IAM policies to the Redpanda Cloud agent when it is deployed. The permissions grant the agent access to the BYOC cluster. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access, so that brokers can communicate with the BYOC clusters. See also: BYOC architecture This page lists the IAM permissions Redpanda needs to create a BYOC cluster. No IAM permissions are required for Redpanda Cloud users. GCP IAM policies The Redpanda agent service account for GCP is granted the following roles/permissions to manage Redpanda cluster resources: Role/Permission Description compute.addresses.get Allows a user to retrieve a specified address. compute.autoscalers.get Allows a user to retrieve a specified autoscaler. compute.autoscalers.list Allows a user to list autoscalers in a specified zone. compute.firewalls.create Allows a user to create firewall rules to control inbound and outbound traffic for GCP instances. compute.firewalls.delete Allows a user or service account to remove existing firewall rules from within a GCP project, modifying the network security configuration. compute.firewalls.get Allows a user to view the details and configuration of a specific firewall rule for GCP projects. compute.firewalls.update Allows a user to modify a specified firewall. compute.globalOperations.get Allows a user to retrieve information about a specific global operation in a GCP project. compute.instanceGroupManagers.create Allows a user to create a managed instance group. compute.instanceGroupManagers.delete Allows a user to delete a specified managed instance group. compute.instanceGroupManagers.get Allows a user or service account to retrieve details like the configuration, status, and properties of an instance group manager within GCP. compute.instanceGroupManagers.update Allows a user to modify a specified managed instance group. compute.instanceGroups.create Allows a user to create an instance group. compute.instanceGroups.delete Allows a user to delete a specified instance group. compute.instanceGroups.get Allows a user to retrieve a specified instance group. compute.instanceGroups.update Allows a user to modify a specified instance group. compute.instances.create Allows a user to create an instance. compute.instances.delete Allows a user to delete a specified instance. compute.instances.get Allows a user to retrieve a specified instance. compute.instances.list Allows a user to list instances contained within a specified zone. compute.instances.reset Allows a user to perform a reset on the specified instance. compute.instances.setDeletionProtection Allows a user to enable deletion protection on a specified instance. compute.instances.update Allows a user to modify a specified instance. compute.instanceTemplates.create Allows a user to create an instance template. compute.instanceTemplates.delete Allows a user to delete a specified instance template. compute.instanceTemplates.get Allows a user to retrieve a specified instance template. compute.networks.create Allows a user to create a network. compute.networks.delete Allows a user to delete a specified network. compute.networks.get Allows a user to retrieve a specified network. compute.networks.getEffectiveFirewalls Allows a user to retrieve the effective firewalls for a specified network. compute.networks.update Allows a user to modify a specified network. compute.networks.updatePolicy Allows a user to update the configuration of existing GCP network resources. compute.projects.get Allows a user or service account to retrieve information (such as project metadata, quotas, and configuration settings) about a specific GCP project. compute.regions.get Allows a user to retrieve a specified region. compute.regions.list Allows a user to retrieve a list of the available regions in a GCP project. compute.routers.get Allows a user to retrieve a specified router. compute.subnetworks.get Allows a user to retrieve a specified subnetwork. compute.zoneOperations.get Allows a user to retrieve a specified zone operation. compute.zoneOperations.list Allows a user to list zone operations. compute.zones.get Allows a user to retrieve a specified zone. compute.zones.list Allows a user to retrieve a list of the available zones in a GCP project. dns.changes.create Allows a user to create and update DNS resource record sets. dns.changes.get Allows a user to retrieve the information about an existing DNS change. dns.changes.list Allows a user to retrieve a list of changes to DNS resource record sets. dns.managedZones.create Allows a user to create a new managed zone. A DNS managed zone holds the Domain Name System (DNS) records for the same DNS name suffix. dns.managedZones.delete Allows a user or service account to delete managed zones within the Google Cloud DNS project. dns.managedZones.get Allows a user or service account to retrieve information about a specific DNS managed zone. This permission is used in the context of Google Cloud DNS, which is a scalable and reliable domain name system (DNS) service. dns.managedZones.list Allows a user or service account to list the managed zones within a Google Cloud DNS project. dns.managedZones.update Allows a user to update or modify the configuration of a managed DNS zone within a Google Cloud DNS project. dns.projects.get Allows a user to retrieve information about an existing GCP DNS project. dns.resourceRecordSets.create Allows a user to create resource record sets within a DNS zone. dns.resourceRecordSets.delete Allows a user to delete resource record sets within a DNS zone. dns.resourceRecordSets.get Allows a user or service account to retrieve information about resource record sets within a managed DNS zone. dns.resourceRecordSets.list Allows a user or service account to retrieve a list of resource record sets that are part of a particular DNS zone. dns.resourceRecordSets.update Allows a user or service account to make changes to the resource records in a DNS zone. iam.roles.create Allows a user to create a custom role for a GCP project or an organization. iam.roles.delete Allows a user to delete a custom role from a GCP project or an organization. iam.roles.get Allows a user to retrieve information about a specific role, including its permissions. iam.roles.list Allows a user to list predefined roles, or the custom roles for a project or an organization. iam.roles.undelete Allows a user to undelete a custom role from an organization or a project. iam.roles.update Allows a user to update an IAM custom role. iam.serviceAccounts.actAs Allows a service account to act as another service account or user within a GCP project. This permission is used to delegate authority to one service account to impersonate or perform actions on behalf of another service account or user. iam.serviceAccounts.create Allows a user to create a service account for a project. iam.serviceAccounts.delete Allows a user to delete a service account for a project. iam.serviceAccounts.get Allows a user or service account to retrieve metadata and configuration information about a particular service account within a project. This includes information such as the email address, display name, and IAM policies associated with the service account. iam.serviceAccounts.getIamPolicy Allows a user to retrieve the IAM policy for a service account. iam.serviceAccounts.setIamPolicy Allows a user to set the IAM policy for a service account. iam.serviceAccounts.update Allows a user to modify the service account for a project. logging.logEntries.create Allows user to write log entries. resourcemanager.projects.get Allows a user or service account to view project details, such as project ID, name, labels, and other project-level settings. This permission controls the ability to retrieve the metadata and configuration of a project in GCP using the Resource Manager API. resourcemanager.projects.getIamPolicy Allows a user or service account to retrieve the IAM access control policy for a specified project. Permission is denied if the policy or the resource does not exist. resourcemanager.projects.setIamPolicy Allows a user or service account to set the IAM access control policy for the specified project. storage.buckets.get Allows a user to retrieve metadata and configuration information about a specific bucket in Google Cloud Storage. Users with this permission can view details such as the bucket’s name, location, storage class, access control settings, and other attributes. storage.buckets.getIamPolicy Allows a user to retrieve the IAM policy for a bucket. storage.buckets.setIamPolicy Allows a user to set the IAM policy for a bucket. Storage Object Admin Grants full control of bucket objects. The Redpanda Agent Storage Admin grant is scoped to a single bucket. Kubernetes Engine Admin Full management of Kubernetes clusters and their Kubernetes API objects. Back to top × Simple online edits For simple changes, such as fixing a typo, you can edit the content directly on GitHub. Edit on GitHub Or, open an issue to let us know about something that you want us to change. Open an issue Contribution guide For extensive content updates, or if you prefer to work locally, read our contribution guide . Was this helpful? thumb_up thumb_down group Ask in the community mail Share your feedback group_add Make a contribution Azure IAM Policies Encryption