Docs Cloud Security Authorization GCP IAM Policies GCP IAM Policies When you run rpk cloud byoc gcp apply to create a BYOC cluster, you grant IAM permissions to the Redpanda Cloud agent. IAM permissions allow the agent to access the GCP API to create and manage cluster resources. The permissions follow the principle of least privilege, limiting access to only what is necessary. IAM permissions are not required by Redpanda Cloud users. This page lists the IAM permissions Redpanda requires to create BYOC clusters. This does not pertain to permissions for BYOVPC clusters. No IAM permissions are required for Redpanda Cloud users. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access, so that brokers can communicate with the BYOC clusters. GCP IAM policies The Redpanda agent service account for GCP is granted the following roles/permissions to manage Redpanda cluster resources: Role/Permission Description compute.addresses.get Allows a user to retrieve a specified address. compute.autoscalers.get Allows a user to retrieve a specified autoscaler. compute.autoscalers.list Allows a user to list autoscalers in a specified zone. compute.firewalls.create Allows a user to create firewall rules to control inbound and outbound traffic for GCP instances. compute.firewalls.delete Allows a user or service account to remove existing firewall rules from within a GCP project, modifying the network security configuration. compute.firewalls.get Allows a user to view the details and configuration of a specific firewall rule for GCP projects. compute.firewalls.update Allows a user to modify a specified firewall. compute.forwardingRules.create Allows a user to create new forwarding rules within a project. compute.forwardingRules.delete Allows a user to delete existing forwarding rules within a project. compute.forwardingRules.get Allows a user to retrieve details about a specific forwarding rule within a project. compute.forwardingRules.pscCreate Allows a user to create Private Service Connect forwarding rules within a project. compute.forwardingRules.pscDelete Allows a user to delete Private Service Connect forwarding rules within a project. compute.forwardingRules.pscSetLabels Allows a user to set or modify labels on Private Service Connect forwarding rules within a project. compute.forwardingRules.pscSetTarget Allows a user to update the target service for a Private Service Connect forwarding rule. compute.forwardingRules.pscUpdate Allows a user to update Private Service Connect forwarding rules within a project. compute.forwardingRules.setLabels Allows a user to set, update, or remove labels on forwarding rules. compute.forwardingRules.setTarget Allows a user to update the target of an existing forwarding rule. compute.forwardingRules.use Allows a user to use a forwarding rule for traffic routing or other operations, without the ability to modify or delete it. compute.globalOperations.get Allows a user to retrieve information about a specific global operation in a GCP project. compute.instanceGroupManagers.create Allows a user to create a managed instance group. compute.instanceGroupManagers.delete Allows a user to delete a specified managed instance group. compute.instanceGroupManagers.get Allows a user or service account to retrieve details like the configuration, status, and properties of an instance group manager within GCP. compute.instanceGroupManagers.update Allows a user to modify a specified managed instance group. compute.instanceGroups.create Allows a user to create an instance group. compute.instanceGroups.delete Allows a user to delete a specified instance group. compute.instanceGroups.get Allows a user to retrieve a specified instance group. compute.instanceGroups.update Allows a user to modify a specified instance group. compute.instances.create Allows a user to create an instance. compute.instances.delete Allows a user to delete a specified instance. compute.instances.get Allows a user to retrieve a specified instance. compute.instances.list Allows a user to list instances contained within a specified zone. compute.instances.reset Allows a user to perform a reset on the specified instance. compute.instances.setDeletionProtection Allows a user to enable deletion protection on a specified instance. compute.instances.update Allows a user to modify a specified instance. compute.instances.use Allows a user to use VM instances for operations, such as connecting to or interacting with the VM, but it does not grant the ability to modify or manage the instance itself. compute.instanceTemplates.create Allows a user to create an instance template. compute.instanceTemplates.delete Allows a user to delete a specified instance template. compute.instanceTemplates.get Allows a user to retrieve a specified instance template. compute.networks.create Allows a user to create a network. compute.networks.delete Allows a user to delete a specified network. compute.networks.getEffectiveFirewalls Allows a user to retrieve the effective firewalls for a specified network. compute.networks.update Allows a user to modify a specified network. compute.networks.updatePolicy Allows a user to update the configuration of existing GCP network resources. compute.networks.use Allows a user to use a VPC network and its associated resources for tasks like launching instances or using network services, but it does not grant permission to modify the network itself. compute.projects.get Allows a user or service account to retrieve information (such as project metadata, quotas, and configuration settings) about a specific GCP project. compute.regionBackendServices.create Allows a user to create backend services in a specific region for a regional load balancer. compute.regionBackendServices.delete Allows a user to delete backend services within a specific region. compute.regionBackendServices.get Allows a user to retrieve information about a backend service within a specific region. compute.regionBackendServices.use Allows a user to use a backend service in a specific region for operations like routing traffic, but does not grant the ability to modify or delete the backend service. compute.regionNetworkEndpointGroups.attachNetworkEndpoints Allows a user to attach network endpoints to a regional network endpoint group (NEG). compute.regionNetworkEndpointGroups.create Allows a user to create a NEG within a specific region. compute.regionNetworkEndpointGroups.delete Allows a user to delete a NEG in a specific region. compute.regionNetworkEndpointGroups.detachNetworkEndpoints Allows a user to remove network endpoints from a regional NEG. compute.regionNetworkEndpointGroups.get Allows a user to retrieve information about a specific NEG within a region. compute.regionNetworkEndpointGroups.use Allows a user to use a NEG within a specific region, typically for traffic routing and load balancing operations, without granting the ability to modify or delete the NEG itself. compute.regions.get Allows a user to retrieve a specified region. compute.regions.list Allows a user to retrieve a list of the available regions in a GCP project. compute.routers.get Allows a user to retrieve a specified router. compute.serviceAttachments.create Allows a user to create service attachments for Google Cloud services within a specific project or region. compute.serviceAttachments.delete Allows a user to delete service attachments that are configured in a project or region. compute.serviceAttachments.get Allows a user to retrieve information about an existing service attachment in a project or region. compute.serviceAttachments.list Allows a user to list all service attachments within a project or region. compute.serviceAttachments.update Allows a user to update or modify a service attachment in a project or region. compute.subnetworks.get Allows a user to retrieve a specified subnetwork. compute.zoneOperations.get Allows a user to retrieve a specified zone operation. compute.zoneOperations.list Allows a user to list zone operations. compute.zones.get Allows a user to retrieve a specified zone. compute.zones.list Allows a user to retrieve a list of the available zones in a GCP project. dns.changes.create Allows a user to create and update DNS resource record sets. dns.changes.get Allows a user to retrieve the information about an existing DNS change. dns.changes.list Allows a user to retrieve a list of changes to DNS resource record sets. dns.managedZones.create Allows a user to create a new managed zone. A DNS managed zone holds the Domain Name System (DNS) records for the same DNS name suffix. dns.managedZones.delete Allows a user or service account to delete managed zones within the Google Cloud DNS project. dns.managedZones.get Allows a user or service account to retrieve information about a specific DNS managed zone. This permission is used in the context of Google Cloud DNS, which is a scalable and reliable domain name system (DNS) service. dns.managedZones.list Allows a user or service account to list the managed zones within a Google Cloud DNS project. dns.managedZones.update Allows a user to update or modify the configuration of a managed DNS zone within a Google Cloud DNS project. dns.projects.get Allows a user to retrieve information about an existing GCP DNS project. dns.resourceRecordSets.create Allows a user to create resource record sets within a DNS zone. dns.resourceRecordSets.delete Allows a user to delete resource record sets within a DNS zone. dns.resourceRecordSets.get Allows a user or service account to retrieve information about resource record sets within a managed DNS zone. dns.resourceRecordSets.list Allows a user or service account to retrieve a list of resource record sets that are part of a particular DNS zone. dns.resourceRecordSets.update Allows a user or service account to make changes to the resource records in a DNS zone. iam.roles.create Allows a user to create a custom role for a GCP project or an organization. iam.roles.delete Allows a user to delete a custom role from a GCP project or an organization. iam.roles.get Allows a user to retrieve information about a specific role, including its permissions. iam.roles.list Allows a user to list predefined roles, or the custom roles for a project or an organization. iam.roles.undelete Allows a user to undelete a custom role from an organization or a project. iam.roles.update Allows a user to update an IAM custom role. iam.serviceAccounts.actAs Allows a service account to act as another service account or user within a GCP project. This permission is used to delegate authority to one service account to impersonate or perform actions on behalf of another service account or user. iam.serviceAccounts.create Allows a user to create a service account for a project. iam.serviceAccounts.delete Allows a user to delete a service account for a project. iam.serviceAccounts.get Allows a user or service account to retrieve metadata and configuration information about a particular service account within a project. This includes information such as the email address, display name, and IAM policies associated with the service account. iam.serviceAccounts.getIamPolicy Allows a user to retrieve the IAM policy for a service account. iam.serviceAccounts.setIamPolicy Allows a user to set the IAM policy for a service account. iam.serviceAccounts.update Allows a user to modify the service account for a project. logging.logEntries.create Allows a user to write log entries. resourcemanager.projects.get Allows a user or service account to view project details, such as project ID, name, labels, and other project-level settings. This permission controls the ability to retrieve the metadata and configuration of a project in GCP using the Resource Manager API. resourcemanager.projects.getIamPolicy Allows a user or service account to retrieve the IAM access control policy for a specified project. Permission is denied if the policy or the resource does not exist. resourcemanager.projects.setIamPolicy Allows a user or service account to set the IAM access control policy for the specified project. storage.buckets.get Allows a user to retrieve metadata and configuration information about a specific bucket in Google Cloud Storage. Users with this permission can view details such as the bucket’s name, location, storage class, access control settings, and other attributes. storage.buckets.getIamPolicy Allows a user to retrieve the IAM policy for a bucket. storage.buckets.setIamPolicy Allows a user to set the IAM policy for a bucket. Storage Object Admin Grants full control of bucket objects. The Redpanda Agent Storage Admin grant is scoped to a single bucket. Kubernetes Engine Admin Full management of Kubernetes clusters and their Kubernetes API objects. Back to top × Simple online edits For simple changes, such as fixing a typo, you can edit the content directly on GitHub. Edit on GitHub Or, open an issue to let us know about something that you want us to change. Open an issue Contribution guide For extensive content updates, or if you prefer to work locally, read our contribution guide . Was this helpful? thumb_up thumb_down group Ask in the community mail Share your feedback group_add Make a contribution AWS IAM Policies Azure IAM Policies