Some or all of the information on this page might not apply to Cloud de Confiance by S3NS. See Differences from Google Cloud for more details.

Confidential Computing roles and permissions

This page lists the IAM roles and permissions for Confidential Computing. To search through all roles and permissions, see the role and permission index.

Confidential Computing roles

Role Permissions

Role	Permissions
Confidentialcomputing Admin (`roles/confidentialcomputing.admin`) Admin role for confidentialcomputing	`confidentialcomputing.*` `confidentialcomputing.challenges.create` `confidentialcomputing.challenges.verify` `confidentialcomputing.challenges.verifygke` `confidentialcomputing.locations.get` `confidentialcomputing.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Confidential GKE Workload User (`roles/confidentialcomputing.gkeWorkloadUser`) Grants the ability to generate a GKE attestation token and run a workload in a GKE cluster.	`confidentialcomputing.challenges.create` `confidentialcomputing.challenges.verifygke` `confidentialcomputing.locations.*` `confidentialcomputing.locations.get` `confidentialcomputing.locations.list` `logging.logEntries.create`
Confidentialcomputing Viewer (`roles/confidentialcomputing.viewer`) Viewer role for confidentialcomputing	`confidentialcomputing.locations.*` `confidentialcomputing.locations.get` `confidentialcomputing.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Confidential Space Workload User (`roles/confidentialcomputing.workloadUser`) Grants the ability to generate an attestation token and run a workload in a VM. Intended for service accounts that run on Confidential Space VMs.	`confidentialcomputing.challenges.create` `confidentialcomputing.challenges.verify` `confidentialcomputing.locations.*` `confidentialcomputing.locations.get` `confidentialcomputing.locations.list` `logging.logEntries.create`

Confidentialcomputing Admin

(roles/confidentialcomputing.admin)

Admin role for confidentialcomputing

confidentialcomputing.*

confidentialcomputing.challenges.create
confidentialcomputing.challenges.verify
confidentialcomputing.challenges.verifygke
confidentialcomputing.locations.get
confidentialcomputing.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Confidential GKE Workload User

(roles/confidentialcomputing.gkeWorkloadUser)

Grants the ability to generate a GKE attestation token and run a workload in a GKE cluster.

confidentialcomputing.challenges.create

confidentialcomputing.challenges.verifygke

confidentialcomputing.locations.*

confidentialcomputing.locations.get
confidentialcomputing.locations.list

logging.logEntries.create

Confidentialcomputing Viewer

(roles/confidentialcomputing.viewer)

Viewer role for confidentialcomputing

confidentialcomputing.locations.*

confidentialcomputing.locations.get
confidentialcomputing.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Confidential Space Workload User

(roles/confidentialcomputing.workloadUser)

Grants the ability to generate an attestation token and run a workload in a VM. Intended for service accounts that run on Confidential Space VMs.

confidentialcomputing.challenges.create

confidentialcomputing.challenges.verify

confidentialcomputing.locations.*

confidentialcomputing.locations.get
confidentialcomputing.locations.list

logging.logEntries.create

Confidential Computing permissions

Permission	Included in roles
`confidentialcomputing.challenges.create`	Owner (`roles/owner`) Editor (`roles/editor`) Confidentialcomputing Admin (`roles/confidentialcomputing.admin`) Confidential GKE Workload User (`roles/confidentialcomputing.gkeWorkloadUser`) Confidential Space Workload User (`roles/confidentialcomputing.workloadUser`)
`confidentialcomputing.challenges.verify`	Owner (`roles/owner`) Editor (`roles/editor`) Confidentialcomputing Admin (`roles/confidentialcomputing.admin`) Confidential Space Workload User (`roles/confidentialcomputing.workloadUser`)
`confidentialcomputing.challenges.verifygke`	Owner (`roles/owner`) Editor (`roles/editor`) Confidentialcomputing Admin (`roles/confidentialcomputing.admin`) Confidential GKE Workload User (`roles/confidentialcomputing.gkeWorkloadUser`)
`confidentialcomputing.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Confidentialcomputing Admin (`roles/confidentialcomputing.admin`) Confidential GKE Workload User (`roles/confidentialcomputing.gkeWorkloadUser`) Confidentialcomputing Viewer (`roles/confidentialcomputing.viewer`) Confidential Space Workload User (`roles/confidentialcomputing.workloadUser`) Support User (`roles/iam.supportUser`)
`confidentialcomputing.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Confidentialcomputing Admin (`roles/confidentialcomputing.admin`) Confidential GKE Workload User (`roles/confidentialcomputing.gkeWorkloadUser`) Confidentialcomputing Viewer (`roles/confidentialcomputing.viewer`) Confidential Space Workload User (`roles/confidentialcomputing.workloadUser`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)

Confidential Computing roles and permissions

Confidential Computing roles

Confidentialcomputing Admin

Confidential GKE Workload User

Confidentialcomputing Viewer

Confidential Space Workload User

Confidential Computing permissions

`confidentialcomputing.challenges.create`

`confidentialcomputing.challenges.verify`

`confidentialcomputing.challenges.verifygke`

`confidentialcomputing.locations.get`

`confidentialcomputing.locations.list`