Cloud Build roles and permissions

This page lists the IAM roles and permissions for Cloud Build. To search through all roles and permissions, see the role and permission index.

Cloud Build roles

Role Permissions

Role	Permissions
Cloud Build Approver (`roles/cloudbuild.builds.approver`) Can approve or reject pending builds.	`cloudbuild.builds.approve` `cloudbuild.builds.get` `cloudbuild.builds.list` `cloudbuild.locations.` `cloudbuild.locations.get` `cloudbuild.locations.list` `cloudbuild.operations.` `cloudbuild.operations.get` `cloudbuild.operations.list` `remotebuildexecution.blobs.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Provides access to perform builds.	`artifactregistry.aptartifacts.create` `artifactregistry.attachments.create` `artifactregistry.attachments.get` `artifactregistry.attachments.list` `artifactregistry.dockerimages.` `artifactregistry.dockerimages.get` `artifactregistry.dockerimages.list` `artifactregistry.files.download` `artifactregistry.files.get` `artifactregistry.files.list` `artifactregistry.files.update` `artifactregistry.files.upload` `artifactregistry.kfpartifacts.create` `artifactregistry.locations.` `artifactregistry.locations.get` `artifactregistry.locations.list` `artifactregistry.mavenartifacts.` `artifactregistry.mavenartifacts.get` `artifactregistry.mavenartifacts.list` `artifactregistry.npmpackages.` `artifactregistry.npmpackages.get` `artifactregistry.npmpackages.list` `artifactregistry.packages.get` `artifactregistry.packages.list` `artifactregistry.packages.update` `artifactregistry.projectsettings.get` `artifactregistry.pythonpackages.` `artifactregistry.pythonpackages.get` `artifactregistry.pythonpackages.list` `artifactregistry.repositories.createOnPush` `artifactregistry.repositories.deleteArtifacts` `artifactregistry.repositories.downloadArtifacts` `artifactregistry.repositories.get` `artifactregistry.repositories.list` `artifactregistry.repositories.listEffectiveTags` `artifactregistry.repositories.listTagBindings` `artifactregistry.repositories.readViaVirtualRepository` `artifactregistry.repositories.uploadArtifacts` `artifactregistry.rules.get` `artifactregistry.rules.list` `artifactregistry.tags.create` `artifactregistry.tags.get` `artifactregistry.tags.list` `artifactregistry.tags.update` `artifactregistry.versions.get` `artifactregistry.versions.list` `artifactregistry.yumartifacts.create` `cloudbuild.builds.create` `cloudbuild.builds.get` `cloudbuild.builds.list` `cloudbuild.builds.update` `cloudbuild.locations.` `cloudbuild.locations.get` `cloudbuild.locations.list` `cloudbuild.operations.*` `cloudbuild.operations.get` `cloudbuild.operations.list` `cloudbuild.workerpools.use` `containeranalysis.occurrences.create` `containeranalysis.occurrences.delete` `containeranalysis.occurrences.get` `containeranalysis.occurrences.list` `containeranalysis.occurrences.update` `logging.logEntries.create` `logging.logEntries.list` `logging.views.access` `pubsub.topics.create` `pubsub.topics.publish` `remotebuildexecution.blobs.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `source.repos.get` `source.repos.list` `storage.buckets.create` `storage.buckets.get` `storage.buckets.list` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.list` `storage.objects.update`
Cloud Build Editor (`roles/cloudbuild.builds.editor`) Provides access to create and cancel builds. Lowest-level resources where you can grant this role: Project	`cloudbuild.builds.create` `cloudbuild.builds.get` `cloudbuild.builds.list` `cloudbuild.builds.update` `cloudbuild.locations.` `cloudbuild.locations.get` `cloudbuild.locations.list` `cloudbuild.operations.` `cloudbuild.operations.get` `cloudbuild.operations.list` `remotebuildexecution.blobs.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Build Viewer (`roles/cloudbuild.builds.viewer`) Provides access to view builds. Lowest-level resources where you can grant this role: Project	`cloudbuild.builds.get` `cloudbuild.builds.list` `cloudbuild.locations.` `cloudbuild.locations.get` `cloudbuild.locations.list` `cloudbuild.operations.` `cloudbuild.operations.get` `cloudbuild.operations.list` `remotebuildexecution.blobs.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Build Connection Admin (`roles/cloudbuild.connectionAdmin`) Can manage connections and repositories.	`cloudbuild.connections.` `cloudbuild.connections.create` `cloudbuild.connections.delete` `cloudbuild.connections.fetchLinkableRepositories` `cloudbuild.connections.get` `cloudbuild.connections.getIamPolicy` `cloudbuild.connections.list` `cloudbuild.connections.setIamPolicy` `cloudbuild.connections.update` `cloudbuild.operations.` `cloudbuild.operations.get` `cloudbuild.operations.list` `cloudbuild.repositories.create` `cloudbuild.repositories.delete` `cloudbuild.repositories.fetchGitRefs` `cloudbuild.repositories.get` `cloudbuild.repositories.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Build Connection Viewer (`roles/cloudbuild.connectionViewer`) Can view and list connections and repositories.	`cloudbuild.connections.fetchLinkableRepositories` `cloudbuild.connections.get` `cloudbuild.connections.getIamPolicy` `cloudbuild.connections.list` `cloudbuild.repositories.fetchGitRefs` `cloudbuild.repositories.get` `cloudbuild.repositories.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Build Integrations Editor (`roles/cloudbuild.integrationsEditor`) Can update Integrations	`cloudbuild.integrations.get` `cloudbuild.integrations.list` `cloudbuild.integrations.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Build Integrations Owner (`roles/cloudbuild.integrationsOwner`) Can create/delete Integrations	`cloudbuild.integrations.*` `cloudbuild.integrations.create` `cloudbuild.integrations.delete` `cloudbuild.integrations.get` `cloudbuild.integrations.list` `cloudbuild.integrations.update` `compute.firewalls.create` `compute.firewalls.get` `compute.firewalls.list` `compute.networks.get` `compute.networks.updatePolicy` `compute.regions.get` `compute.subnetworks.get` `compute.subnetworks.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Build Integrations Viewer (`roles/cloudbuild.integrationsViewer`) Can view Integrations	`cloudbuild.integrations.get` `cloudbuild.integrations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Build Logging Service Agent (`roles/cloudbuild.loggingServiceAgent`) Gives the Cloud Build logging-specific service account access to write logs. Warning: Do not grant service agent roles to any principals except service agents.	`logging.buckets.write`
Cloud Build Read Only Token Accessor (`roles/cloudbuild.readTokenAccessor`) Can view the connection and access its read-only token.	`cloudbuild.connections.get` `cloudbuild.repositories.accessReadToken` `cloudbuild.repositories.get`
Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Gives Cloud Build service account access to managed resources. Warning: Do not grant service agent roles to any principals except service agents.	`artifactregistry.aptartifacts.create` `artifactregistry.attachments.create` `artifactregistry.attachments.get` `artifactregistry.attachments.list` `artifactregistry.dockerimages.` `artifactregistry.dockerimages.get` `artifactregistry.dockerimages.list` `artifactregistry.files.download` `artifactregistry.files.get` `artifactregistry.files.list` `artifactregistry.files.update` `artifactregistry.files.upload` `artifactregistry.kfpartifacts.create` `artifactregistry.locations.` `artifactregistry.locations.get` `artifactregistry.locations.list` `artifactregistry.mavenartifacts.` `artifactregistry.mavenartifacts.get` `artifactregistry.mavenartifacts.list` `artifactregistry.npmpackages.` `artifactregistry.npmpackages.get` `artifactregistry.npmpackages.list` `artifactregistry.packages.get` `artifactregistry.packages.list` `artifactregistry.packages.update` `artifactregistry.projectsettings.get` `artifactregistry.pythonpackages.` `artifactregistry.pythonpackages.get` `artifactregistry.pythonpackages.list` `artifactregistry.repositories.createOnPush` `artifactregistry.repositories.deleteArtifacts` `artifactregistry.repositories.downloadArtifacts` `artifactregistry.repositories.get` `artifactregistry.repositories.list` `artifactregistry.repositories.listEffectiveTags` `artifactregistry.repositories.listTagBindings` `artifactregistry.repositories.readViaVirtualRepository` `artifactregistry.repositories.uploadArtifacts` `artifactregistry.rules.get` `artifactregistry.rules.list` `artifactregistry.tags.create` `artifactregistry.tags.get` `artifactregistry.tags.list` `artifactregistry.tags.update` `artifactregistry.versions.get` `artifactregistry.versions.list` `artifactregistry.yumartifacts.create` `binaryauthorization.attestors.create` `binaryauthorization.attestors.delete` `binaryauthorization.attestors.get` `binaryauthorization.attestors.list` `binaryauthorization.attestors.update` `binaryauthorization.attestors.verifyImageAttested` `cloudbuild.builds.create` `cloudbuild.builds.get` `cloudbuild.builds.list` `cloudbuild.builds.update` `cloudbuild.connections.get` `cloudbuild.locations.` `cloudbuild.locations.get` `cloudbuild.locations.list` `cloudbuild.operations.` `cloudbuild.operations.get` `cloudbuild.operations.list` `cloudbuild.repositories.accessReadToken` `cloudbuild.repositories.accessReadWriteToken` `cloudbuild.repositories.get` `cloudbuild.repositories.list` `cloudbuild.workerpools.use` `compute.firewalls.get` `compute.firewalls.list` `compute.networkAttachments.get` `compute.networkAttachments.update` `compute.networks.get` `compute.regionOperations.get` `compute.subnetworks.get` `containeranalysis.notes.attachOccurrence` `containeranalysis.notes.create` `containeranalysis.notes.delete` `containeranalysis.notes.get` `containeranalysis.notes.list` `containeranalysis.notes.update` `containeranalysis.occurrences.create` `containeranalysis.occurrences.delete` `containeranalysis.occurrences.get` `containeranalysis.occurrences.list` `containeranalysis.occurrences.update` `developerconnect.connections.get` `developerconnect.gitRepositoryLinks.fetchReadToken` `developerconnect.gitRepositoryLinks.fetchReadWriteToken` `developerconnect.gitRepositoryLinks.get` `iam.serviceAccounts.get` `iam.serviceAccounts.getAccessToken` `iam.serviceAccounts.getOpenIdToken` `logging.buckets.create` `logging.buckets.get` `logging.buckets.list` `logging.logEntries.create` `logging.logEntries.list` `logging.views.access` `pubsub.subscriptions.create` `pubsub.subscriptions.delete` `pubsub.subscriptions.get` `pubsub.subscriptions.update` `pubsub.topics.attachSubscription` `pubsub.topics.create` `pubsub.topics.get` `pubsub.topics.publish` `remotebuildexecution.blobs.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `servicedirectory.endpoints.get` `servicedirectory.endpoints.getIamPolicy` `servicedirectory.endpoints.list` `servicedirectory.locations.` `servicedirectory.locations.get` `servicedirectory.locations.list` `servicedirectory.namespaces.get` `servicedirectory.namespaces.getIamPolicy` `servicedirectory.namespaces.list` `servicedirectory.networks.access` `servicedirectory.services.get` `servicedirectory.services.getIamPolicy` `servicedirectory.services.list` `servicedirectory.services.resolve` `serviceusage.services.use` `source.repos.get` `source.repos.list` `storage.buckets.create` `storage.buckets.get` `storage.buckets.list` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.list` `storage.objects.update`
Cloud Build Token Accessor (`roles/cloudbuild.tokenAccessor`) Can view the connection and access its read/write and read-only tokens.	`cloudbuild.connections.get` `cloudbuild.repositories.accessReadToken` `cloudbuild.repositories.accessReadWriteToken` `cloudbuild.repositories.get` `cloudbuild.repositories.list`
Cloud Build WorkerPool Editor (`roles/cloudbuild.workerPoolEditor`) Can update and view WorkerPools	`cloudbuild.workerpools.get` `cloudbuild.workerpools.list` `cloudbuild.workerpools.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Build WorkerPool Owner (`roles/cloudbuild.workerPoolOwner`) Can create, delete, update, and view WorkerPools	`cloudbuild.workerpools.create` `cloudbuild.workerpools.delete` `cloudbuild.workerpools.get` `cloudbuild.workerpools.list` `cloudbuild.workerpools.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Build WorkerPool User (`roles/cloudbuild.workerPoolUser`) Can run builds in the WorkerPool	`cloudbuild.workerpools.use`
Cloud Build WorkerPool Viewer (`roles/cloudbuild.workerPoolViewer`) Can view WorkerPools	`cloudbuild.workerpools.get` `cloudbuild.workerpools.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Cloud Build Approver

(roles/cloudbuild.builds.approver)

Can approve or reject pending builds.

cloudbuild.builds.approve

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.locations.*

cloudbuild.locations.get
cloudbuild.locations.list

cloudbuild.operations.*

cloudbuild.operations.get
cloudbuild.operations.list

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Service Account

(roles/cloudbuild.builds.builder)

Provides access to perform builds.

artifactregistry.aptartifacts.create

artifactregistry.attachments.create

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.files.update

artifactregistry.files.upload

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.locations.get
artifactregistry.locations.list

artifactregistry.mavenartifacts.*

artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

artifactregistry.npmpackages.get
artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.packages.update

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list

artifactregistry.repositories.createOnPush

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.create

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.tags.update

artifactregistry.versions.get

artifactregistry.versions.list

artifactregistry.yumartifacts.create

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.locations.*

cloudbuild.locations.get
cloudbuild.locations.list

cloudbuild.operations.*

cloudbuild.operations.get
cloudbuild.operations.list

cloudbuild.workerpools.use

containeranalysis.occurrences.create

containeranalysis.occurrences.delete

containeranalysis.occurrences.get

containeranalysis.occurrences.list

containeranalysis.occurrences.update

logging.logEntries.create

logging.logEntries.list

logging.views.access

pubsub.topics.create

pubsub.topics.publish

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

source.repos.get

source.repos.list

storage.buckets.create

storage.buckets.get

storage.buckets.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

Cloud Build Editor

(roles/cloudbuild.builds.editor)

Provides access to create and cancel builds.

Lowest-level resources where you can grant this role:

Project

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.locations.*

cloudbuild.locations.get
cloudbuild.locations.list

cloudbuild.operations.*

cloudbuild.operations.get
cloudbuild.operations.list

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Viewer

(roles/cloudbuild.builds.viewer)

Provides access to view builds.

Lowest-level resources where you can grant this role:

Project

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.locations.*

cloudbuild.locations.get
cloudbuild.locations.list

cloudbuild.operations.*

cloudbuild.operations.get
cloudbuild.operations.list

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Connection Admin

(roles/cloudbuild.connectionAdmin)

Can manage connections and repositories.

cloudbuild.connections.*

cloudbuild.connections.create
cloudbuild.connections.delete
cloudbuild.connections.fetchLinkableRepositories
cloudbuild.connections.get
cloudbuild.connections.getIamPolicy
cloudbuild.connections.list
cloudbuild.connections.setIamPolicy
cloudbuild.connections.update

cloudbuild.operations.*

cloudbuild.operations.get
cloudbuild.operations.list

cloudbuild.repositories.create

cloudbuild.repositories.delete

cloudbuild.repositories.fetchGitRefs

cloudbuild.repositories.get

cloudbuild.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Connection Viewer

(roles/cloudbuild.connectionViewer)

Can view and list connections and repositories.

cloudbuild.connections.fetchLinkableRepositories

cloudbuild.connections.get

cloudbuild.connections.getIamPolicy

cloudbuild.connections.list

cloudbuild.repositories.fetchGitRefs

cloudbuild.repositories.get

cloudbuild.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Integrations Editor

(roles/cloudbuild.integrationsEditor)

Can update Integrations

cloudbuild.integrations.get

cloudbuild.integrations.list

cloudbuild.integrations.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Integrations Owner

(roles/cloudbuild.integrationsOwner)

Can create/delete Integrations

cloudbuild.integrations.*

cloudbuild.integrations.create
cloudbuild.integrations.delete
cloudbuild.integrations.get
cloudbuild.integrations.list
cloudbuild.integrations.update

compute.firewalls.create

compute.firewalls.get

compute.firewalls.list

compute.networks.get

compute.networks.updatePolicy

compute.regions.get

compute.subnetworks.get

compute.subnetworks.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Integrations Viewer

(roles/cloudbuild.integrationsViewer)

Can view Integrations

cloudbuild.integrations.get

cloudbuild.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Logging Service Agent

(roles/cloudbuild.loggingServiceAgent)

Gives the Cloud Build logging-specific service account access to write logs.

logging.buckets.write

Cloud Build Read Only Token Accessor

(roles/cloudbuild.readTokenAccessor)

Can view the connection and access its read-only token.

cloudbuild.connections.get

cloudbuild.repositories.accessReadToken

cloudbuild.repositories.get

Cloud Build Service Agent

(roles/cloudbuild.serviceAgent)

Gives Cloud Build service account access to managed resources.

artifactregistry.aptartifacts.create

artifactregistry.attachments.create

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.files.update

artifactregistry.files.upload

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.locations.get
artifactregistry.locations.list

artifactregistry.mavenartifacts.*

artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

artifactregistry.npmpackages.get
artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.packages.update

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list

artifactregistry.repositories.createOnPush

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.create

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.tags.update

artifactregistry.versions.get

artifactregistry.versions.list

artifactregistry.yumartifacts.create

binaryauthorization.attestors.create

binaryauthorization.attestors.delete

binaryauthorization.attestors.get

binaryauthorization.attestors.list

binaryauthorization.attestors.update

binaryauthorization.attestors.verifyImageAttested

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.connections.get

cloudbuild.locations.*

cloudbuild.locations.get
cloudbuild.locations.list

cloudbuild.operations.*

cloudbuild.operations.get
cloudbuild.operations.list

cloudbuild.repositories.accessReadToken

cloudbuild.repositories.accessReadWriteToken

cloudbuild.repositories.get

cloudbuild.repositories.list

cloudbuild.workerpools.use

compute.firewalls.get

compute.firewalls.list

compute.networkAttachments.get

compute.networkAttachments.update

compute.networks.get

compute.regionOperations.get

compute.subnetworks.get

containeranalysis.notes.attachOccurrence

containeranalysis.notes.create

containeranalysis.notes.delete

containeranalysis.notes.get

containeranalysis.notes.list

containeranalysis.notes.update

containeranalysis.occurrences.create

containeranalysis.occurrences.delete

containeranalysis.occurrences.get

containeranalysis.occurrences.list

containeranalysis.occurrences.update

developerconnect.connections.get

developerconnect.gitRepositoryLinks.fetchReadToken

developerconnect.gitRepositoryLinks.fetchReadWriteToken

developerconnect.gitRepositoryLinks.get

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

logging.buckets.create

logging.buckets.get

logging.buckets.list

logging.logEntries.create

logging.logEntries.list

logging.views.access

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.get

pubsub.topics.publish

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.endpoints.get

servicedirectory.endpoints.getIamPolicy

servicedirectory.endpoints.list

servicedirectory.locations.*

servicedirectory.locations.get
servicedirectory.locations.list

servicedirectory.namespaces.get

servicedirectory.namespaces.getIamPolicy

servicedirectory.namespaces.list

servicedirectory.networks.access

servicedirectory.services.get

servicedirectory.services.getIamPolicy

servicedirectory.services.list

servicedirectory.services.resolve

serviceusage.services.use

source.repos.get

source.repos.list

storage.buckets.create

storage.buckets.get

storage.buckets.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

Cloud Build Token Accessor

(roles/cloudbuild.tokenAccessor)

Can view the connection and access its read/write and read-only tokens.

cloudbuild.connections.get

cloudbuild.repositories.accessReadToken

cloudbuild.repositories.accessReadWriteToken

cloudbuild.repositories.get

cloudbuild.repositories.list

Cloud Build WorkerPool Editor

(roles/cloudbuild.workerPoolEditor)

Can update and view WorkerPools

cloudbuild.workerpools.get

cloudbuild.workerpools.list

cloudbuild.workerpools.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build WorkerPool Owner

(roles/cloudbuild.workerPoolOwner)

Can create, delete, update, and view WorkerPools

cloudbuild.workerpools.create

cloudbuild.workerpools.delete

cloudbuild.workerpools.get

cloudbuild.workerpools.list

cloudbuild.workerpools.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build WorkerPool User

(roles/cloudbuild.workerPoolUser)

Can run builds in the WorkerPool

cloudbuild.workerpools.use

Cloud Build WorkerPool Viewer

(roles/cloudbuild.workerPoolViewer)

Can view WorkerPools

cloudbuild.workerpools.get

cloudbuild.workerpools.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build permissions

Permission	Included in roles
`cloudbuild.builds.approve`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Approver (`roles/cloudbuild.builds.approver`)
`cloudbuild.builds.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Cloud Build Editor (`roles/cloudbuild.builds.editor`) Composer Worker (`roles/composer.worker`) Dataflow Admin (`roles/dataflow.admin`) Dataflow Developer (`roles/dataflow.developer`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Config Delivery Service Agent (`roles/configdelivery.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Firebase App Hosting Service Agent (`roles/firebaseapphosting.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`)
`cloudbuild.builds.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build Approver (`roles/cloudbuild.builds.approver`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Cloud Build Editor (`roles/cloudbuild.builds.editor`) Cloud Build Viewer (`roles/cloudbuild.builds.viewer`) Cloud Functions Admin (`roles/cloudfunctions.admin`) Cloud Functions Developer (`roles/cloudfunctions.developer`) Cloud Functions Viewer (`roles/cloudfunctions.viewer`) Composer Worker (`roles/composer.worker`) Dataflow Admin (`roles/dataflow.admin`) Dataflow Developer (`roles/dataflow.developer`) Application Design Center Admin (`roles/designcenter.admin`) Application Admin (`roles/designcenter.applicationAdmin`) Application Editor (`roles/designcenter.applicationEditor`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Firebase Viewer (`roles/firebase.viewer`) Data Scientist (`roles/iam.dataScientist`) Dev Ops (`roles/iam.devOps`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Config Delivery Service Agent (`roles/configdelivery.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Firebase App Hosting Service Agent (`roles/firebaseapphosting.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`)
`cloudbuild.builds.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build Approver (`roles/cloudbuild.builds.approver`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Cloud Build Editor (`roles/cloudbuild.builds.editor`) Cloud Build Viewer (`roles/cloudbuild.builds.viewer`) Cloud Functions Admin (`roles/cloudfunctions.admin`) Cloud Functions Developer (`roles/cloudfunctions.developer`) Cloud Functions Viewer (`roles/cloudfunctions.viewer`) Composer Worker (`roles/composer.worker`) Dataflow Admin (`roles/dataflow.admin`) Dataflow Developer (`roles/dataflow.developer`) Application Design Center Admin (`roles/designcenter.admin`) Application Admin (`roles/designcenter.applicationAdmin`) Application Editor (`roles/designcenter.applicationEditor`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Firebase Viewer (`roles/firebase.viewer`) Data Scientist (`roles/iam.dataScientist`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Config Delivery Service Agent (`roles/configdelivery.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`cloudbuild.builds.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Cloud Build Editor (`roles/cloudbuild.builds.editor`) Composer Worker (`roles/composer.worker`) Dataflow Admin (`roles/dataflow.admin`) Dataflow Developer (`roles/dataflow.developer`) Dev Ops (`roles/iam.devOps`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Config Delivery Service Agent (`roles/configdelivery.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Firebase App Hosting Service Agent (`roles/firebaseapphosting.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`cloudbuild.connections.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Connection Admin (`roles/cloudbuild.connectionAdmin`) Dev Ops (`roles/iam.devOps`)
`cloudbuild.connections.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Connection Admin (`roles/cloudbuild.connectionAdmin`) Dev Ops (`roles/iam.devOps`)
`cloudbuild.connections.fetchLinkableRepositories`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build Connection Admin (`roles/cloudbuild.connectionAdmin`) Cloud Build Connection Viewer (`roles/cloudbuild.connectionViewer`) Dev Ops (`roles/iam.devOps`) Support User (`roles/iam.supportUser`)
`cloudbuild.connections.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build Connection Admin (`roles/cloudbuild.connectionAdmin`) Cloud Build Connection Viewer (`roles/cloudbuild.connectionViewer`) Cloud Build Read Only Token Accessor (`roles/cloudbuild.readTokenAccessor`) Cloud Build Token Accessor (`roles/cloudbuild.tokenAccessor`) Dev Ops (`roles/iam.devOps`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Firebase App Hosting Service Agent (`roles/firebaseapphosting.serviceAgent`) Gemini for Google Cloud Service Agent (`roles/cloudaicompanion.serviceAgent`)
`cloudbuild.connections.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build Connection Admin (`roles/cloudbuild.connectionAdmin`) Cloud Build Connection Viewer (`roles/cloudbuild.connectionViewer`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`cloudbuild.connections.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build Connection Admin (`roles/cloudbuild.connectionAdmin`) Cloud Build Connection Viewer (`roles/cloudbuild.connectionViewer`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`cloudbuild.connections.setIamPolicy`	Owner (`roles/owner`) Cloud Build Connection Admin (`roles/cloudbuild.connectionAdmin`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`)
`cloudbuild.connections.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Connection Admin (`roles/cloudbuild.connectionAdmin`) Dev Ops (`roles/iam.devOps`)
`cloudbuild.integrations.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Integrations Owner (`roles/cloudbuild.integrationsOwner`) Dev Ops (`roles/iam.devOps`)
`cloudbuild.integrations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Integrations Owner (`roles/cloudbuild.integrationsOwner`) Dev Ops (`roles/iam.devOps`)
`cloudbuild.integrations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build Integrations Editor (`roles/cloudbuild.integrationsEditor`) Cloud Build Integrations Owner (`roles/cloudbuild.integrationsOwner`) Cloud Build Integrations Viewer (`roles/cloudbuild.integrationsViewer`) Dev Ops (`roles/iam.devOps`) Support User (`roles/iam.supportUser`)
`cloudbuild.integrations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build Integrations Editor (`roles/cloudbuild.integrationsEditor`) Cloud Build Integrations Owner (`roles/cloudbuild.integrationsOwner`) Cloud Build Integrations Viewer (`roles/cloudbuild.integrationsViewer`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`cloudbuild.integrations.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Integrations Editor (`roles/cloudbuild.integrationsEditor`) Cloud Build Integrations Owner (`roles/cloudbuild.integrationsOwner`) Dev Ops (`roles/iam.devOps`)
`cloudbuild.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build Approver (`roles/cloudbuild.builds.approver`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Cloud Build Editor (`roles/cloudbuild.builds.editor`) Cloud Build Viewer (`roles/cloudbuild.builds.viewer`) Cloud Functions Admin (`roles/cloudfunctions.admin`) Cloud Functions Developer (`roles/cloudfunctions.developer`) Cloud Functions Viewer (`roles/cloudfunctions.viewer`) Composer Worker (`roles/composer.worker`) Dataflow Admin (`roles/dataflow.admin`) Dataflow Developer (`roles/dataflow.developer`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Firebase Viewer (`roles/firebase.viewer`) Data Scientist (`roles/iam.dataScientist`) Dev Ops (`roles/iam.devOps`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`cloudbuild.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build Approver (`roles/cloudbuild.builds.approver`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Cloud Build Editor (`roles/cloudbuild.builds.editor`) Cloud Build Viewer (`roles/cloudbuild.builds.viewer`) Cloud Functions Admin (`roles/cloudfunctions.admin`) Cloud Functions Developer (`roles/cloudfunctions.developer`) Cloud Functions Viewer (`roles/cloudfunctions.viewer`) Composer Worker (`roles/composer.worker`) Dataflow Admin (`roles/dataflow.admin`) Dataflow Developer (`roles/dataflow.developer`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Firebase Viewer (`roles/firebase.viewer`) Data Scientist (`roles/iam.dataScientist`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`cloudbuild.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build Approver (`roles/cloudbuild.builds.approver`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Cloud Build Editor (`roles/cloudbuild.builds.editor`) Cloud Build Viewer (`roles/cloudbuild.builds.viewer`) Cloud Build Connection Admin (`roles/cloudbuild.connectionAdmin`) Cloud Functions Admin (`roles/cloudfunctions.admin`) Cloud Functions Developer (`roles/cloudfunctions.developer`) Cloud Functions Viewer (`roles/cloudfunctions.viewer`) Composer Worker (`roles/composer.worker`) Dataflow Admin (`roles/dataflow.admin`) Dataflow Developer (`roles/dataflow.developer`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Firebase Viewer (`roles/firebase.viewer`) Data Scientist (`roles/iam.dataScientist`) Dev Ops (`roles/iam.devOps`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Firebase App Hosting Service Agent (`roles/firebaseapphosting.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`cloudbuild.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build Approver (`roles/cloudbuild.builds.approver`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Cloud Build Editor (`roles/cloudbuild.builds.editor`) Cloud Build Viewer (`roles/cloudbuild.builds.viewer`) Cloud Build Connection Admin (`roles/cloudbuild.connectionAdmin`) Cloud Functions Admin (`roles/cloudfunctions.admin`) Cloud Functions Developer (`roles/cloudfunctions.developer`) Cloud Functions Viewer (`roles/cloudfunctions.viewer`) Composer Worker (`roles/composer.worker`) Dataflow Admin (`roles/dataflow.admin`) Dataflow Developer (`roles/dataflow.developer`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Firebase Viewer (`roles/firebase.viewer`) Data Scientist (`roles/iam.dataScientist`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`cloudbuild.repositories.accessReadToken`	Owner (`roles/owner`) Cloud Build Read Only Token Accessor (`roles/cloudbuild.readTokenAccessor`) Cloud Build Token Accessor (`roles/cloudbuild.tokenAccessor`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Firebase App Hosting Service Agent (`roles/firebaseapphosting.serviceAgent`) Gemini for Google Cloud Service Agent (`roles/cloudaicompanion.serviceAgent`)
`cloudbuild.repositories.accessReadWriteToken`	Owner (`roles/owner`) Cloud Build Token Accessor (`roles/cloudbuild.tokenAccessor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Firebase App Hosting Service Agent (`roles/firebaseapphosting.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`cloudbuild.repositories.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Connection Admin (`roles/cloudbuild.connectionAdmin`) Dev Ops (`roles/iam.devOps`)
`cloudbuild.repositories.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Connection Admin (`roles/cloudbuild.connectionAdmin`) Dev Ops (`roles/iam.devOps`)
`cloudbuild.repositories.fetchGitRefs`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build Connection Admin (`roles/cloudbuild.connectionAdmin`) Cloud Build Connection Viewer (`roles/cloudbuild.connectionViewer`) Dev Ops (`roles/iam.devOps`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Gemini for Google Cloud Service Agent (`roles/cloudaicompanion.serviceAgent`)
`cloudbuild.repositories.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build Connection Admin (`roles/cloudbuild.connectionAdmin`) Cloud Build Connection Viewer (`roles/cloudbuild.connectionViewer`) Cloud Build Read Only Token Accessor (`roles/cloudbuild.readTokenAccessor`) Cloud Build Token Accessor (`roles/cloudbuild.tokenAccessor`) Dev Ops (`roles/iam.devOps`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Config Delivery Service Agent (`roles/configdelivery.serviceAgent`) Firebase App Hosting Service Agent (`roles/firebaseapphosting.serviceAgent`) Gemini for Google Cloud Service Agent (`roles/cloudaicompanion.serviceAgent`)
`cloudbuild.repositories.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build Connection Admin (`roles/cloudbuild.connectionAdmin`) Cloud Build Connection Viewer (`roles/cloudbuild.connectionViewer`) Cloud Build Token Accessor (`roles/cloudbuild.tokenAccessor`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Gemini for Google Cloud Service Agent (`roles/cloudaicompanion.serviceAgent`)
`cloudbuild.workerpools.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build WorkerPool Owner (`roles/cloudbuild.workerPoolOwner`) Dev Ops (`roles/iam.devOps`)
`cloudbuild.workerpools.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build WorkerPool Owner (`roles/cloudbuild.workerPoolOwner`) Dev Ops (`roles/iam.devOps`)
`cloudbuild.workerpools.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build WorkerPool Editor (`roles/cloudbuild.workerPoolEditor`) Cloud Build WorkerPool Owner (`roles/cloudbuild.workerPoolOwner`) Cloud Build WorkerPool Viewer (`roles/cloudbuild.workerPoolViewer`) Dev Ops (`roles/iam.devOps`) Support User (`roles/iam.supportUser`)
`cloudbuild.workerpools.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build WorkerPool Editor (`roles/cloudbuild.workerPoolEditor`) Cloud Build WorkerPool Owner (`roles/cloudbuild.workerPoolOwner`) Cloud Build WorkerPool Viewer (`roles/cloudbuild.workerPoolViewer`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`cloudbuild.workerpools.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build WorkerPool Editor (`roles/cloudbuild.workerPoolEditor`) Cloud Build WorkerPool Owner (`roles/cloudbuild.workerPoolOwner`) Dev Ops (`roles/iam.devOps`)
`cloudbuild.workerpools.use`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Cloud Build WorkerPool User (`roles/cloudbuild.workerPoolUser`) Composer Worker (`roles/composer.worker`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)

Cloud Build roles and permissions Stay organized with collections Save and categorize content based on your preferences.