Project roles

Project roles define the basic permission structure required for operating services within a project—
including the ability to create, modify, delete, and view project resources.

Types of project roles

Project roles are classified into Project Admin, Project Member, and Project Reader.
They define the default access level to resources within a project.

| Role | Permissions | Included sub-roles |
| --- | --- | --- |
| Project Admin | Full access and control over project-level service and IAM resources: create, read, update, and delete (CRUD) project resources; add, remove, or modify user roles; manage service accounts and agents. | Project Member, Project Reader |
| Project Member | Can create, read, update, and delete project service resources. Cannot modify IAM resources. | Project Reader |
| Project Reader | Read-only access to project resources (no modification or deletion). | |

Managing specific service resources

Management of specific service resources can also be performed via each Service role.
However, Project Admins and Project Members already have full CRUD permissions for all service resources within the project,
so additional service roles are not required.

Distinction from IAM-specific roles

Project roles include permissions to manage all resources within a project.
If you only need to manage IAM resources (such as users or service accounts) within a project,
assign IAM-specific roles (e.g., IAM Project Admin, IAM Project Viewer).

Project role permission matrix

The following table compares major permissions for IAM functions and service operations at the project level.

Function / Role | Project Admin | Project Member | Project Reader
Assign/remove/modify project user roles
View project users and role list
Assign/remove/modify group roles
View group role information
Create/delete service accounts
Issue/delete service account credentials
View service account
View credentials
View service agent accounts
Modify project settings
View project information
Create/modify/delete project service resources
View project service resources

Role combinations

Multi-role assignment

Following the principle of least privilege, assign only the roles necessary to perform required tasks.
Since higher-level roles already include subordinate permissions, avoid redundant assignments.

Multiple roles should only be combined when each role’s scope or responsibility is clearly separated.

When both basic project roles and service-specific roles are assigned, the project role takes precedence.
The table below describes common role combinations and their scopes.

| Role combination | Description |
| --- | --- |
| Project Admin or Member | Can create, modify, and delete most service resources without additional service roles. ⚠️ However, cannot access or modify IAM resources (users, groups, roles, service accounts, and credentials). |
| Project Reader + IAM Project Viewer | Provides read-only access to both project resources and IAM configurations. Suitable for security administrators or audit personnel who need visibility into IAM setups. |
| Project Reader + Service Manager | Grants read access to all project resources and management privileges for specific services. Ideal for delegating service-level operations. Example: Project Reader + Object Storage Manager. |
| Project Admin + IAM Project Admin ❌ | ⚠️ Duplicate assignment: The Project Admin already has both project and IAM control permissions. → Additional IAM-specific roles are unnecessary; assign Project Admin only. |
| Project Member + Service Viewer ❌ | ⚠️ Duplicate assignment: The Project Member already has create/delete/read permissions for project resources. → Additional service roles are unnecessary; assign Project Member only. |
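
The duplicate-assignment rules above (included sub-roles, Project Admin already holding IAM control, Project Admin and Project Member already holding full CRUD on service resources) can be checked mechanically during an access review. The following Python is an added example, not the platform's own code; the `{principal: [roles]}` input format and the rule that any role name outside the project and IAM role names is treated as a service role are assumptions.

```python
# Added example: flag redundant project role assignments.
# Role names come from this page; the binding format is an assumption.

PROJECT_ROLES = ["Project Reader", "Project Member", "Project Admin"]  # low -> high
IAM_ROLES = {"IAM Project Admin", "IAM Project Viewer"}


def redundant_roles(assigned):
    """Return {role: reason} for roles already covered by another assigned role."""
    assigned = set(assigned)
    held = [r for r in PROJECT_ROLES if r in assigned]
    findings = {}
    if not held:
        return findings  # no basic project role: nothing can be subsumed
    top = held[-1]  # highest project role the principal holds
    for role in sorted(assigned - {top}):
        if role in PROJECT_ROLES:
            findings[role] = f"included in {top}"
        elif role in IAM_ROLES:
            # Only Project Admin carries IAM control; Member and Reader do not.
            if top == "Project Admin":
                findings[role] = "Project Admin already has IAM control"
        elif top in ("Project Admin", "Project Member"):
            # Assumption: any non-project, non-IAM name is a service role.
            findings[role] = f"{top} already has full CRUD on service resources"
    return findings


def audit(bindings):
    """bindings: {principal: [role, ...]} -> {principal: {role: reason}}, non-empty only."""
    return {p: f for p, roles in bindings.items() if (f := redundant_roles(roles))}


# Constructed sample bindings (not from any real project).
SAMPLE = {
    "alice": ["Project Admin", "IAM Project Admin"],        # duplicate
    "bob": ["Project Member", "Object Storage Manager"],    # duplicate
    "carol": ["Project Reader", "IAM Project Viewer"],      # valid: audit visibility
    "dave": ["Project Reader", "Object Storage Manager"],   # valid: delegated service ops
    "erin": ["Project Admin", "Project Reader"],            # duplicate: sub-role
}

if __name__ == "__main__":
    for principal, findings in audit(SAMPLE).items():
        for role, reason in findings.items():
            print(f"{principal}: drop '{role}' ({reason})")
```

The same service role is flagged for bob but not for dave, because only Project Admin and Project Member already cover service resource management.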