GKE Hub roles and permissions

This page lists the IAM roles and permissions for GKE Hub. To search through all roles and permissions, see the role and permission index.

GKE Hub roles

Role Permissions

Role	Permissions
Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Full access to Fleet resources.	`gkehub.features.` `gkehub.features.create` `gkehub.features.delete` `gkehub.features.get` `gkehub.features.getIamPolicy` `gkehub.features.list` `gkehub.features.setIamPolicy` `gkehub.features.update` `gkehub.fleet.` `gkehub.fleet.create` `gkehub.fleet.createFreeTrial` `gkehub.fleet.delete` `gkehub.fleet.get` `gkehub.fleet.getFreeTrial` `gkehub.fleet.update` `gkehub.fleet.updateFreeTrial` `gkehub.locations.` `gkehub.locations.get` `gkehub.locations.list` `gkehub.membershipbindings.` `gkehub.membershipbindings.create` `gkehub.membershipbindings.delete` `gkehub.membershipbindings.get` `gkehub.membershipbindings.list` `gkehub.membershipbindings.update` `gkehub.membershipfeatures.` `gkehub.membershipfeatures.create` `gkehub.membershipfeatures.delete` `gkehub.membershipfeatures.get` `gkehub.membershipfeatures.list` `gkehub.membershipfeatures.update` `gkehub.memberships.` `gkehub.memberships.create` `gkehub.memberships.delete` `gkehub.memberships.generateConnectManifest` `gkehub.memberships.get` `gkehub.memberships.getIamPolicy` `gkehub.memberships.list` `gkehub.memberships.setIamPolicy` `gkehub.memberships.update` `gkehub.namespaces.` `gkehub.namespaces.create` `gkehub.namespaces.delete` `gkehub.namespaces.get` `gkehub.namespaces.list` `gkehub.namespaces.update` `gkehub.operations.` `gkehub.operations.cancel` `gkehub.operations.delete` `gkehub.operations.get` `gkehub.operations.list` `gkehub.rbacrolebindings.` `gkehub.rbacrolebindings.create` `gkehub.rbacrolebindings.delete` `gkehub.rbacrolebindings.get` `gkehub.rbacrolebindings.list` `gkehub.rbacrolebindings.update` `gkehub.scopes.` `gkehub.scopes.create` `gkehub.scopes.delete` `gkehub.scopes.get` `gkehub.scopes.getIamPolicy` `gkehub.scopes.list` `gkehub.scopes.listBoundMemberships` `gkehub.scopes.setIamPolicy` `gkehub.scopes.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
GKE Connect Agent (`roles/gkehub.connect`) Ability to set up GKE Connect between external clusters and Google.	`gkehub.endpoints.connect`
GKE Hub Cross Project Service Agent (`roles/gkehub.crossProjectServiceAgent`) Gives the GKE Hub service agent permission to manage the project for cross-project fleet registration. Warning: Do not grant service agent roles to any principals except service agents.	`resourcemanager.projects.getIamPolicy` `resourcemanager.projects.setIamPolicy`
Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Edit access to Fleet resources.	`gkehub.features.create` `gkehub.features.delete` `gkehub.features.get` `gkehub.features.getIamPolicy` `gkehub.features.list` `gkehub.features.update` `gkehub.fleet.` `gkehub.fleet.create` `gkehub.fleet.createFreeTrial` `gkehub.fleet.delete` `gkehub.fleet.get` `gkehub.fleet.getFreeTrial` `gkehub.fleet.update` `gkehub.fleet.updateFreeTrial` `gkehub.locations.` `gkehub.locations.get` `gkehub.locations.list` `gkehub.membershipbindings.` `gkehub.membershipbindings.create` `gkehub.membershipbindings.delete` `gkehub.membershipbindings.get` `gkehub.membershipbindings.list` `gkehub.membershipbindings.update` `gkehub.membershipfeatures.` `gkehub.membershipfeatures.create` `gkehub.membershipfeatures.delete` `gkehub.membershipfeatures.get` `gkehub.membershipfeatures.list` `gkehub.membershipfeatures.update` `gkehub.memberships.create` `gkehub.memberships.delete` `gkehub.memberships.generateConnectManifest` `gkehub.memberships.get` `gkehub.memberships.getIamPolicy` `gkehub.memberships.list` `gkehub.memberships.update` `gkehub.namespaces.` `gkehub.namespaces.create` `gkehub.namespaces.delete` `gkehub.namespaces.get` `gkehub.namespaces.list` `gkehub.namespaces.update` `gkehub.operations.` `gkehub.operations.cancel` `gkehub.operations.delete` `gkehub.operations.get` `gkehub.operations.list` `gkehub.rbacrolebindings.*` `gkehub.rbacrolebindings.create` `gkehub.rbacrolebindings.delete` `gkehub.rbacrolebindings.get` `gkehub.rbacrolebindings.list` `gkehub.rbacrolebindings.update` `gkehub.scopes.create` `gkehub.scopes.delete` `gkehub.scopes.get` `gkehub.scopes.getIamPolicy` `gkehub.scopes.list` `gkehub.scopes.listBoundMemberships` `gkehub.scopes.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Connect Gateway Admin (`roles/gkehub.gatewayAdmin`) Full access to Connect Gateway.	`gkehub.gateway.*` `gkehub.gateway.delete` `gkehub.gateway.generateCredentials` `gkehub.gateway.get` `gkehub.gateway.patch` `gkehub.gateway.post` `gkehub.gateway.put` `gkehub.gateway.stream` `gkehub.memberships.get` `serviceusage.services.get`
Connect Gateway Editor (`roles/gkehub.gatewayEditor`) Edit access to Connect Gateway.	`gkehub.gateway.delete` `gkehub.gateway.generateCredentials` `gkehub.gateway.get` `gkehub.gateway.patch` `gkehub.gateway.post` `gkehub.gateway.put` `gkehub.memberships.get` `serviceusage.services.get`
Connect Gateway Reader (`roles/gkehub.gatewayReader`) Read-only access to Connect Gateway.	`gkehub.gateway.generateCredentials` `gkehub.gateway.get` `gkehub.memberships.get` `serviceusage.services.get`
Fleet Scope Admin (`roles/gkehub.scopeAdmin`) Admin access to Fleet Scopes to set IAM Bindings and RBACRoleBindings.	`gkehub.namespaces.create` `gkehub.namespaces.delete` `gkehub.namespaces.get` `gkehub.namespaces.list` `gkehub.rbacrolebindings.*` `gkehub.rbacrolebindings.create` `gkehub.rbacrolebindings.delete` `gkehub.rbacrolebindings.get` `gkehub.rbacrolebindings.list` `gkehub.rbacrolebindings.update` `gkehub.scopes.get` `gkehub.scopes.getIamPolicy` `gkehub.scopes.listBoundMemberships` `gkehub.scopes.setIamPolicy`
Fleet Scope Editor (`roles/gkehub.scopeEditor`) Edit access to Namespaces under Fleet Scopes.	`gkehub.namespaces.create` `gkehub.namespaces.delete` `gkehub.namespaces.get` `gkehub.namespaces.list` `gkehub.rbacrolebindings.get` `gkehub.rbacrolebindings.list` `gkehub.scopes.get` `gkehub.scopes.getIamPolicy` `gkehub.scopes.listBoundMemberships`
Fleet Project-level Scope Editor (`roles/gkehub.scopeEditorProjectLevel`) Role for project-level permissions for editor of Fleet Scopes.	`gkehub.gateway.delete` `gkehub.gateway.generateCredentials` `gkehub.gateway.get` `gkehub.gateway.patch` `gkehub.gateway.post` `gkehub.gateway.put` `gkehub.memberships.get` `gkehub.operations.get` `monitoring.timeSeries.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.get`
Fleet Scope Viewer (`roles/gkehub.scopeViewer`) Viewer of Fleet Scopes and associated resources.	`gkehub.namespaces.get` `gkehub.namespaces.list` `gkehub.rbacrolebindings.get` `gkehub.rbacrolebindings.list` `gkehub.scopes.get` `gkehub.scopes.getIamPolicy` `gkehub.scopes.listBoundMemberships`
Fleet Project-level Scope Viewer (`roles/gkehub.scopeViewerProjectLevel`) Role for project-level permissions for viewer of Fleet Scopes.	`gkehub.gateway.generateCredentials` `gkehub.gateway.get` `gkehub.memberships.get` `monitoring.timeSeries.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.get`
GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Gives the GKE Hub service agent access to Cloud Platform resources. Warning: Do not grant service agent roles to any principals except service agents.	`container.clusterRoleBindings.` `container.clusterRoleBindings.create` `container.clusterRoleBindings.delete` `container.clusterRoleBindings.get` `container.clusterRoleBindings.list` `container.clusterRoleBindings.update` `container.clusterRoles.` `container.clusterRoles.bind` `container.clusterRoles.create` `container.clusterRoles.delete` `container.clusterRoles.escalate` `container.clusterRoles.get` `container.clusterRoles.list` `container.clusterRoles.update` `container.clusters.connect` `container.clusters.get` `container.clusters.list` `container.clusters.update` `container.customResourceDefinitions.create` `container.customResourceDefinitions.delete` `container.customResourceDefinitions.get` `container.customResourceDefinitions.list` `container.customResourceDefinitions.update` `container.namespaces.get` `container.operations.get` `container.thirdPartyObjects.` `container.thirdPartyObjects.create` `container.thirdPartyObjects.delete` `container.thirdPartyObjects.get` `container.thirdPartyObjects.list` `container.thirdPartyObjects.update` `gkehub.features.create` `gkehub.features.get` `gkehub.features.list` `gkehub.fleet.create` `gkehub.fleet.get` `gkehub.gateway.delete` `gkehub.gateway.generateCredentials` `gkehub.gateway.get` `gkehub.gateway.patch` `gkehub.gateway.post` `gkehub.gateway.put` `gkehub.locations.` `gkehub.locations.get` `gkehub.locations.list` `gkehub.memberships.create` `gkehub.memberships.generateConnectManifest` `gkehub.memberships.get` `gkehub.memberships.list` `gkehub.operations.get` `gkemulticloud.awsClusters.get` `gkemulticloud.azureClusters.get` `gkeonprem.bareMetalClusters.get` `gkeonprem.vmwareClusters.get` `logging.buckets.create` `logging.buckets.get` `logging.buckets.list` `logging.buckets.update` `logging.exclusions.` `logging.exclusions.create` `logging.exclusions.delete` `logging.exclusions.get` `logging.exclusions.list` `logging.exclusions.update` `logging.sinks.` `logging.sinks.create` `logging.sinks.delete` `logging.sinks.get` `logging.sinks.list` `logging.sinks.update` `logging.views.create` `logging.views.get` `logging.views.list` `logging.views.update` `monitoring.metricsScopes.link` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.get` `serviceusage.services.list`
Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Read-only access to Fleets and related resources.	`gkehub.features.get` `gkehub.features.getIamPolicy` `gkehub.features.list` `gkehub.fleet.get` `gkehub.fleet.getFreeTrial` `gkehub.locations.*` `gkehub.locations.get` `gkehub.locations.list` `gkehub.membershipbindings.get` `gkehub.membershipbindings.list` `gkehub.membershipfeatures.get` `gkehub.membershipfeatures.list` `gkehub.memberships.generateConnectManifest` `gkehub.memberships.get` `gkehub.memberships.getIamPolicy` `gkehub.memberships.list` `gkehub.namespaces.get` `gkehub.namespaces.list` `gkehub.operations.get` `gkehub.operations.list` `gkehub.rbacrolebindings.get` `gkehub.rbacrolebindings.list` `gkehub.scopes.get` `gkehub.scopes.list` `gkehub.scopes.listBoundMemberships` `resourcemanager.projects.get` `resourcemanager.projects.list`

Fleet Admin (formerly GKE Hub Admin)

(roles/gkehub.admin)

Full access to Fleet resources.

gkehub.features.*

gkehub.features.create
gkehub.features.delete
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.setIamPolicy
gkehub.features.update

gkehub.fleet.*

gkehub.fleet.create
gkehub.fleet.createFreeTrial
gkehub.fleet.delete
gkehub.fleet.get
gkehub.fleet.getFreeTrial
gkehub.fleet.update
gkehub.fleet.updateFreeTrial

gkehub.locations.*

gkehub.locations.get
gkehub.locations.list

gkehub.membershipbindings.*

gkehub.membershipbindings.create
gkehub.membershipbindings.delete
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipbindings.update

gkehub.membershipfeatures.*

gkehub.membershipfeatures.create
gkehub.membershipfeatures.delete
gkehub.membershipfeatures.get
gkehub.membershipfeatures.list
gkehub.membershipfeatures.update

gkehub.memberships.*

gkehub.memberships.create
gkehub.memberships.delete
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.memberships.setIamPolicy
gkehub.memberships.update

gkehub.namespaces.*

gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.namespaces.update

gkehub.operations.*

gkehub.operations.cancel
gkehub.operations.delete
gkehub.operations.get
gkehub.operations.list

gkehub.rbacrolebindings.*

gkehub.rbacrolebindings.create
gkehub.rbacrolebindings.delete
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.rbacrolebindings.update

gkehub.scopes.*

gkehub.scopes.create
gkehub.scopes.delete
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.scopes.listBoundMemberships
gkehub.scopes.setIamPolicy
gkehub.scopes.update

resourcemanager.projects.get

resourcemanager.projects.list

GKE Connect Agent

(roles/gkehub.connect)

Ability to set up GKE Connect between external clusters and Google.

gkehub.endpoints.connect

GKE Hub Cross Project Service Agent

(roles/gkehub.crossProjectServiceAgent)

Gives the GKE Hub service agent permission to manage the project for cross-project fleet registration.

resourcemanager.projects.getIamPolicy

resourcemanager.projects.setIamPolicy

Fleet Editor (formerly GKE Hub Editor)

(roles/gkehub.editor)

Edit access to Fleet resources.

gkehub.features.create

gkehub.features.delete

gkehub.features.get

gkehub.features.getIamPolicy

gkehub.features.list

gkehub.features.update

gkehub.fleet.*

gkehub.fleet.create
gkehub.fleet.createFreeTrial
gkehub.fleet.delete
gkehub.fleet.get
gkehub.fleet.getFreeTrial
gkehub.fleet.update
gkehub.fleet.updateFreeTrial

gkehub.locations.*

gkehub.locations.get
gkehub.locations.list

gkehub.membershipbindings.*

gkehub.membershipbindings.create
gkehub.membershipbindings.delete
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipbindings.update

gkehub.membershipfeatures.*

gkehub.membershipfeatures.create
gkehub.membershipfeatures.delete
gkehub.membershipfeatures.get
gkehub.membershipfeatures.list
gkehub.membershipfeatures.update

gkehub.memberships.create

gkehub.memberships.delete

gkehub.memberships.generateConnectManifest

gkehub.memberships.get

gkehub.memberships.getIamPolicy

gkehub.memberships.list

gkehub.memberships.update

gkehub.namespaces.*

gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.namespaces.update

gkehub.operations.*

gkehub.operations.cancel
gkehub.operations.delete
gkehub.operations.get
gkehub.operations.list

gkehub.rbacrolebindings.*

gkehub.rbacrolebindings.create
gkehub.rbacrolebindings.delete
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.rbacrolebindings.update

gkehub.scopes.create

gkehub.scopes.delete

gkehub.scopes.get

gkehub.scopes.getIamPolicy

gkehub.scopes.list

gkehub.scopes.listBoundMemberships

gkehub.scopes.update

resourcemanager.projects.get

resourcemanager.projects.list

Connect Gateway Admin

(roles/gkehub.gatewayAdmin)

Full access to Connect Gateway.

gkehub.gateway.*

gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.gateway.stream

gkehub.memberships.get

serviceusage.services.get

Connect Gateway Editor

(roles/gkehub.gatewayEditor)

Edit access to Connect Gateway.

gkehub.gateway.delete

gkehub.gateway.generateCredentials

gkehub.gateway.get

gkehub.gateway.patch

gkehub.gateway.post

gkehub.gateway.put

gkehub.memberships.get

serviceusage.services.get

Connect Gateway Reader

(roles/gkehub.gatewayReader)

Read-only access to Connect Gateway.

gkehub.gateway.generateCredentials

gkehub.gateway.get

gkehub.memberships.get

serviceusage.services.get

Fleet Scope Admin

(roles/gkehub.scopeAdmin)

Admin access to Fleet Scopes to set IAM Bindings and RBACRoleBindings.

gkehub.namespaces.create

gkehub.namespaces.delete

gkehub.namespaces.get

gkehub.namespaces.list

gkehub.rbacrolebindings.*

gkehub.rbacrolebindings.create
gkehub.rbacrolebindings.delete
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.rbacrolebindings.update

gkehub.scopes.get

gkehub.scopes.getIamPolicy

gkehub.scopes.listBoundMemberships

gkehub.scopes.setIamPolicy

Fleet Scope Editor

(roles/gkehub.scopeEditor)

Edit access to Namespaces under Fleet Scopes.

gkehub.namespaces.create

gkehub.namespaces.delete

gkehub.namespaces.get

gkehub.namespaces.list

gkehub.rbacrolebindings.get

gkehub.rbacrolebindings.list

gkehub.scopes.get

gkehub.scopes.getIamPolicy

gkehub.scopes.listBoundMemberships

Fleet Project-level Scope Editor

(roles/gkehub.scopeEditorProjectLevel)

Role for project-level permissions for editor of Fleet Scopes.

gkehub.gateway.delete

gkehub.gateway.generateCredentials

gkehub.gateway.get

gkehub.gateway.patch

gkehub.gateway.post

gkehub.gateway.put

gkehub.memberships.get

gkehub.operations.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

Fleet Scope Viewer

(roles/gkehub.scopeViewer)

Viewer of Fleet Scopes and associated resources.

gkehub.namespaces.get

gkehub.namespaces.list

gkehub.rbacrolebindings.get

gkehub.rbacrolebindings.list

gkehub.scopes.get

gkehub.scopes.getIamPolicy

gkehub.scopes.listBoundMemberships

Fleet Project-level Scope Viewer

(roles/gkehub.scopeViewerProjectLevel)

Role for project-level permissions for viewer of Fleet Scopes.

gkehub.gateway.generateCredentials

gkehub.gateway.get

gkehub.memberships.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

GKE Hub Service Agent

(roles/gkehub.serviceAgent)

Gives the GKE Hub service agent access to Cloud Platform resources.

container.clusterRoleBindings.*

container.clusterRoleBindings.create
container.clusterRoleBindings.delete
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoleBindings.update

container.clusterRoles.*

container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.delete
container.clusterRoles.escalate
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update

container.clusters.connect

container.clusters.get

container.clusters.list

container.clusters.update

container.customResourceDefinitions.create

container.customResourceDefinitions.delete

container.customResourceDefinitions.get

container.customResourceDefinitions.list

container.customResourceDefinitions.update

container.namespaces.get

container.operations.get

container.thirdPartyObjects.*

container.thirdPartyObjects.create
container.thirdPartyObjects.delete
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyObjects.update

gkehub.features.create

gkehub.features.get

gkehub.features.list

gkehub.fleet.create

gkehub.fleet.get

gkehub.gateway.delete

gkehub.gateway.generateCredentials

gkehub.gateway.get

gkehub.gateway.patch

gkehub.gateway.post

gkehub.gateway.put

gkehub.locations.*

gkehub.locations.get
gkehub.locations.list

gkehub.memberships.create

gkehub.memberships.generateConnectManifest

gkehub.memberships.get

gkehub.memberships.list

gkehub.operations.get

gkemulticloud.awsClusters.get

gkemulticloud.azureClusters.get

gkeonprem.bareMetalClusters.get

gkeonprem.vmwareClusters.get

logging.buckets.create

logging.buckets.get

logging.buckets.list

logging.buckets.update

logging.exclusions.*

logging.exclusions.create
logging.exclusions.delete
logging.exclusions.get
logging.exclusions.list
logging.exclusions.update

logging.sinks.*

logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
logging.sinks.update

logging.views.create

logging.views.get

logging.views.list

logging.views.update

monitoring.metricsScopes.link

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

Fleet Viewer (formerly GKE Hub Viewer)

(roles/gkehub.viewer)

Read-only access to Fleets and related resources.

gkehub.features.get

gkehub.features.getIamPolicy

gkehub.features.list

gkehub.fleet.get

gkehub.fleet.getFreeTrial

gkehub.locations.*

gkehub.locations.get
gkehub.locations.list

gkehub.membershipbindings.get

gkehub.membershipbindings.list

gkehub.membershipfeatures.get

gkehub.membershipfeatures.list

gkehub.memberships.generateConnectManifest

gkehub.memberships.get

gkehub.memberships.getIamPolicy

gkehub.memberships.list

gkehub.namespaces.get

gkehub.namespaces.list

gkehub.operations.get

gkehub.operations.list

gkehub.rbacrolebindings.get

gkehub.rbacrolebindings.list

gkehub.scopes.get

gkehub.scopes.list

gkehub.scopes.listBoundMemberships

resourcemanager.projects.get

resourcemanager.projects.list

GKE Hub permissions

Permission	Included in roles
`gkehub.endpoints.connect`	Owner (`roles/owner`) Velostrata Manager (`roles/cloudmigration.inframanager`) Velostrata Manager Connection Agent (`roles/cloudmigration.velostrataconnect`) GKE Connect Agent (`roles/gkehub.connect`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`)
`gkehub.features.create`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`)
`gkehub.features.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.features.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Service Agent (`roles/anthos.serviceAgent`) Anthos Audit Service Agent (`roles/anthosaudit.serviceAgent`) Anthos Config Management Service Agent (`roles/anthosconfigmanagement.serviceAgent`) Anthos Identity Service Agent (`roles/anthosidentityservice.serviceAgent`) Anthos Policy Controller Service Agent (`roles/anthospolicycontroller.serviceAgent`) Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`) App Development Experience Service Agent (`roles/appdevelopmentexperience.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Game Services Service Agent (`roles/gameservices.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Multi Cluster Ingress Service Agent (`roles/multiclusteringress.serviceAgent`) Multi-cluster metering Service Agent (`roles/multiclustermetering.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Service Directory Service Agent (`roles/servicedirectory.serviceAgent`) Workload Certificate Service Agent (`roles/workloadcertificate.serviceAgent`) Vertex AI Online Prediction Service Agent (`roles/aiplatform.onlinePredictionServiceAgent`)
`gkehub.features.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Support Service Agent (`roles/anthossupport.serviceAgent`) Game Services Service Agent (`roles/gameservices.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Vertex AI Online Prediction Service Agent (`roles/aiplatform.onlinePredictionServiceAgent`)
`gkehub.features.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Support Service Agent (`roles/anthossupport.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Game Services Service Agent (`roles/gameservices.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Vertex AI Online Prediction Service Agent (`roles/aiplatform.onlinePredictionServiceAgent`)
`gkehub.features.setIamPolicy`	Owner (`roles/owner`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Security Admin (`roles/iam.securityAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.features.update`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`)
`gkehub.fleet.create`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Workload Certificate Service Agent (`roles/workloadcertificate.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`)
`gkehub.fleet.createFreeTrial`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.fleet.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`)
`gkehub.fleet.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Support Service Agent (`roles/anthossupport.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Game Services Service Agent (`roles/gameservices.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Workload Certificate Service Agent (`roles/workloadcertificate.serviceAgent`) Vertex AI Online Prediction Service Agent (`roles/aiplatform.onlinePredictionServiceAgent`)
`gkehub.fleet.getFreeTrial`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Game Services Service Agent (`roles/gameservices.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`)
`gkehub.fleet.update`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.fleet.updateFreeTrial`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.gateway.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Connect Gateway Admin (`roles/gkehub.gatewayAdmin`) Connect Gateway Editor (`roles/gkehub.gatewayEditor`) Fleet Project-level Scope Editor (`roles/gkehub.scopeEditorProjectLevel`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Config Management Service Agent (`roles/anthosconfigmanagement.serviceAgent`) Anthos Identity Service Agent (`roles/anthosidentityservice.serviceAgent`) Anthos Policy Controller Service Agent (`roles/anthospolicycontroller.serviceAgent`) Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) App Development Experience Service Agent (`roles/appdevelopmentexperience.serviceAgent`) Config Delivery Service Agent (`roles/configdelivery.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Multi Cluster Ingress Service Agent (`roles/multiclusteringress.serviceAgent`) Multi-cluster metering Service Agent (`roles/multiclustermetering.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Service Directory Service Agent (`roles/servicedirectory.serviceAgent`) Vertex AI Online Prediction Service Agent (`roles/aiplatform.onlinePredictionServiceAgent`)
`gkehub.gateway.generateCredentials`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Connect Gateway Admin (`roles/gkehub.gatewayAdmin`) Connect Gateway Editor (`roles/gkehub.gatewayEditor`) Connect Gateway Reader (`roles/gkehub.gatewayReader`) Fleet Project-level Scope Editor (`roles/gkehub.scopeEditorProjectLevel`) Fleet Project-level Scope Viewer (`roles/gkehub.scopeViewerProjectLevel`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Config Management Service Agent (`roles/anthosconfigmanagement.serviceAgent`) Anthos Identity Service Agent (`roles/anthosidentityservice.serviceAgent`) Anthos Policy Controller Service Agent (`roles/anthospolicycontroller.serviceAgent`) Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`) App Development Experience Service Agent (`roles/appdevelopmentexperience.serviceAgent`) Config Delivery Service Agent (`roles/configdelivery.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Multi Cluster Ingress Service Agent (`roles/multiclusteringress.serviceAgent`) Multi-cluster metering Service Agent (`roles/multiclustermetering.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Service Directory Service Agent (`roles/servicedirectory.serviceAgent`) Vertex AI Online Prediction Service Agent (`roles/aiplatform.onlinePredictionServiceAgent`)
`gkehub.gateway.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Connect Gateway Admin (`roles/gkehub.gatewayAdmin`) Connect Gateway Editor (`roles/gkehub.gatewayEditor`) Connect Gateway Reader (`roles/gkehub.gatewayReader`) Fleet Project-level Scope Editor (`roles/gkehub.scopeEditorProjectLevel`) Fleet Project-level Scope Viewer (`roles/gkehub.scopeViewerProjectLevel`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Config Management Service Agent (`roles/anthosconfigmanagement.serviceAgent`) Anthos Identity Service Agent (`roles/anthosidentityservice.serviceAgent`) Anthos Policy Controller Service Agent (`roles/anthospolicycontroller.serviceAgent`) Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`) App Development Experience Service Agent (`roles/appdevelopmentexperience.serviceAgent`) Config Delivery Service Agent (`roles/configdelivery.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Multi Cluster Ingress Service Agent (`roles/multiclusteringress.serviceAgent`) Multi-cluster metering Service Agent (`roles/multiclustermetering.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Service Directory Service Agent (`roles/servicedirectory.serviceAgent`) Vertex AI Online Prediction Service Agent (`roles/aiplatform.onlinePredictionServiceAgent`)
`gkehub.gateway.patch`	Owner (`roles/owner`) Editor (`roles/editor`) Connect Gateway Admin (`roles/gkehub.gatewayAdmin`) Connect Gateway Editor (`roles/gkehub.gatewayEditor`) Fleet Project-level Scope Editor (`roles/gkehub.scopeEditorProjectLevel`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Config Management Service Agent (`roles/anthosconfigmanagement.serviceAgent`) Anthos Identity Service Agent (`roles/anthosidentityservice.serviceAgent`) Anthos Policy Controller Service Agent (`roles/anthospolicycontroller.serviceAgent`) Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) App Development Experience Service Agent (`roles/appdevelopmentexperience.serviceAgent`) Config Delivery Service Agent (`roles/configdelivery.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Multi Cluster Ingress Service Agent (`roles/multiclusteringress.serviceAgent`) Multi-cluster metering Service Agent (`roles/multiclustermetering.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Service Directory Service Agent (`roles/servicedirectory.serviceAgent`) Vertex AI Online Prediction Service Agent (`roles/aiplatform.onlinePredictionServiceAgent`)
`gkehub.gateway.post`	Owner (`roles/owner`) Editor (`roles/editor`) Connect Gateway Admin (`roles/gkehub.gatewayAdmin`) Connect Gateway Editor (`roles/gkehub.gatewayEditor`) Fleet Project-level Scope Editor (`roles/gkehub.scopeEditorProjectLevel`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Config Management Service Agent (`roles/anthosconfigmanagement.serviceAgent`) Anthos Identity Service Agent (`roles/anthosidentityservice.serviceAgent`) Anthos Policy Controller Service Agent (`roles/anthospolicycontroller.serviceAgent`) Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) App Development Experience Service Agent (`roles/appdevelopmentexperience.serviceAgent`) Config Delivery Service Agent (`roles/configdelivery.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Multi Cluster Ingress Service Agent (`roles/multiclusteringress.serviceAgent`) Multi-cluster metering Service Agent (`roles/multiclustermetering.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Service Directory Service Agent (`roles/servicedirectory.serviceAgent`) Vertex AI Online Prediction Service Agent (`roles/aiplatform.onlinePredictionServiceAgent`)
`gkehub.gateway.put`	Owner (`roles/owner`) Editor (`roles/editor`) Connect Gateway Admin (`roles/gkehub.gatewayAdmin`) Connect Gateway Editor (`roles/gkehub.gatewayEditor`) Fleet Project-level Scope Editor (`roles/gkehub.scopeEditorProjectLevel`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Config Management Service Agent (`roles/anthosconfigmanagement.serviceAgent`) Anthos Identity Service Agent (`roles/anthosidentityservice.serviceAgent`) Anthos Policy Controller Service Agent (`roles/anthospolicycontroller.serviceAgent`) Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) App Development Experience Service Agent (`roles/appdevelopmentexperience.serviceAgent`) Config Delivery Service Agent (`roles/configdelivery.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Multi Cluster Ingress Service Agent (`roles/multiclusteringress.serviceAgent`) Multi-cluster metering Service Agent (`roles/multiclustermetering.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Service Directory Service Agent (`roles/servicedirectory.serviceAgent`) Vertex AI Online Prediction Service Agent (`roles/aiplatform.onlinePredictionServiceAgent`)
`gkehub.gateway.stream`	Owner (`roles/owner`) Editor (`roles/editor`) Connect Gateway Admin (`roles/gkehub.gatewayAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`)
`gkehub.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Service Agent (`roles/anthos.serviceAgent`) Anthos Audit Service Agent (`roles/anthosaudit.serviceAgent`) Anthos Config Management Service Agent (`roles/anthosconfigmanagement.serviceAgent`) Anthos Identity Service Agent (`roles/anthosidentityservice.serviceAgent`) Anthos Policy Controller Service Agent (`roles/anthospolicycontroller.serviceAgent`) Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`) App Development Experience Service Agent (`roles/appdevelopmentexperience.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Game Services Service Agent (`roles/gameservices.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Multi Cluster Ingress Service Agent (`roles/multiclusteringress.serviceAgent`) Multi-cluster metering Service Agent (`roles/multiclustermetering.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Service Directory Service Agent (`roles/servicedirectory.serviceAgent`) Workload Certificate Service Agent (`roles/workloadcertificate.serviceAgent`) Vertex AI Online Prediction Service Agent (`roles/aiplatform.onlinePredictionServiceAgent`)
`gkehub.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Service Agent (`roles/anthos.serviceAgent`) Anthos Audit Service Agent (`roles/anthosaudit.serviceAgent`) Anthos Config Management Service Agent (`roles/anthosconfigmanagement.serviceAgent`) Anthos Identity Service Agent (`roles/anthosidentityservice.serviceAgent`) Anthos Policy Controller Service Agent (`roles/anthospolicycontroller.serviceAgent`) Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`) App Development Experience Service Agent (`roles/appdevelopmentexperience.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Game Services Service Agent (`roles/gameservices.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Multi Cluster Ingress Service Agent (`roles/multiclusteringress.serviceAgent`) Multi-cluster metering Service Agent (`roles/multiclustermetering.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Service Directory Service Agent (`roles/servicedirectory.serviceAgent`) Workload Certificate Service Agent (`roles/workloadcertificate.serviceAgent`) Vertex AI Online Prediction Service Agent (`roles/aiplatform.onlinePredictionServiceAgent`)
`gkehub.membershipbindings.create`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.membershipbindings.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.membershipbindings.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Game Services Service Agent (`roles/gameservices.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`)
`gkehub.membershipbindings.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Game Services Service Agent (`roles/gameservices.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`)
`gkehub.membershipbindings.update`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.membershipfeatures.create`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.membershipfeatures.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.membershipfeatures.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Game Services Service Agent (`roles/gameservices.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`)
`gkehub.membershipfeatures.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Game Services Service Agent (`roles/gameservices.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`)
`gkehub.membershipfeatures.update`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.memberships.create`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Edge Container Service Agent (`roles/edgecontainer.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`)
`gkehub.memberships.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Edge Container Service Agent (`roles/edgecontainer.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`)
`gkehub.memberships.generateConnectManifest`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Edge Container Service Agent (`roles/edgecontainer.serviceAgent`) Game Services Service Agent (`roles/gameservices.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`)
`gkehub.memberships.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Connect Gateway Admin (`roles/gkehub.gatewayAdmin`) Connect Gateway Editor (`roles/gkehub.gatewayEditor`) Connect Gateway Reader (`roles/gkehub.gatewayReader`) Fleet Project-level Scope Editor (`roles/gkehub.scopeEditorProjectLevel`) Fleet Project-level Scope Viewer (`roles/gkehub.scopeViewerProjectLevel`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Service Agent (`roles/anthos.serviceAgent`) Anthos Audit Service Agent (`roles/anthosaudit.serviceAgent`) Anthos Config Management Service Agent (`roles/anthosconfigmanagement.serviceAgent`) Anthos Identity Service Agent (`roles/anthosidentityservice.serviceAgent`) Anthos Policy Controller Service Agent (`roles/anthospolicycontroller.serviceAgent`) Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`) App Development Experience Service Agent (`roles/appdevelopmentexperience.serviceAgent`) Config Delivery Service Agent (`roles/configdelivery.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Edge Container Service Agent (`roles/edgecontainer.serviceAgent`) Game Services Service Agent (`roles/gameservices.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Multi Cluster Ingress Service Agent (`roles/multiclusteringress.serviceAgent`) Multi-cluster metering Service Agent (`roles/multiclustermetering.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Service Directory Service Agent (`roles/servicedirectory.serviceAgent`) Workload Certificate Service Agent (`roles/workloadcertificate.serviceAgent`) Vertex AI Online Prediction Service Agent (`roles/aiplatform.onlinePredictionServiceAgent`)
`gkehub.memberships.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Support Service Agent (`roles/anthossupport.serviceAgent`) Game Services Service Agent (`roles/gameservices.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Vertex AI Online Prediction Service Agent (`roles/aiplatform.onlinePredictionServiceAgent`)
`gkehub.memberships.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Service Agent (`roles/anthos.serviceAgent`) Anthos Audit Service Agent (`roles/anthosaudit.serviceAgent`) Anthos Config Management Service Agent (`roles/anthosconfigmanagement.serviceAgent`) Anthos Identity Service Agent (`roles/anthosidentityservice.serviceAgent`) Anthos Policy Controller Service Agent (`roles/anthospolicycontroller.serviceAgent`) Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`) App Development Experience Service Agent (`roles/appdevelopmentexperience.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Edge Container Service Agent (`roles/edgecontainer.serviceAgent`) Game Services Service Agent (`roles/gameservices.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Multi Cluster Ingress Service Agent (`roles/multiclusteringress.serviceAgent`) Multi-cluster metering Service Agent (`roles/multiclustermetering.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Service Directory Service Agent (`roles/servicedirectory.serviceAgent`) Workload Certificate Service Agent (`roles/workloadcertificate.serviceAgent`) Vertex AI Online Prediction Service Agent (`roles/aiplatform.onlinePredictionServiceAgent`)
`gkehub.memberships.setIamPolicy`	Owner (`roles/owner`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Security Admin (`roles/iam.securityAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.memberships.update`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Edge Container Service Agent (`roles/edgecontainer.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`)
`gkehub.namespaces.create`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Scope Admin (`roles/gkehub.scopeAdmin`) Fleet Scope Editor (`roles/gkehub.scopeEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.namespaces.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Scope Admin (`roles/gkehub.scopeAdmin`) Fleet Scope Editor (`roles/gkehub.scopeEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.namespaces.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Scope Admin (`roles/gkehub.scopeAdmin`) Fleet Scope Editor (`roles/gkehub.scopeEditor`) Fleet Scope Viewer (`roles/gkehub.scopeViewer`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Game Services Service Agent (`roles/gameservices.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`)
`gkehub.namespaces.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Scope Admin (`roles/gkehub.scopeAdmin`) Fleet Scope Editor (`roles/gkehub.scopeEditor`) Fleet Scope Viewer (`roles/gkehub.scopeViewer`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Game Services Service Agent (`roles/gameservices.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`)
`gkehub.namespaces.update`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.operations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Edge Container Service Agent (`roles/edgecontainer.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`)
`gkehub.operations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`)
`gkehub.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Project-level Scope Editor (`roles/gkehub.scopeEditorProjectLevel`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Edge Container Service Agent (`roles/edgecontainer.serviceAgent`) Game Services Service Agent (`roles/gameservices.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Workload Certificate Service Agent (`roles/workloadcertificate.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`)
`gkehub.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Game Services Service Agent (`roles/gameservices.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`)
`gkehub.rbacrolebindings.create`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Scope Admin (`roles/gkehub.scopeAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.rbacrolebindings.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Scope Admin (`roles/gkehub.scopeAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.rbacrolebindings.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Scope Admin (`roles/gkehub.scopeAdmin`) Fleet Scope Editor (`roles/gkehub.scopeEditor`) Fleet Scope Viewer (`roles/gkehub.scopeViewer`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Game Services Service Agent (`roles/gameservices.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`)
`gkehub.rbacrolebindings.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Scope Admin (`roles/gkehub.scopeAdmin`) Fleet Scope Editor (`roles/gkehub.scopeEditor`) Fleet Scope Viewer (`roles/gkehub.scopeViewer`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Game Services Service Agent (`roles/gameservices.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`)
`gkehub.rbacrolebindings.update`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Scope Admin (`roles/gkehub.scopeAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.scopes.create`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.scopes.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.scopes.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Scope Admin (`roles/gkehub.scopeAdmin`) Fleet Scope Editor (`roles/gkehub.scopeEditor`) Fleet Scope Viewer (`roles/gkehub.scopeViewer`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Game Services Service Agent (`roles/gameservices.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`)
`gkehub.scopes.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Scope Admin (`roles/gkehub.scopeAdmin`) Fleet Scope Editor (`roles/gkehub.scopeEditor`) Fleet Scope Viewer (`roles/gkehub.scopeViewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)
`gkehub.scopes.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Game Services Service Agent (`roles/gameservices.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`)
`gkehub.scopes.listBoundMemberships`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Fleet Scope Admin (`roles/gkehub.scopeAdmin`) Fleet Scope Editor (`roles/gkehub.scopeEditor`) Fleet Scope Viewer (`roles/gkehub.scopeViewer`) Fleet Viewer (formerly GKE Hub Viewer) (`roles/gkehub.viewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Game Services Service Agent (`roles/gameservices.serviceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Anthos Support Service Agent (`roles/anthossupport.serviceAgent`)
`gkehub.scopes.setIamPolicy`	Owner (`roles/owner`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Scope Admin (`roles/gkehub.scopeAdmin`) Security Admin (`roles/iam.securityAdmin`)
`gkehub.scopes.update`	Owner (`roles/owner`) Editor (`roles/editor`) Fleet Admin (formerly GKE Hub Admin) (`roles/gkehub.admin`) Fleet Editor (formerly GKE Hub Editor) (`roles/gkehub.editor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. KRM API Hosting AnthosApiEndpoint Service Agent (`roles/krmapihosting.anthosApiEndpointServiceAgent`) Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`)

GKE Hub roles and permissions

GKE Hub roles

Fleet Admin (formerly GKE Hub Admin)

GKE Connect Agent

GKE Hub Cross Project Service Agent

Fleet Editor (formerly GKE Hub Editor)

Connect Gateway Admin

Connect Gateway Editor

Connect Gateway Reader

Fleet Scope Admin

Fleet Scope Editor

Fleet Project-level Scope Editor

Fleet Scope Viewer

Fleet Project-level Scope Viewer

GKE Hub Service Agent

Fleet Viewer (formerly GKE Hub Viewer)

GKE Hub permissions

gkehub.endpoints.connect

gkehub.features.create

gkehub.features.delete

gkehub.features.get

gkehub.features.getIamPolicy

gkehub.features.list

gkehub.features.setIamPolicy

gkehub.features.update

gkehub.fleet.create

gkehub.fleet.createFreeTrial

gkehub.fleet.delete

gkehub.fleet.get

gkehub.fleet.getFreeTrial

gkehub.fleet.update

gkehub.fleet.updateFreeTrial

gkehub.gateway.delete

gkehub.gateway.generateCredentials

gkehub.gateway.get

gkehub.gateway.patch

gkehub.gateway.post

gkehub.gateway.put

gkehub.gateway.stream

gkehub.locations.get

gkehub.locations.list

gkehub.membershipbindings.create

gkehub.membershipbindings.delete

gkehub.membershipbindings.get

gkehub.membershipbindings.list

gkehub.membershipbindings.update

gkehub.membershipfeatures.create

gkehub.membershipfeatures.delete

gkehub.membershipfeatures.get

gkehub.membershipfeatures.list

gkehub.membershipfeatures.update

gkehub.memberships.create

gkehub.memberships.delete

gkehub.memberships.generateConnectManifest

gkehub.memberships.get

gkehub.memberships.getIamPolicy

gkehub.memberships.list

gkehub.memberships.setIamPolicy

gkehub.memberships.update

gkehub.namespaces.create

gkehub.namespaces.delete

gkehub.namespaces.get

gkehub.namespaces.list

gkehub.namespaces.update

gkehub.operations.cancel

gkehub.operations.delete

gkehub.operations.get

gkehub.operations.list

gkehub.rbacrolebindings.create

gkehub.rbacrolebindings.delete

gkehub.rbacrolebindings.get

gkehub.rbacrolebindings.list

gkehub.rbacrolebindings.update

gkehub.scopes.create

gkehub.scopes.delete

gkehub.scopes.get

gkehub.scopes.getIamPolicy

gkehub.scopes.list

gkehub.scopes.listBoundMemberships

gkehub.scopes.setIamPolicy

`gkehub.endpoints.connect`

`gkehub.features.create`

`gkehub.features.delete`

`gkehub.features.get`

`gkehub.features.getIamPolicy`

`gkehub.features.list`

`gkehub.features.setIamPolicy`

`gkehub.features.update`

`gkehub.fleet.create`

`gkehub.fleet.createFreeTrial`

`gkehub.fleet.delete`

`gkehub.fleet.get`

`gkehub.fleet.getFreeTrial`

`gkehub.fleet.update`

`gkehub.fleet.updateFreeTrial`

`gkehub.gateway.delete`

`gkehub.gateway.generateCredentials`

`gkehub.gateway.get`

`gkehub.gateway.patch`

`gkehub.gateway.post`

`gkehub.gateway.put`

`gkehub.gateway.stream`

`gkehub.locations.get`

`gkehub.locations.list`

`gkehub.membershipbindings.create`

`gkehub.membershipbindings.delete`

`gkehub.membershipbindings.get`

`gkehub.membershipbindings.list`

`gkehub.membershipbindings.update`

`gkehub.membershipfeatures.create`

`gkehub.membershipfeatures.delete`

`gkehub.membershipfeatures.get`

`gkehub.membershipfeatures.list`

`gkehub.membershipfeatures.update`

`gkehub.memberships.create`

`gkehub.memberships.delete`

`gkehub.memberships.generateConnectManifest`

`gkehub.memberships.get`

`gkehub.memberships.getIamPolicy`

`gkehub.memberships.list`

`gkehub.memberships.setIamPolicy`

`gkehub.memberships.update`

`gkehub.namespaces.create`

`gkehub.namespaces.delete`

`gkehub.namespaces.get`

`gkehub.namespaces.list`

`gkehub.namespaces.update`

`gkehub.operations.cancel`

`gkehub.operations.delete`

`gkehub.operations.get`

`gkehub.operations.list`

`gkehub.rbacrolebindings.create`

`gkehub.rbacrolebindings.delete`

`gkehub.rbacrolebindings.get`

`gkehub.rbacrolebindings.list`

`gkehub.rbacrolebindings.update`

`gkehub.scopes.create`

`gkehub.scopes.delete`

`gkehub.scopes.get`

`gkehub.scopes.getIamPolicy`

`gkehub.scopes.list`

`gkehub.scopes.listBoundMemberships`

`gkehub.scopes.setIamPolicy`

`gkehub.scopes.update`