
Required IAM Permissions

Required API Services

Ensure the following Google Cloud Platform (GCP) API services are enabled in your GCP project before deploying a host cluster:

tip

If you need help enabling a Google Cloud API service, check out the Enable and disable APIs guide from the official Google Cloud documentation.

Required Permissions

The following snippet defines a custom GCP role with the permissions required by Palette to deploy and manage GCP workload clusters. Because the role includes service-account impersonation permissions (`iam.serviceAccounts.actAs` and `iam.serviceAccounts.getAccessToken`), grant it only to the principal that Palette authenticates with, and do not reuse it for other identities. Refer to the Create a custom role guide for instructions on how to create GCP custom roles.

Last Update: July 28, 2025

{
"title": "Palette Deployment Permissions",
"description": "Permissions required by Palette to deploy and manage GCP clusters",
"stage": "GA",
"includedPermissions": [
"compute.backendServices.create",
"compute.backendServices.delete",
"compute.backendServices.get",
"compute.backendServices.list",
"compute.backendServices.update",
"compute.backendServices.use",
"compute.disks.create",
"compute.disks.setLabels",
"compute.firewalls.create",
"compute.firewalls.delete",
"compute.firewalls.get",
"compute.firewalls.list",
"compute.globalAddresses.create",
"compute.globalAddresses.delete",
"compute.globalAddresses.get",
"compute.globalAddresses.list",
"compute.globalAddresses.use",
"compute.globalForwardingRules.create",
"compute.globalForwardingRules.delete",
"compute.globalForwardingRules.get",
"compute.globalForwardingRules.list",
"compute.globalForwardingRules.setLabels",
"compute.healthChecks.create",
"compute.healthChecks.delete",
"compute.healthChecks.get",
"compute.healthChecks.list",
"compute.healthChecks.useReadOnly",
"compute.instanceGroupManagers.get",
"compute.instanceGroups.create",
"compute.instanceGroups.delete",
"compute.instanceGroups.get",
"compute.instanceGroups.list",
"compute.instanceGroups.update",
"compute.instanceGroups.use",
"compute.instances.create",
"compute.instances.delete",
"compute.instances.get",
"compute.instances.list",
"compute.instances.setLabels",
"compute.instances.setMetadata",
"compute.instances.setServiceAccount",
"compute.instances.setTags",
"compute.instances.use",
"compute.networks.create",
"compute.networks.delete",
"compute.networks.get",
"compute.networks.list",
"compute.networks.updatePolicy",
"compute.regions.get",
"compute.regions.list",
"compute.routers.create",
"compute.routers.delete",
"compute.routers.get",
"compute.routes.delete",
"compute.routes.get",
"compute.routes.list",
"compute.subnetworks.create",
"compute.subnetworks.delete",
"compute.subnetworks.get",
"compute.subnetworks.list",
"compute.subnetworks.use",
"compute.targetTcpProxies.create",
"compute.targetTcpProxies.delete",
"compute.targetTcpProxies.get",
"compute.targetTcpProxies.use",
"compute.zones.get",
"compute.zones.list",
"container.clusters.create",
"container.clusters.delete",
"container.clusters.get",
"container.clusters.list",
"container.clusters.update",
"container.operations.get",
"container.operations.list",
"iam.serviceAccounts.actAs",
"iam.serviceAccounts.get",
"iam.serviceAccounts.getAccessToken",
"iam.serviceAccounts.list",
"orgpolicy.policy.get",
"recommender.containerDiagnosisInsights.get",
"recommender.containerDiagnosisInsights.list",
"recommender.containerDiagnosisInsights.update",
"recommender.containerDiagnosisRecommendations.get",
"recommender.containerDiagnosisRecommendations.list",
"recommender.containerDiagnosisRecommendations.update",
"recommender.locations.get",
"recommender.locations.list",
"recommender.networkAnalyzerGkeConnectivityInsights.get",
"recommender.networkAnalyzerGkeConnectivityInsights.list",
"recommender.networkAnalyzerGkeConnectivityInsights.update",
"recommender.networkAnalyzerGkeIpAddressInsights.get",
"recommender.networkAnalyzerGkeIpAddressInsights.list",
"recommender.networkAnalyzerGkeIpAddressInsights.update",
"resourcemanager.projects.get",
"serviceusage.services.get",
"serviceusage.services.list",
"storage.objects.create",
"storage.objects.delete",
"storage.objects.get",
"storage.objects.list"
]
}