VMware Cloud Well-Architected Framework- Identity and Access Management Services for Google Cloud VMware Engine

Identity & Access Management

Identity and Access Management (IAM) for Google Cloud VMware Engine follows the same principle of least privilege as any private or public cloud environment. Any user, process, or program should only be given permissions and privileges that are essential to performing its intended function.

In Google Cloud VMware Engine, a user is given access to VMware Engine resources by being given a specific IAM role through an IAM policy. A user may be given one or more IAM roles. Each IAM role contains a set of permissions that allow its member to interact with certain VMware Engine resources.  Google Cloud VMware engine IAM roles are assigned as part of the native Google Cloud Platform UI.

Types of Roles

There are three types of IAM roles in Google Cloud VMware Engine:

  1. Basic role: There are three roles that fall under this type – Owner, Editor, and Viewer. These roles are also known as “primitive roles” because they existed in Google Cloud prior to IAM. Basic roles are not recommended in production environments as they include thousands of permissions across various Google Cloud resources.
  2. Predefined role: There are hundreds of predefined roles that give granular access to certain Google Cloud resources. Predefined roles are created and maintained by Google, and they are designed to support common use cases. A Google Cloud service called Recommender generates role recommendations to help organizations quickly navigate between various predefined roles.
  3. Custom role: Organizations can choose to create custom roles to truly enforce the principle of least privilege since they can provide granular permissions with custom roles. However, some IAM permissions are not supported in custom roles so organizations should check the Google Cloud documentation on support level for permissions in custom roles before building custom roles.

Access to the Google Cloud VMware Engine portal is given by roles and these roles are applied to the Google Cloud VMware Engine resources at the project level. Therefore, different roles cannot be given per individual private cloud if a project contains multiple private clouds.

When creating an SDDC, Google provides 5 vSphere solution users. There are also pre-defined solution user roles for certain supported solutions, such as VMware Site Recovery Manager (SRM), VMware Aria Automation, Zerto, and Veeam. These solution user roles are given elevated privileges in vCenter required for solution installations. The elevated privileges are valid for up to 24 hours.


There are permissions specific to Google Cloud VMware Engine:

  • vmwareengine.googleapis.com/services.view – this permission provides read access to Google Cloud VMware Engine portal and resources.
  • vmwareengine.googleapis.com/services.use – this permission provides admin access to Google Cloud VMware Engine portal and resources.

There are also roles specific to Google Cloud VMware Engine:

  • VMware Engine Service Viewer – this role has read access to Google Cloud VMware Engine portal and resources.
  • VMware Engine Service Admin – this role has admin access to Google Cloud VMware Engine portal and resources.


Filter Tags