You can configure project level access to Earth Engine compute quota or Earth Engine assets associated with a Cloud Project. Google Cloud lets you set permissions to allow access for particular operations. Because multiple permissions are often needed together, they are bundled into convenient roles, such as 'viewer'. See the Google Cloud documentation to learn more about access management, permissions and roles.
This page describes the permissions and roles needed at the project level for some common configurations of projects with multiple users. Note that users who select a Cloud Project from the Code Editor must have sufficient permissions to do so. Removing those permissions at the project level could trigger an error for users who have previously selected that project from the Code Editor.
Predefined Earth Engine IAM Roles
Earth Engine provides predefined roles which allow varying degrees of control over Earth Engine resources within a project. These roles are:
Role | Title | Description |
---|---|---|
roles/earthengine.viewer | Earth Engine Resource Viewer | Provides permission to view and list assets and tasks. |
roles/earthengine.writer | Earth Engine Resource Writer | Provides permission to read, create, modify and delete assets, import images and tables, read and update tasks, perform interactive computations, and create long-running export tasks. |
roles/earthengine.admin | Earth Engine Admin | Provides permission for all Earth Engine resources, including changing access controls for Earth Engine assets. |
roles/earthengine.appsPublisher | Earth Engine Apps Publisher | Provides permission to create a service account for use with an Earth Engine app. Also grants permission to edit and delete project-owned apps under the Cloud Project. |
Note that you may set a primitive or custom role if the predefined Earth Engine roles do not meet your needs. You can see the bundle of permissions associated with each role from the IAM Roles page by filtering to a specific role and clicking on the role.
Full access to the Earth Engine API
To give users full access to the Earth Engine service, either through the REST API directly, through the Code Editor or through a client library, users will need permission to perform operations like:
- Executing Earth Engine expressions
- Running batch computations (exports)
- Getting interactive results (online maps, thumbnails, charts, etc.)
- Creating/deleting Earth Engine assets
- Using OAuth Authentication via a Client Library to connect to Earth Engine
Permissions needed:
- clientauthconfig.clients.listWithSecrets
- earthengine.assets.get
- earthengine.assets.getIamPolicy
- earthengine.assets.list
- earthengine.computations.create
- earthengine.operations.get
- earthengine.operations.list
- monitoring.timeSeries.list
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.operations.get
- serviceusage.operations.list
- serviceusage.quotas.get
- serviceusage.services.get
- serviceusage.services.list
- serviceusage.services.use
Suggested roles to grant to users on the project:
- Service Usage Consumer (roles/serviceusage.serviceUsageConsumer), AND one of:
  - Earth Engine Resource Viewer (roles/earthengine.viewer), OR
  - Earth Engine Resource Writer (roles/earthengine.writer), OR
  - Earth Engine Resource Admin (roles/earthengine.admin)
- OAuth Config Editor (roles/oauthconfig.editor) is additionally required for users who access Earth Engine through a notebook environment and use the Notebook Authenticator. See Colab or JupyterLab notebook authentication for more details.
Google Cloud requires the Service Usage Consumer role to use the project as the active project when calling APIs, and ee.Initialize(project=X) will fail without this permission on project X. Additionally, you can then select this project in the Cloud Console to display your use of resources.
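As an added example (not code from the Earth Engine documentation), the following script audits a project IAM policy offline against the combination described above: every member needs Service Usage Consumer plus one of the Earth Engine viewer/writer/admin roles, and members holding the basic Owner or Editor roles are flagged as broader than necessary. The policy dict follows the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json`; the sample policy and its member identities are constructed.

```python
# Added example (not from the Earth Engine docs): offline audit of a project
# IAM policy against the "full access" recipe above (Service Usage Consumer
# AND one of the Earth Engine viewer/writer/admin roles). The dict mirrors the
# JSON of `gcloud projects get-iam-policy PROJECT --format=json`; the sample
# policy and its members are constructed, not real.
SERVICE_USAGE = "roles/serviceusage.serviceUsageConsumer"
EE_ROLES = {"roles/earthengine.viewer", "roles/earthengine.writer",
            "roles/earthengine.admin"}
EE_ANY = "roles/earthengine.{viewer|writer|admin}"
# Basic roles that satisfy the recipe but grant far more than Earth Engine needs.
BROAD_ROLES = {"roles/owner", "roles/editor"}

def roles_by_member(policy):
    """Invert the bindings list into {member: set(roles)}."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out

def audit_full_access(policy):
    """Classify each member: 'ok', 'broad:<role>' (least-privilege finding)
    or 'missing:<role>[,<role>]' (ee.Initialize or asset access would fail)."""
    report = {}
    for member, roles in roles_by_member(policy).items():
        broad = sorted(roles & BROAD_ROLES)
        if broad:
            report[member] = "broad:" + broad[0]
            continue
        missing = []
        if SERVICE_USAGE not in roles:
            missing.append(SERVICE_USAGE)
        if not roles & EE_ROLES:
            missing.append(EE_ANY)
        report[member] = "ok" if not missing else "missing:" + ",".join(missing)
    return report

SAMPLE_POLICY = {  # constructed sample policy
    "bindings": [
        {"role": SERVICE_USAGE,
         "members": ["user:analyst@example.com",
                     "serviceAccount:pipeline@example.iam.gserviceaccount.com"]},
        {"role": "roles/earthengine.writer", "members": ["user:analyst@example.com"]},
        {"role": "roles/earthengine.viewer", "members": ["user:reader@example.com"]},
        {"role": "roles/editor", "members": ["group:gis-team@example.com"]},
    ],
}

for member, status in audit_full_access(SAMPLE_POLICY).items():
    print(f"{status:55} {member}")
```

Bindings with IAM conditions are treated like unconditional ones here; a production audit would need to evaluate the condition as well.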
Asset sharing only
Grant the user one of the predefined Earth Engine IAM roles with minimal permissions to perform the needed activity. Note that users will not be able to consume project resources without the necessary serviceusage permissions.
Project management
List and display available projects
This happens when using the Code Editor to browse available projects.
Permissions needed:
- resourcemanager.projects.get
- resourcemanager.folders.list
- resourcemanager.folders.get
- resourcemanager.organizations.get (uncommon)
Suggested roles:
- Viewer (roles/viewer) OR Earth Engine Resource Viewer (roles/earthengine.viewer) on relevant projects OR Browser (roles/browser, recommended for advanced organization cases)
- Folder Viewer (roles/resourcemanager.folderViewer) on relevant folders
Select a project for use in the Code Editor
Permissions needed:
- resourcemanager.projects.get
- serviceusage.services.get
If project has not previously been set up
On first selecting a project through the Code Editor, the project is initialized for use with Earth Engine. If this hasn't been done before, you will also need these permissions for setup to succeed:
- resourcemanager.projects.update AND
- serviceusage.services.enable
Suggested roles:
- Viewer (roles/viewer) OR
- Earth Engine Resource Viewer (roles/earthengine.viewer) AND Service Usage Consumer (roles/serviceusage.serviceUsageConsumer)
Additional roles (if project has not previously been set up):
- Editor (roles/editor) OR
- Project Mover (roles/resourcemanager.projectMover) AND Project IAM Admin (roles/resourcemanager.projectIamAdmin) AND Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
Create project through the Code Editor
Permissions needed:
- resourcemanager.projects.get
- resourcemanager.projects.create
- resourcemanager.projects.update
- serviceusage.services.get
- serviceusage.services.enable
Suggested roles:
- Editor (roles/editor) OR
- Project Mover (roles/resourcemanager.projectMover) AND Project Creator (roles/resourcemanager.projectCreator) AND Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
Your organization may not grant you the Editor role, so the finer-grained roles may be needed. Project Mover is needed to cover the projects.update permission.
Commercial Project Registration
The following permissions pertain to registering projects for paid use.
Permissions needed on the billing account:
If the billing account already has an Earth Engine plan, then no billing account permissions are needed. Otherwise:
- billing.accounts.get (for creating a new Limited plan)
- billing.subscriptions.create (for creating a new Basic or Professional plan)
Permissions needed on the Cloud project:
- earthengine.computations.create
- earthengine.config.update
- serviceusage.services.get
- serviceusage.services.enable
Suggested predefined roles on the billing account:
If the billing account already has an Earth Engine plan, then no billing account roles are needed. Otherwise:
- Billing Account User (roles/billing.user), for creating a new Limited plan
- Billing Account Administrator (roles/billing.admin), for creating a new Basic or Professional plan
Suggested predefined roles on the Cloud project:
- Earth Engine Resource Writer (roles/earthengine.writer)
- Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
Commercial Earth Engine plan management
The following permissions pertain to managing Earth Engine pricing plans.
Permissions needed on the billing account:
- billing.subscriptions.create (to change an Earth Engine plan)
- billing.subscriptions.list (to view the current Earth Engine plan)
Suggested predefined roles on the billing account:
- Billing Account Viewer (roles/billing.viewer), to view the current Earth Engine plan
- Billing Account Administrator (roles/billing.admin), to change an Earth Engine plan
Batch task management
The following permissions pertain to configuring per-project limits on batch task concurrency. This feature is only available for commercial users of Earth Engine.
Viewing project-level batch task limits
Permissions needed on the Cloud project:
- earthengine.config.get
Setting project-level batch task limits
This permission also encompasses viewing the plan-level limits that are configured on the billing account.
Permissions needed on the Cloud project:
- earthengine.config.update
Permissions needed on the billing account:
- billing.subscriptions.list
Apps management
Display app info
Permissions needed:
- iam.serviceAccounts.get
- iam.serviceAccounts.getIamPolicy, if app is restricted (less common)
Suggested roles:
- Viewer (roles/viewer) OR
- Earth Engine Apps Publisher (roles/earthengine.appsPublisher)
Publish/Update app
Permissions needed:
- iam.serviceAccounts.get
- iam.serviceAccounts.create
- iam.serviceAccounts.enable
- iam.serviceAccounts.getIamPolicy
- iam.serviceAccounts.setIamPolicy
- iam.serviceAccounts.disable, if app is moved from one project to another (uncommon)
Suggested roles:
- Earth Engine Apps Publisher (roles/earthengine.appsPublisher) OR
- Service Account Admin (roles/iam.serviceAccountAdmin)
In addition, Earth Engine App service accounts identify themselves to the Earth Engine servers by presenting an OAuth access token. Therefore, certain identities are added during app creation as Service Account Token Creator (roles/iam.serviceAccountTokenCreator) on the service accounts. In the case of a public Earth Engine App, the identity granted that role is earth-engine-public-apps@appspot.gserviceaccount.com, and in the case of restricted apps the identity is the Access Restriction Google Group configured by the app creator.
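As an added example (not code from the Earth Engine documentation), the following check reads an app service account's IAM policy offline and lists every holder of Service Account Token Creator other than the identity the paragraph above says app creation grants: the public-apps identity for a public app, or the Access Restriction group for a restricted app. The policy dict follows the JSON shape of `gcloud iam service-accounts get-iam-policy SA --format=json`; the `serviceAccount:` member spelling of the public-apps identity, the sample policies and the group address are assumptions.

```python
# Added example (not from the Earth Engine docs): offline check of an App
# service account's IAM policy. Per the text above, app creation grants Service
# Account Token Creator to the public-apps identity (public app) or to the
# Access Restriction Google Group (restricted app); any other holder of that
# role can mint tokens for the app and should be reviewed. The dict mirrors the
# JSON of `gcloud iam service-accounts get-iam-policy SA --format=json`;
# the sample policies and the group address are constructed.
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
# Assumed member spelling of the public-apps identity named on the page.
PUBLIC_APPS = "serviceAccount:earth-engine-public-apps@appspot.gserviceaccount.com"

def token_creators(sa_policy):
    """All members bound to Token Creator on the service account."""
    members = set()
    for binding in sa_policy.get("bindings", []):
        if binding.get("role") == TOKEN_CREATOR:
            members.update(binding.get("members", []))
    return members

def unexpected_token_creators(sa_policy, access_group=None):
    """Members holding Token Creator other than the one expected for this app.
    access_group: the restricted app's Google Group e-mail; None for a public app."""
    expected = PUBLIC_APPS if access_group is None else "group:" + access_group
    return sorted(token_creators(sa_policy) - {expected})

PUBLIC_APP_POLICY = {  # constructed: public app with one stray grant
    "bindings": [{"role": TOKEN_CREATOR,
                  "members": [PUBLIC_APPS, "user:contractor@example.com"]}],
}
RESTRICTED_APP_POLICY = {  # constructed: restricted app, as created
    "bindings": [{"role": TOKEN_CREATOR,
                  "members": ["group:ee-app-users@example.com"]}],
}

print(unexpected_token_creators(PUBLIC_APP_POLICY))  # ['user:contractor@example.com']
print(unexpected_token_creators(RESTRICTED_APP_POLICY, "ee-app-users@example.com"))  # []
```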
Delete an app
Permissions needed:
- iam.serviceAccounts.disable
Suggested roles:
- Earth Engine Apps Publisher (roles/earthengine.appsPublisher) OR
- Service Account Admin (roles/iam.serviceAccountAdmin)