Configure roles

This document provides information on Identity and Access Management (IAM) roles and permissions for Route Optimization. IAM lets you grant granular access to specific Route Optimization resources and helps prevent access to other resources. IAM lets you apply the security principle of least privilege, which states that no one should have more permissions than they actually need.

When a principal (a user, group, or service account) calls a Google Cloud API, that principal must have the appropriate IAM permissions to use the resource. To give a principal the required permissions, you grant an IAM role to the principal.

To familiarize yourself with managing access in Google Cloud in general, see IAM overview.

The predefined IAM roles to allow principals to access Route Optimization are:

  • Route Optimization Editor (roles/routeoptimization.editor): grants the user or services account read and write access to Route Optimization resources in the project. This includes the ability to call OptimizeTours and BatchOptimizeTours, as well as to retrieve long running operations using GetOperation.
  • Route Optimization Viewer (roles/routeoptimization.viewer): grants read-only access to Route Optimization resources in the project. This role enables the ability to call OptimizeTours and access to Long Running Operations using GetOperation.
You can assign a role by creating binding for a principal using the Cloud SDK:
gcloud projects add-iam-policy-binding PROJECT \
  --member \
  --role roles/routeoptimization.editor

For more information, see Grant an IAM role by using the Google Cloud console.

What's next

After configuring roles, you must create an OAuth token:

Use OAuth