Roles and Permissions

You can configure project-level access to Earth Engine assets stored under a Cloud Project or to Earth Engine compute quota. Google Cloud lets you set up permissions to allow access for particular operations. Because multiple permissions are often needed together, they are bundled into convenient roles, such as 'viewer'. See the Google Cloud documentation to learn more about access management, permissions and roles. There are Earth Engine roles that bundle permissions for common Earth Engine use cases. Learn more about Earth Engine roles on the Access Control page.

This page describes the permissions and roles needed at the project level for some common configurations of projects with multiple users. Note that users who select a Cloud Project from the Code Editor must have sufficient permissions to do so. Removing those permissions at the project level could trigger an error for users who have selected the project from the Code Editor.

Interacting with the Earth Engine API

This section covers giving users access to the Earth Engine REST API directly, through the Code Editor or through a client library, including operations like:

  • Executing Earth Engine expressions
  • Running batch computations (exports)
  • Getting interactive results (online maps, thumbnails, charts, etc.)
  • Creating/deleting Earth Engine assets

Suggested roles to grant to users on the project:

  • Service Usage Consumer (roles/serviceusage.serviceUsageConsumer) AND one of
    • Earth Engine Resource Viewer (roles/earthengine.viewer) OR
    • Earth Engine Resource Writer (roles/earthengine.writer) OR
    • Earth Engine Resource Admin (roles/earthengine.admin)

Google Cloud requires the Service Usage role to display your use of resources in the Cloud Console.

Project management

List and display available projects

This happens when using the Code Editor to browse available projects.

Permissions needed:

  • resourcemanager.projects.get
  • resourcemanager.folders.list
  • resourcemanager.folders.get
  • resourcemanager.organizations.get (uncommon)

Suggested roles:

  • Viewer (roles/viewer) OR Earth Engine Resource Viewer (roles/earthengine.viewer) on relevant projects OR Browser (roles/browser, recommended for advanced organization cases)
  • Folder Viewer (roles/resourcemanager.folderViewer) on relevant folders

Select a project for use in the Code Editor

Permissions needed:

  • resourcemanager.projects.get
  • serviceusage.services.get

If project has not previously been set up

On first selecting a project through the Code Editor, the project is initialized for use with Earth Engine. If this hasn't been done before, you will also need these permissions for setup to succeed:

  • resourcemanager.projects.update AND
  • serviceusage.services.enable

Suggested roles:

  • Viewer (roles/viewer) OR
  • Earth Engine Resource Viewer (roles/earthengine.viewer) AND Service Usage Consumer (roles/serviceusage.serviceUsageConsumer)

Additional roles (if project has not previously been set up):

  • Editor (roles/editor) OR
  • Project Mover (roles/resourcemanager.projectMover) AND Project IAM Admin (roles/resourcemanager.projectIamAdmin) AND Service Usage Admin (roles/serviceusage.serviceUsageAdmin)

Create project through the Code Editor

Permissions needed:

  • resourcemanager.projects.get
  • resourcemanager.projects.create
  • resourcemanager.projects.update
  • serviceusage.services.get
  • serviceusage.services.enable

Suggested roles:

  • Editor (roles/editor) OR
  • Project Mover (roles/resourcemanager.projectMover) AND Project Creator (roles/resourcemanager.projectCreator) AND Service Usage Admin (roles/serviceusage.serviceUsageAdmin)

Your organization may not grant you the Editor role, so the finer-grained roles may be needed. Project Mover is needed to cover the projects.update permission.
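The AND/OR role combinations above can be checked mechanically against a project's IAM policy. The following is an added example, not Earth Engine or Google Cloud code: it covers three of the tasks on this page, compares role names only, and sees only direct, unconditional bindings in the project policy (roles inherited from folders, the organization or group membership are not resolved). The task keys and the sample members are made up for the illustration.

```python
import json

# Suggested role combinations from this page: each task maps to alternatives (OR),
# and every role inside one alternative must be held together (AND).
SUC = "roles/serviceusage.serviceUsageConsumer"
TASKS = {
    "use_api": [
        {SUC, "roles/earthengine.viewer"},
        {SUC, "roles/earthengine.writer"},
        {SUC, "roles/earthengine.admin"},
    ],
    "select_project": [{"roles/viewer"}, {"roles/earthengine.viewer", SUC}],
    "create_project": [
        {"roles/editor"},
        {"roles/resourcemanager.projectMover",
         "roles/resourcemanager.projectCreator",
         "roles/serviceusage.serviceUsageAdmin"},
    ],
}

def roles_of(policy, member):
    """Roles bound directly and unconditionally to member in a project policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", []) and "condition" not in b}

def gaps(policy, member, task):
    """For each alternative of the task, the roles the member still lacks."""
    held = roles_of(policy, member)
    return [sorted(alt - held) for alt in TASKS[task]]

def satisfied(policy, member, task):
    """True if at least one alternative is fully covered."""
    return any(not g for g in gaps(policy, member, task))

# Constructed sample, shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE = json.loads("""{"bindings": [
  {"role": "roles/earthengine.writer", "members": ["user:ana@example.com"]},
  {"role": "roles/serviceusage.serviceUsageConsumer",
   "members": ["user:ana@example.com", "user:bo@example.com"]},
  {"role": "roles/resourcemanager.projectMover", "members": ["user:bo@example.com"]}
]}""")

if __name__ == "__main__":
    for who in ("user:ana@example.com", "user:bo@example.com"):
        for task in TASKS:
            print(who, task, "ok" if satisfied(SAMPLE, who, task) else gaps(SAMPLE, who, task))
```

Listing the gap per alternative lets a reviewer pick the finer-grained combination instead of defaulting to Editor.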

Apps management

Display app info

Permissions needed:

  • iam.serviceAccounts.get
  • iam.serviceAccounts.getIamPolicy, if app is restricted (less common)

Suggested roles:

  • Viewer (roles/viewer) OR
  • Earth Engine Apps Publisher (roles/earthengine.appsPublisher)

Publish/Update app

Permissions needed:

  • iam.serviceAccounts.get
  • iam.serviceAccounts.create
  • iam.serviceAccounts.enable
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.setIamPolicy
  • iam.serviceAccounts.disable, if app is moved from one project to another (uncommon)

Suggested roles:

  • Earth Engine Apps Publisher (roles/earthengine.appsPublisher) OR
  • Service Account Admin (roles/iam.serviceAccountAdmin)

In addition, Earth Engine App service accounts identify themselves to the Earth Engine servers by presenting an OAuth access token. Therefore, certain identities are added during app creation as Service Account Token Creator (roles/iam.serviceAccountTokenCreator) on the service accounts.

In the case of a public Earth Engine App, the identity granted that role is earth-engine-public-apps@appspot.gserviceaccount.com and in the case of restricted apps the identity is the Access Restriction Google Group configured by the app creator.
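Because Service Account Token Creator lets its holder mint access tokens for the service account, the members holding it on an app service account are worth auditing against the identities named above. This is an added example, not code from Earth Engine: it assumes the policy JSON comes from `gcloud iam service-accounts get-iam-policy`, that the public-apps identity carries the `serviceAccount:` member prefix, and the group and user names are constructed.

```python
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
# Assumption: the public-apps identity appears in policies with the
# "serviceAccount:" member prefix.
PUBLIC_APPS = "serviceAccount:earth-engine-public-apps@appspot.gserviceaccount.com"

def audit_token_creators(policy, restricted_group=None):
    """Compare Token Creator members on one app service account with the
    identity this page says is added at app creation.

    restricted_group: member string such as "group:viewers@example.com" for a
    restricted app; None for a public app.
    Returns {"unexpected": [...], "missing": [...]}.
    """
    expected = {restricted_group or PUBLIC_APPS}
    actual = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == TOKEN_CREATOR:
            actual.update(binding.get("members", []))
    return {"unexpected": sorted(actual - expected),
            "missing": sorted(expected - actual)}

# Constructed sample service-account policies.
PUBLIC_OK = {"bindings": [{"role": TOKEN_CREATOR, "members": [PUBLIC_APPS]}]}
RESTRICTED_DRIFT = {"bindings": [
    {"role": TOKEN_CREATOR,
     "members": ["group:ee-app-viewers@example.com", "user:contractor@example.com"]},
    {"role": "roles/iam.serviceAccountUser", "members": ["user:dev@example.com"]},
]}

if __name__ == "__main__":
    print(audit_token_creators(PUBLIC_OK))
    print(audit_token_creators(RESTRICTED_DRIFT, "group:ee-app-viewers@example.com"))
    print(audit_token_creators(RESTRICTED_DRIFT))
```

An entry under "unexpected" is an identity that can obtain tokens as the app's service account without being part of the app's configured access; an entry under "missing" means the app's expected identity no longer holds the role.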

Delete an app

Permissions needed:

  • iam.serviceAccounts.disable

Suggested roles:

  • Earth Engine Apps Publisher (roles/earthengine.appsPublisher) OR
  • Service Account Admin (roles/iam.serviceAccountAdmin)