# GCP IAM Permissions

## Setting IAM permissions

The `services` list specifies which Google Cloud APIs are accessible in the sandbox. See [Google Cloud APIs](https://developers.google.com/apis-explorer) for more information. The `roles` list specifies which Google Cloud IAM roles are granted to the project's service account and user account. For a full list of all the Google Cloud IAM roles, see [Understanding Roles](https://cloud.google.com/iam/docs/understanding-roles#predefined).

{% hint style="warning" %}
Only enable a service if it is required for your track to function. You can test this by removing the service and checking whether the track still works.
{% endhint %}

### Examples

#### Add virtual machines (outside of the standard sandbox virtual machines)

You should add `compute.googleapis.com` to the `services` list and `roles/compute.admin` to the `roles` list if your track requires virtual machines outside of the standard sandbox virtual machines.

#### Add a Google Kubernetes Engine (GKE) cluster

If your track needs a GKE cluster, you will also want to add the Kubernetes Engine API `container.googleapis.com` to the `services` list and `roles/container.admin` to the `roles` list.

To set these services and roles:

{% tabs %}
{% tab title="🌐 Web UI" %}
To add virtual machines to your GCP project, enter the following in the **Services** field:

```
compute.googleapis.com
```

And click **Add**.

Then enter the following in the **Roles** field:

```
roles/compute.admin
```

And click **Add**.

To add a GKE cluster to your GCP project, enter the following in the **Assigned Roles** field:

```
container.googleapis.com
```

And click **Add**.

Then enter the following in the **Roles** field:

```
roles/container.admin
```

And click **Add**.
{% endtab %}
{% endtabs %}
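The warning above asks you to enable only what the track needs. The following check is an added example, not part of the original documentation or any product tooling: it lints a `services` list against a `roles` list before you enter them. The `lint` function, the `ROLE_API` table (limited to the two pairs shown on this page) and the sample lists are assumptions made for illustration.

```python
# Added example: review a sandbox project's `services` and `roles` lists
# for unused APIs and overly broad grants before entering them.

# Basic roles grant access across every enabled service in the project.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Role namespace -> API it depends on. Only the two pairs from this page;
# extend the table by hand for other services (assumption, not a full map).
ROLE_API = {
    "compute": "compute.googleapis.com",
    "container": "container.googleapis.com",
}


def lint(services, roles):
    """Return a list of human-readable findings; empty means nothing to review."""
    findings = []
    enabled = set(services)
    used = set()
    for role in roles:
        if role in BASIC_ROLES:
            findings.append(f"{role}: basic role, use a predefined role instead")
            continue
        # "roles/compute.admin" -> "compute"
        namespace = role.split("/", 1)[-1].split(".", 1)[0]
        api = ROLE_API.get(namespace)
        if api is None:
            findings.append(f"{role}: no known API mapping, review by hand")
        elif api not in enabled:
            findings.append(f"{role}: granted but {api} is not in services")
        else:
            used.add(api)
    for api in sorted(enabled - used):
        findings.append(f"{api}: enabled but no listed role uses it, confirm the track needs it")
    return findings


if __name__ == "__main__":
    # Constructed sample input: GKE API enabled without a matching role,
    # plus a basic role that is broader than the track requires.
    sample_services = ["compute.googleapis.com", "container.googleapis.com"]
    sample_roles = ["roles/compute.admin", "roles/editor"]
    for finding in lint(sample_services, sample_roles):
        print(finding)
```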
