API resource reference for Role, part of the IAM service. To create or change one, see Changing resources; to inspect, see Reading resources.
This resource is part of the v1alpha1 API and is subject to change. Fields and behavior may change in future releases.

Identity

Group: iam.miloapis.com
Version: v1alpha1
Kind: Role
Scope: Project

Overview

A Role is a named collection of permissions that can be granted to users, groups, or machine accounts through an IAM policy. Each permission follows the {service}.{resource}.{action} format (for example, compute.workloads.create). Use a Role to bundle the permissions a person or system needs, then bind that Role in a policy to grant access within a Project. Roles can also inherit permissions from other roles, so you can compose broader roles from narrower ones.

Spec fields

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| spec.launchStage | string | Yes | The launch stage of the role. One of Early Access, Alpha, Beta, Stable, or Deprecated. |
| spec.includedPermissions | []string | No | The names of the permissions this role grants, each in {service}.{resource}.{action} format (e.g., compute.workloads.create). |
| spec.inheritedRoles | []Object | No | The list of roles from which this role inherits permissions. |
| spec.inheritedRoles[].name | string | Yes | Name of the referenced Role. |
| spec.inheritedRoles[].namespace | string | No | Namespace of the referenced Role. Defaults to the namespace of the resource containing this reference. |

Status fields (read-only)

| Field | Type | Description |
| --- | --- | --- |
| status.effectivePermissions | []string | The complete flattened list of all permissions granted by this role, including those from inheritedRoles and includedPermissions. Computed by the controller. |
| status.parent | string | The resource name of the parent the role was created under. |
| status.conditions | []Object | Conditions representing the current status of the role. |
| status.observedGeneration | integer | The most recent generation observed by the controller. |

Usage

apiVersion: iam.miloapis.com/v1alpha1
kind: Role
metadata:
  name: workload-editor
spec:
  launchStage: Alpha
  includedPermissions:
    - compute.workloads.create
    - compute.workloads.update
    - compute.workloads.get

datumctl apply -f role.yaml --project my-project
datumctl get roles.iam.miloapis.com --project my-project
datumctl describe roles.iam.miloapis.com workload-editor --project my-project

Run datumctl explain roles.iam.miloapis.com --recursive to see the full, live field tree for this resource.
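
To review what a role grants before binding it in a policy, the inheritance described in the Overview can be flattened offline and compared with status.effectivePermissions. The Python below is an added example, not the controller's code: it assumes the effective set is the union of includedPermissions and everything reachable through inheritedRoles, and the permission regex, the sample namespaces and every role name other than workload-editor are constructed for illustration.

```python
import re

# Assumed character set; the page specifies only the {service}.{resource}.{action} shape.
PERMISSION_RE = re.compile(r"[a-z][a-z0-9-]*(\.[a-z][a-z0-9-]*){2}")

def effective_permissions(roles, namespace, name, _path=()):
    """Flatten one role. roles maps (namespace, name) -> manifest dict.

    Returns (permissions, problems); problems lists malformed permission
    names, dangling references and inheritance cycles.
    """
    key = (namespace, name)
    if key in _path:
        chain = " -> ".join("/".join(k) for k in _path + (key,))
        return set(), [f"inheritance cycle: {chain}"]
    if key not in roles:
        return set(), [f"missing role: {namespace}/{name}"]
    spec = roles[key].get("spec", {})
    perms, problems = set(), []
    for perm in spec.get("includedPermissions") or []:
        if PERMISSION_RE.fullmatch(perm):
            perms.add(perm)
        else:
            problems.append(f"malformed permission in {namespace}/{name}: {perm!r}")
    for ref in spec.get("inheritedRoles") or []:
        # An omitted namespace defaults to that of the role holding the reference.
        ref_ns = ref.get("namespace") or namespace
        inherited, found = effective_permissions(roles, ref_ns, ref["name"], _path + (key,))
        perms |= inherited
        problems += found
    return perms, problems

def _role(ns, name, perms=(), inherits=()):
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"launchStage": "Alpha", "includedPermissions": list(perms),
                     "inheritedRoles": list(inherits)}}

# Constructed sample roles (hypothetical namespaces and names, see lead-in).
SAMPLE = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in [
    _role("team-a", "workload-viewer", ["compute.workloads.get"]),
    _role("team-a", "workload-editor",
          ["compute.workloads.create", "compute.workloads.update"],
          [{"name": "workload-viewer"}]),
    _role("team-a", "ops", ["compute.workloads"],
          [{"name": "workload-editor"}, {"name": "auditor", "namespace": "shared"}]),
    _role("team-a", "loop-a", inherits=[{"name": "loop-b"}]),
    _role("team-a", "loop-b", inherits=[{"name": "loop-a"}]),
]}

if __name__ == "__main__":
    for ns, name in sorted(SAMPLE):
        print(f"{ns}/{name}:", *effective_permissions(SAMPLE, ns, name))
```

A role whose flattened set is larger than its includedPermissions suggests is the case to look at before granting it, as is any role that reports a dangling reference or a cycle.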
Last modified on July 2, 2026