Ona Docs

CreateRoleAssignment

POST /gitpod.v1.GroupService/CreateRoleAssignment

Creates a role assignment for a group on a resource.

Use this method to:

  • Assign specific roles to groups on runners, projects, or environments
  • Grant group-based access to resources

Examples

  • Assign admin role on a runner:

    Grants the group admin access to a runner.

    groupId: "d2c94c27-3b76-4a42-b88c-95a85e392c68"
    resourceType: RESOURCE_TYPE_RUNNER
    resourceId: "f53d2330-3795-4c5d-a1f3-453121af9c60"
    resourceRole: RESOURCE_ROLE_RUNNER_ADMIN
  • Assign user role on a project:

    Grants the group user access to a project.

    groupId: "d2c94c27-3b76-4a42-b88c-95a85e392c68"
    resourceType: RESOURCE_TYPE_PROJECT
    resourceId: "a1b2c3d4-5678-90ab-cdef-1234567890ab"
    resourceRole: RESOURCE_ROLE_PROJECT_USER

Authorization

Requires admin role on the specific resource.
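Every body field below is optional in the schema and `RESOURCE_ROLE_UNSPECIFIED` is a valid enum member, so a caller-side check is what catches an incomplete or mismatched grant before it is sent. The following is an added example, not code from the Ona documentation: `build_request` and the `ALLOWED` pairing are hypothetical names, and the pairing itself is a local least-privilege policy (an assumption), not a rule this page says the API enforces.

```python
import json
import uuid

# Local allowlist (assumption): roles this tooling may grant per resource type.
# The names come from the enums on this page; the pairing is our own policy.
ALLOWED = {
    "RESOURCE_TYPE_RUNNER": {
        "RESOURCE_ROLE_RUNNER_ADMIN", "RESOURCE_ROLE_RUNNER_USER"},
    "RESOURCE_TYPE_PROJECT": {
        "RESOURCE_ROLE_PROJECT_ADMIN", "RESOURCE_ROLE_PROJECT_EDITOR",
        "RESOURCE_ROLE_PROJECT_USER"},
    "RESOURCE_TYPE_ENVIRONMENT": {
        "RESOURCE_ROLE_ENVIRONMENT_ADMIN", "RESOURCE_ROLE_ENVIRONMENT_USER",
        "RESOURCE_ROLE_ENVIRONMENT_VIEWER"},
}


def _canonical_uuid(name, value):
    """Parse value as a UUID and return it in canonical lowercase form."""
    try:
        return str(uuid.UUID(value))
    except (ValueError, TypeError, AttributeError):
        raise ValueError(f"{name} is not a UUID: {value!r}")


def build_request(group_id, resource_type, resource_id, resource_role):
    """Return the JSON body for CreateRoleAssignment, or raise ValueError."""
    # Unknown and *_UNSPECIFIED values are rejected because they are not listed.
    if resource_type not in ALLOWED:
        raise ValueError(f"resource type not allowed: {resource_type!r}")
    if resource_role not in ALLOWED[resource_type]:
        raise ValueError(f"{resource_role!r} is not grantable on {resource_type}")
    body = {
        "groupId": _canonical_uuid("groupId", group_id),
        "resourceType": resource_type,
        "resourceId": _canonical_uuid("resourceId", resource_id),
        "resourceRole": resource_role,
    }
    return json.dumps(body, sort_keys=True)


if __name__ == "__main__":
    # IDs are the sample values from the runner example on this page.
    print(build_request("d2c94c27-3b76-4a42-b88c-95a85e392c68",
                        "RESOURCE_TYPE_RUNNER",
                        "f53d2330-3795-4c5d-a1f3-453121af9c60",
                        "RESOURCE_ROLE_RUNNER_ADMIN"))
```

The returned string is what would be passed to `-d` in the curl call.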

Body Parameters
groupId: optional string
format: uuid
resourceId: optional string
format: uuid
resourceRole: optional ResourceRole

ResourceRole represents roles that can be assigned to groups on resources. These map directly to the roles defined in backend/db/rule/rbac/role/role.go.

One of the following:
"RESOURCE_ROLE_UNSPECIFIED"
"RESOURCE_ROLE_ORG_ADMIN"
"RESOURCE_ROLE_ORG_MEMBER"
"RESOURCE_ROLE_ORG_RUNNERS_ADMIN"
"RESOURCE_ROLE_ORG_PROJECTS_ADMIN"
"RESOURCE_ROLE_ORG_AUTOMATIONS_ADMIN"
"RESOURCE_ROLE_ORG_GROUPS_ADMIN"
"RESOURCE_ROLE_ORG_AUDIT_LOG_READER"
"RESOURCE_ROLE_GROUP_ADMIN"
"RESOURCE_ROLE_GROUP_VIEWER"
"RESOURCE_ROLE_USER_IDENTITY"
"RESOURCE_ROLE_USER_VIEWER"
"RESOURCE_ROLE_USER_ADMIN"
"RESOURCE_ROLE_ENVIRONMENT_IDENTITY"
"RESOURCE_ROLE_ENVIRONMENT_ADMIN"
"RESOURCE_ROLE_ENVIRONMENT_USER"
"RESOURCE_ROLE_ENVIRONMENT_VIEWER"
"RESOURCE_ROLE_ENVIRONMENT_RUNNER"
"RESOURCE_ROLE_RUNNER_IDENTITY"
"RESOURCE_ROLE_RUNNER_ADMIN"
"RESOURCE_ROLE_RUNNER_LOCAL_ADMIN"
"RESOURCE_ROLE_RUNNER_MANAGED_ADMIN"
"RESOURCE_ROLE_RUNNER_USER"
"RESOURCE_ROLE_RUNNER_CONFIGURATION_READER"
"RESOURCE_ROLE_HOST_AUTHENTICATION_TOKEN_ADMIN"
"RESOURCE_ROLE_HOST_AUTHENTICATION_TOKEN_UPDATER"
"RESOURCE_ROLE_PROJECT_ADMIN"
"RESOURCE_ROLE_PROJECT_USER"
"RESOURCE_ROLE_PROJECT_EDITOR"
"RESOURCE_ROLE_ENVIRONMENT_SERVICE_ADMIN"
"RESOURCE_ROLE_ENVIRONMENT_SERVICE_VIEWER"
"RESOURCE_ROLE_ENVIRONMENT_SERVICE_USER"
"RESOURCE_ROLE_ENVIRONMENT_SERVICE_ENV"
"RESOURCE_ROLE_ENVIRONMENT_TASK_ADMIN"
"RESOURCE_ROLE_ENVIRONMENT_TASK_VIEWER"
"RESOURCE_ROLE_ENVIRONMENT_TASK_USER"
"RESOURCE_ROLE_ENVIRONMENT_TASK_ENV"
"RESOURCE_ROLE_SERVICE_ACCOUNT_IDENTITY"
"RESOURCE_ROLE_SERVICE_ACCOUNT_ADMIN"
"RESOURCE_ROLE_AGENT_EXECUTION_USER"
"RESOURCE_ROLE_AGENT_EXECUTION_ADMIN"
"RESOURCE_ROLE_AGENT_EXECUTION_RUNNER"
"RESOURCE_ROLE_AGENT_EXECUTION_OUTPUTS_REPORTER"
"RESOURCE_ROLE_AGENT_EXECUTION_VIEWER"
"RESOURCE_ROLE_AGENT_ADMIN"
"RESOURCE_ROLE_AGENT_VIEWER"
"RESOURCE_ROLE_AGENT_EXECUTOR"
"RESOURCE_ROLE_WORKFLOW_ADMIN"
"RESOURCE_ROLE_WORKFLOW_USER"
"RESOURCE_ROLE_WORKFLOW_VIEWER"
"RESOURCE_ROLE_WORKFLOW_EXECUTOR"
"RESOURCE_ROLE_SNAPSHOT_ADMIN"
"RESOURCE_ROLE_SNAPSHOT_RUNNER"
"RESOURCE_ROLE_WEBHOOK_ADMIN"
"RESOURCE_ROLE_WEBHOOK_VIEWER"
"RESOURCE_ROLE_WARMPOOL_RUNNER"
"RESOURCE_ROLE_WARMPOOL_ADMIN"
"RESOURCE_ROLE_WARMPOOL_VIEWER"
"RESOURCE_ROLE_SESSION_ADMIN"
"RESOURCE_ROLE_SESSION_USER"
"RESOURCE_ROLE_TEAM_ADMIN"
"RESOURCE_ROLE_TEAM_VIEWER"
resourceType: optional ResourceType
One of the following:
"RESOURCE_TYPE_UNSPECIFIED"
"RESOURCE_TYPE_ENVIRONMENT"
"RESOURCE_TYPE_RUNNER"
"RESOURCE_TYPE_PROJECT"
"RESOURCE_TYPE_TASK"
"RESOURCE_TYPE_TASK_EXECUTION"
"RESOURCE_TYPE_SERVICE"
"RESOURCE_TYPE_ORGANIZATION"
"RESOURCE_TYPE_USER"
"RESOURCE_TYPE_ENVIRONMENT_CLASS"
"RESOURCE_TYPE_RUNNER_SCM_INTEGRATION"
"RESOURCE_TYPE_HOST_AUTHENTICATION_TOKEN"
"RESOURCE_TYPE_GROUP"
"RESOURCE_TYPE_PERSONAL_ACCESS_TOKEN"
"RESOURCE_TYPE_USER_PREFERENCE"
"RESOURCE_TYPE_SERVICE_ACCOUNT"
"RESOURCE_TYPE_SECRET"
"RESOURCE_TYPE_SSO_CONFIG"
"RESOURCE_TYPE_DOMAIN_VERIFICATION"
"RESOURCE_TYPE_AGENT_EXECUTION"
"RESOURCE_TYPE_RUNNER_LLM_INTEGRATION"
"RESOURCE_TYPE_AGENT"
"RESOURCE_TYPE_ENVIRONMENT_SESSION"
"RESOURCE_TYPE_USER_SECRET"
"RESOURCE_TYPE_ORGANIZATION_POLICY"
"RESOURCE_TYPE_ORGANIZATION_SECRET"
"RESOURCE_TYPE_PROJECT_ENVIRONMENT_CLASS"
"RESOURCE_TYPE_BILLING"
"RESOURCE_TYPE_PROMPT"
"RESOURCE_TYPE_COUPON"
"RESOURCE_TYPE_COUPON_REDEMPTION"
"RESOURCE_TYPE_ACCOUNT"
"RESOURCE_TYPE_INTEGRATION"
"RESOURCE_TYPE_WORKFLOW"
"RESOURCE_TYPE_WORKFLOW_EXECUTION"
"RESOURCE_TYPE_WORKFLOW_EXECUTION_ACTION"
"RESOURCE_TYPE_SNAPSHOT"
"RESOURCE_TYPE_PREBUILD"
"RESOURCE_TYPE_ORGANIZATION_LLM_INTEGRATION"
"RESOURCE_TYPE_CUSTOM_DOMAIN"
"RESOURCE_TYPE_ROLE_ASSIGNMENT_CHANGED"
"RESOURCE_TYPE_GROUP_MEMBERSHIP_CHANGED"
"RESOURCE_TYPE_WEBHOOK"
"RESOURCE_TYPE_SCIM_CONFIGURATION"
"RESOURCE_TYPE_SERVICE_ACCOUNT_SECRET"
"RESOURCE_TYPE_ANNOUNCEMENT_BANNER"
"RESOURCE_TYPE_SERVICE_ACCOUNT_TOKEN"
"RESOURCE_TYPE_ROLE_ASSIGNMENT"
"RESOURCE_TYPE_WARM_POOL"
"RESOURCE_TYPE_NOTIFICATION"
Returns
assignment: optional RoleAssignment

RoleAssignment represents a role assigned to a group on a specific resource

id: optional string

Unique identifier for the role assignment

format: uuid
derivedFromOrgRole: optional ResourceRole

The org-level role that created this assignment, if any. RESOURCE_ROLE_UNSPECIFIED means this is a direct share (manually created). Non-zero (e.g., ORG_PROJECTS_ADMIN, ORG_RUNNERS_ADMIN) means this assignment was derived from an org-level role.

groupId: optional string

Group identifier

format: uuid
organizationId: optional string

Organization identifier

format: uuid
resourceId: optional string

Resource identifier

format: uuid
resourceRole: optional ResourceRole

Role assigned to the group on this resource

resourceType: optional ResourceType

Type of resource (runner, project, environment, etc.)


CreateRoleAssignment

curl https://app.gitpod.io/api/gitpod.v1.GroupService/CreateRoleAssignment \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $GITPOD_API_KEY" \
    -d '{}'
Returns Examples
{
  "assignment": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "derivedFromOrgRole": "RESOURCE_ROLE_UNSPECIFIED",
    "groupId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "organizationId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "resourceId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "resourceRole": "RESOURCE_ROLE_UNSPECIFIED",
    "resourceType": "RESOURCE_TYPE_UNSPECIFIED"
  }
}
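For access reviews, `derivedFromOrgRole` separates manually created grants (direct shares) from assignments derived from an org-level role. The following is an added example, not code from the Ona documentation: it scans `CreateRoleAssignment` responses and lists direct admin grants. The function names are hypothetical, the sample responses are constructed from the IDs used on this page, and treating a missing `derivedFromOrgRole` as `RESOURCE_ROLE_UNSPECIFIED` is a defensive assumption based on proto3 JSON serializers being allowed to omit default values.

```python
import json

UNSPECIFIED = "RESOURCE_ROLE_UNSPECIFIED"


def is_direct_share(assignment):
    """True when the assignment was created manually, not derived from an org role."""
    # A missing or empty field is handled like UNSPECIFIED (assumption, see lead-in).
    return assignment.get("derivedFromOrgRole") in (None, "", UNSPECIFIED)


def direct_admin_grants(responses):
    """Return (groupId, resourceType, resourceId, role) for manual *_ADMIN grants."""
    findings = []
    for raw in responses:
        a = json.loads(raw).get("assignment") or {}
        role = a.get("resourceRole") or UNSPECIFIED
        if is_direct_share(a) and role.endswith("_ADMIN"):
            findings.append(
                (a.get("groupId"), a.get("resourceType"), a.get("resourceId"), role))
    return findings


# Constructed sample responses (not real API output).
GROUP = "d2c94c27-3b76-4a42-b88c-95a85e392c68"
RUNNER = "f53d2330-3795-4c5d-a1f3-453121af9c60"
PROJECT = "a1b2c3d4-5678-90ab-cdef-1234567890ab"
SAMPLE = [
    # Direct share, field present and UNSPECIFIED: flagged.
    json.dumps({"assignment": {
        "groupId": GROUP, "resourceType": "RESOURCE_TYPE_RUNNER",
        "resourceId": RUNNER, "resourceRole": "RESOURCE_ROLE_RUNNER_ADMIN",
        "derivedFromOrgRole": UNSPECIFIED}}),
    # Derived from an org-level role: not a manual grant, skipped.
    json.dumps({"assignment": {
        "groupId": GROUP, "resourceType": "RESOURCE_TYPE_PROJECT",
        "resourceId": PROJECT, "resourceRole": "RESOURCE_ROLE_PROJECT_ADMIN",
        "derivedFromOrgRole": "RESOURCE_ROLE_ORG_PROJECTS_ADMIN"}}),
    # Direct share but non-admin role: skipped.
    json.dumps({"assignment": {
        "groupId": GROUP, "resourceType": "RESOURCE_TYPE_PROJECT",
        "resourceId": PROJECT, "resourceRole": "RESOURCE_ROLE_PROJECT_USER"}}),
    # Direct share with derivedFromOrgRole omitted entirely: flagged.
    json.dumps({"assignment": {
        "groupId": GROUP, "resourceType": "RESOURCE_TYPE_PROJECT",
        "resourceId": PROJECT, "resourceRole": "RESOURCE_ROLE_PROJECT_ADMIN"}}),
]

if __name__ == "__main__":
    for finding in direct_admin_grants(SAMPLE):
        print(finding)
```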