# Built-in Roles and Capabilities Reference

URL: https://edu.chainguard.dev/chainguard/administration/iam-organizations/roles-role-bindings/capabilities-reference.md
Last Modified: April 13, 2026
Tags: IAM, Reference, Product

A resource documenting the capabilities and permissions of Chainguard's built-in IAM roles.

Chainguard provides customers with a set of built-in roles as part of its Identity and Access Management (IAM) system. These roles have different permissions and capabilities that allow them to serve specialized purposes, from general administrative access to access for specific resources like registries, APK packages, and programming language libraries.
This reference provides an overview of all Chainguard IAM capabilities and shows which built-in roles include each capability. Each capability represents a specific permission or action that can be performed within the Chainguard platform.
For more information on roles and role-bindings within Chainguard's IAM model, please refer to our Overview of Roles and Role-bindings.
## Built-in Roles Summary

This guide outlines the built-in Chainguard IAM roles available to most customer organizations. You can find more info about specific roles in your organization with the following chainctl command:

```sh
chainctl iam roles list
```

Every role has at least one of four capabilities (create, list, update, delete) in relation to at least one Chainguard resource. For example, the owner role can create, delete, list, and update custom roles within Chainguard, while the viewer role can only list them.

This guide outlines the following built-in roles provided by Chainguard:

**Administrative Roles:**

- owner - Full administrative access with all capabilities
- editor - Limited administrative access with mostly read permissions and event management
- viewer - Read-only access across all resources and can pull images
- limited_owner - Read access across all resources with the ability to create identities and role bindings, and pull images
- console_viewer - Read-only access across all resources without blob access (so it cannot pull images) or the ability to manage event subscriptions

**Registry and Container Roles:**

- registry.pull - Container image access
- registry.pull_token_creator - Chainguard registry token management with additional repository capabilities
- apk.pull - Access to the organization's APK packages, including the private APK repository

**Library Roles:**

- libraries.java.pull - Java library access
- libraries.java.pull_token_creator - Java token management
- libraries.python.pull - Python library access
- libraries.python.pull_token_creator - Python library token management
- libraries.javascript.pull - JavaScript library access
- libraries.javascript.pull_token_creator - JavaScript library token management

The administrative roles are useful for user profiles that require broad, but clearly defined capabilities. The registry, container, and library roles have limited permissions, allowing them to manage only one specific Chainguard resource. These specialized, resource-specific roles grant minimal required access.

For example, the apk.pull role only grants list access for APK packages and groups. This means identities with this role can pull the organization's APK packages and retrieve information about the organization, but won't have general access to the organization's Chainguard registry resources.
## Chainguard Role Capabilities

The following table maps Chainguard resources to the built-in roles that have permissions for them. Each row represents a specific resource type (like apk, repo, identity, etc.), describes its purpose, and lists which built-in roles have what capabilities (create, delete, list, update) for that resource.

| Resource | Purpose | Roles with access to this resource |
|---|---|---|
| account_associations | Link cloud provider accounts to organization | owner (create, delete, list, update); editor (list); viewer (list); limited_owner (list); console_viewer (list) |
| apk | Manage APK packages in the registry | owner (create, delete, list, update); editor (list); viewer (list); limited_owner (list); console_viewer (list); registry.pull_token_creator (list); apk.pull (list) |
| apk.blobs | Download APK package binary content | owner (get); editor (get); viewer (get); limited_owner (get) |
| build_report | Access detailed build and scan reports for images and packages | owner (list); editor (list); viewer (list); limited_owner (list); console_viewer (list) |
| group_invites | Send and manage invitations to join Chainguard organization | owner (create, delete, list); editor (list); viewer (list); limited_owner (list); console_viewer (list) |
| groups | Manage organization and hierarchical structures | owner (create, delete, list, update); editor (list); viewer (list); limited_owner (list); console_viewer (list); registry.pull_token_creator (list); libraries.java.pull_token_creator (list); libraries.python.pull_token_creator (list); libraries.javascript.pull_token_creator (list) |
| identity | Create and manage user identities, service accounts, and pull tokens | owner (create, delete, list, update); editor (list); viewer (list); limited_owner (create, list); console_viewer (list); registry.pull_token_creator (create); libraries.java.pull_token_creator (create); libraries.python.pull_token_creator (create); libraries.javascript.pull_token_creator (create) |
| identity_providers | Configure custom identity providers (OIDC, SAML) for authentication | owner (create, delete, list, update); editor (list); viewer (list); limited_owner (list); console_viewer (list) |
| libraries.artifacts | View Chainguard Library artifact metadata and information | owner (list); editor (list); viewer (list); limited_owner (list); console_viewer (list) |
| libraries.entitlements | Manage access permissions for Chainguard Libraries | owner (create, delete, list); editor (list); viewer (list); limited_owner (list); console_viewer (list); libraries.java.pull (list); libraries.python.pull (list); libraries.javascript.pull (list); libraries.java.pull_token_creator (list); libraries.python.pull_token_creator (list); libraries.javascript.pull_token_creator (list) |
| libraries.java | Access Chainguard Libraries for Java | owner (list); libraries.java.pull (list); libraries.java.pull_token_creator (list) |
| libraries.javascript | Access Chainguard Libraries for JavaScript | owner (list); libraries.javascript.pull (list); libraries.javascript.pull_token_creator (list) |
| libraries.python | Access Chainguard Libraries for Python | owner (list); libraries.python.pull (list); libraries.python.pull_token_creator (list) |
| manifest | Access and manage container image manifests | owner (create, delete, list, update); editor (list); viewer (list); limited_owner (list); console_viewer (list); registry.pull (list); registry.pull_token_creator (list); libraries.javascript.pull_token_creator (create, delete, list, update) |
| manifest.metadata | View container image manifest metadata and attestations | owner (list); editor (list); viewer (list); limited_owner (list); console_viewer (list); registry.pull (list); registry.pull_token_creator (list); libraries.javascript.pull_token_creator (list) |
| record_signatures | View cryptographic signature verification records | owner (list); editor (list); viewer (list); limited_owner (list); console_viewer (list); registry.pull (list); registry.pull_token_creator (list); libraries.javascript.pull_token_creator (list) |
| registry.entitlements | View registry access entitlements and permissions | owner (list); editor (list); viewer (list); limited_owner (list); console_viewer (list) |
| repo | Create and manage container repositories (including Custom Assembly resources) | owner (create, delete, list, update); editor (list); viewer (list); limited_owner (list); console_viewer (list); registry.pull (list); registry.pull_token_creator (list); libraries.javascript.pull_token_creator (create, delete, list, update) |
| repo.blobs | Download container image binary content | owner (get); editor (get); viewer (get); limited_owner (get) |
| role_bindings | Assign roles to identities (users and service accounts) | owner (create, delete, list, update); editor (list); viewer (list); limited_owner (create, list); console_viewer (list); registry.pull_token_creator (create); libraries.java.pull_token_creator (create); libraries.python.pull_token_creator (create); libraries.javascript.pull_token_creator (create) |
| roles | Create, modify, and manage custom Chainguard IAM roles | owner (create, delete, list, update); editor (list); viewer (list); limited_owner (list); console_viewer (list); registry.pull_token_creator (list); libraries.java.pull_token_creator (list); libraries.python.pull_token_creator (list); libraries.javascript.pull_token_creator (list) |
| sboms | Access Software Bill of Materials for packages and images | owner (list); editor (list); viewer (list); limited_owner (list); console_viewer (list); registry.pull (list); registry.pull_token_creator (list) |
| subscriptions | Manage CloudEvent subscriptions for notifications and automation | owner (create, delete, list, update); editor (create, delete, list, update); viewer (list); limited_owner (list); console_viewer (list) |
| tag | Manage Chainguard container image tags | owner (create, delete, list, update); editor (list); viewer (list); limited_owner (list); console_viewer (list); registry.pull (list); registry.pull_token_creator (list) |
| version | View version information across all resources and assets | owner (list); editor (list); viewer (list); limited_owner (list); console_viewer (list) |
| vuln | Create vulnerability reports and assessments | owner (create) |
| vuln_report | Manage detailed vulnerability assessments for specific resources | owner (create, list); editor (list); viewer (list); limited_owner (list); console_viewer (list) |
| vuln_reports | View high-level vulnerability report summaries | owner (list); editor (list); viewer (list); limited_owner (list); console_viewer (list); registry.pull (list); registry.pull_token_creator (list) |

## Role Capabilities Comparison

The following table compares the general abilities of the built-in roles described in the previous summary:
| Role | Pull Images | List Tags/Repos | View SBOMs/Diffs | Create IAM Resources | Create Pull Tokens | Libraries Access |
|---|---|---|---|---|---|---|
| owner | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| editor | ✅ | ✅ | ✅ | ✕ | ✕ | ✕ |
| viewer | ✅ | ✅ | ✅ | ✕ | ✕ | ✕ |
| limited_owner | ✅ | ✅ | ✅ | ✅ | ✅ | ✕ |
| console_viewer | ✕ | ✅ | ✅ | ✕ | ✕ | ✕ |
| registry.pull | ✅ | ✅ | ✅ | ✕ | ✕ | ✕ |
| registry.pull_token_creator | ✅ | ✅ | ✅ | ✅ | ✅ | ✕ |
| apk.pull | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ |
| libraries.java.pull | ✕ | ✕ | ✕ | ✕ | ✕ | ✅ |
| libraries.java.pull_token_creator | ✕ | ✕ | ✕ | ✅ | ✅ | ✅ |
| libraries.python.pull | ✕ | ✕ | ✕ | ✕ | ✕ | ✅ |
| libraries.python.pull_token_creator | ✕ | ✕ | ✕ | ✅ | ✅ | ✅ |
| libraries.javascript.pull | ✕ | ✕ | ✕ | ✕ | ✕ | ✅ |
| libraries.javascript.pull_token_creator | ✕ | ✕ | ✕ | ✅ | ✅ | ✅ |

### Notes

- Pull Images / List Tags/Repos / View SBOMs: These capabilities refer to container registry operations relating to the manifest, repo, tag, and sboms resources.
- APK Pull: The apk.pull role is specialized for APK package management, not container operations.
- Console Viewer: Has the same broad list access as editor, but cannot pull blobs (apk.blobs, repo.blobs) and cannot create, update, or delete event subscriptions. This makes it a safe role for inviting team members who need Console visibility without the ability to pull images or APKs.

## Pull token creator roles

The following roles are used for managing pull tokens for certain resources:

- registry.pull_token_creator
- libraries.java.pull_token_creator
- libraries.python.pull_token_creator
- libraries.javascript.pull_token_creator

For example, the libraries.*.pull_token_creator roles are focused on their respective library ecosystems and don't have container registry access.
These roles are able to create pull tokens because of the identity.create capability. However, none of these roles have the identity.list capability, meaning that they aren't able to view the pull tokens they've created.

The reason for this is that Chainguard doesn't distinguish pull token identities from other assumable identities at the IAM level. If these roles also had the identity.list capability, they would be able to view all the identities in that scope. By not including identity.list among their capabilities, the pull token creator roles have a more limited scope, as intended.
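As an added illustration (not Chainguard's code or tooling) of how the capability table above supports least-privilege role selection, and of why a pull-token-creator role can create identities but not enumerate them, the following Python script transcribes a subset of the table and picks the built-in role that covers a required capability set with the fewest extra grants. The RESOURCES mapping is copied from the table on this page; the helper names are the example's own.

```python
"""Least-privilege selection over Chainguard's built-in IAM roles.

Added example, not Chainguard code or tooling. RESOURCES transcribes a subset
of the resource table on this page (resource -> role -> granted verbs); the
verb letters are c/d/l/u/g for create/delete/list/update/get.
"""
RESOURCES = {
    "apk": {"owner": "cdlu", "editor": "l", "viewer": "l", "limited_owner": "l",
            "console_viewer": "l", "registry.pull_token_creator": "l", "apk.pull": "l"},
    "manifest": {"owner": "cdlu", "editor": "l", "viewer": "l", "limited_owner": "l",
                 "console_viewer": "l", "registry.pull": "l",
                 "registry.pull_token_creator": "l"},
    "sboms": {"owner": "l", "editor": "l", "viewer": "l", "limited_owner": "l",
              "console_viewer": "l", "registry.pull": "l",
              "registry.pull_token_creator": "l"},
    "repo.blobs": {"owner": "g", "editor": "g", "viewer": "g", "limited_owner": "g"},
    "identity": {"owner": "cdlu", "editor": "l", "viewer": "l", "limited_owner": "cl",
                 "console_viewer": "l", "registry.pull_token_creator": "c"},
    "role_bindings": {"owner": "cdlu", "editor": "l", "viewer": "l", "limited_owner": "cl",
                      "console_viewer": "l", "registry.pull_token_creator": "c"},
    "subscriptions": {"owner": "cdlu", "editor": "cdlu", "viewer": "l",
                      "limited_owner": "l", "console_viewer": "l"},
}
VERBS = {"c": "create", "d": "delete", "l": "list", "u": "update", "g": "get"}
ROLES = sorted({role for grants in RESOURCES.values() for role in grants})

def capabilities(role):
    """Expand the table into 'resource.verb' strings, e.g. 'identity.create'."""
    return {f"{res}.{VERBS[v]}" for res, grants in RESOURCES.items()
            for v in grants.get(role, "")}

def least_privilege(required):
    """Built-in roles covering every required capability, fewest extra grants first."""
    required = set(required)
    fits = [(len(capabilities(r) - required), r) for r in ROLES
            if required <= capabilities(r)]
    return [r for _, r in sorted(fits)]

def creators_without_list():
    """Roles that can mint identities (pull tokens) but cannot enumerate them."""
    return [r for r in ROLES
            if "identity.create" in capabilities(r)
            and "identity.list" not in capabilities(r)]

if __name__ == "__main__":
    print(least_privilege({"manifest.list", "sboms.list"}))      # registry.pull first
    print(least_privilege({"repo.blobs.get", "identity.create"}))  # limited_owner first
    print(creators_without_list())  # ['registry.pull_token_creator']
```

Pulling manifests and reading SBOMs needs no administrative role at all, while pulling blobs and minting pull tokens together lands on limited_owner rather than owner.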
## Learn More

- Overview of Roles and Role-bindings in Chainguard - Conceptual overview and basic management
- Overview of Chainguard IAM Model - Complete IAM architecture
