Access control with IAM

Overview

The Transcoder API uses Identity and Access Management (IAM) for access control.

You can configure access control for the Transcoder API at the project level. For example, you can grant access for developers to list and get all jobs within a project.

For a detailed description of IAM and its features, see the IAM documentation. In particular, see the section on managing IAM policies.

Every Transcoder API method requires the caller to have the necessary permissions. For more information, see Permissions and Roles.

Permissions

This section summarizes the Transcoder API permissions that IAM supports.

Required permissions

The following tables list the IAM permissions that are associated with the Transcoder API.

Job method            Required permissions
jobs.create           transcoder.jobs.create on the parent Google Cloud project.
jobs.delete           transcoder.jobs.delete on the parent Google Cloud project.
jobs.get              transcoder.jobs.get on the parent Google Cloud project.
jobs.list             transcoder.jobs.list on the parent Google Cloud project.

Job template method   Required permissions
jobTemplates.create   transcoder.jobTemplates.create on the parent Google Cloud project.
jobTemplates.delete   transcoder.jobTemplates.delete on the parent Google Cloud project.
jobTemplates.get      transcoder.jobTemplates.get on the parent Google Cloud project.
jobTemplates.list     transcoder.jobTemplates.list on the parent Google Cloud project.

Roles

The following table lists the Transcoder API IAM roles, including the permissions associated with each role:

IAM role: Transcoder Viewer (roles/transcoder.viewer)
Description: Viewer of all transcoder resources.
Permissions:
  resourcemanager.projects.get
  resourcemanager.projects.list
  transcoder.jobTemplates.get
  transcoder.jobTemplates.list
  transcoder.jobTemplates.listEffectiveTags
  transcoder.jobTemplates.listTagBindings
  transcoder.jobs.get
  transcoder.jobs.list
  transcoder.jobs.listEffectiveTags
  transcoder.jobs.listTagBindings

IAM role: Transcoder Admin (roles/transcoder.admin)
Description: Full access to all transcoder resources.
Permissions:
  resourcemanager.projects.get
  resourcemanager.projects.list
  transcoder.*
  transcoder.jobTemplates.create
  transcoder.jobTemplates.createTagBinding
  transcoder.jobTemplates.delete
  transcoder.jobTemplates.deleteTagBinding
  transcoder.jobTemplates.get
  transcoder.jobTemplates.list
  transcoder.jobTemplates.listEffectiveTags
  transcoder.jobTemplates.listTagBindings
  transcoder.jobs.create
  transcoder.jobs.createTagBinding
  transcoder.jobs.delete
  transcoder.jobs.deleteTagBinding
  transcoder.jobs.get
  transcoder.jobs.list
  transcoder.jobs.listEffectiveTags
  transcoder.jobs.listTagBindings

The roles roles/owner and roles/editor grant the permissions associated with the roles/transcoder.admin role. The role roles/viewer grants permissions associated with the roles/transcoder.viewer role.

The roles roles/owner, roles/editor, and roles/viewer include permissions for other Google Cloud services as well. For more information about roles, see Understanding roles.
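The two tables above are what you consult when choosing the smallest role for a principal. The following added example (not code from Google's documentation) transcribes them and resolves the `transcoder.*` entry in the admin role the way IAM does, as a wildcard over every permission in the transcoder service, so you can ask which methods a role allows and which predefined role is the least privileged one that covers a given set of methods. The method and role contents come from the page; the wildcard matching and the least-privilege search are the only logic added.

```python
"""Resolve which Transcoder API methods a predefined role allows.

Added example; not code from Google's documentation. The tables are
transcribed from the page; `transcoder.*` is treated as a wildcard over
every permission in the transcoder service.
"""
import fnmatch

# Method -> the single permission it requires on the parent project.
REQUIRED_PERMISSION = {
    "jobs.create": "transcoder.jobs.create",
    "jobs.delete": "transcoder.jobs.delete",
    "jobs.get": "transcoder.jobs.get",
    "jobs.list": "transcoder.jobs.list",
    "jobTemplates.create": "transcoder.jobTemplates.create",
    "jobTemplates.delete": "transcoder.jobTemplates.delete",
    "jobTemplates.get": "transcoder.jobTemplates.get",
    "jobTemplates.list": "transcoder.jobTemplates.list",
}

# Role -> permissions granted, ordered from least to most privileged.
ROLE_PERMISSIONS = {
    "roles/transcoder.viewer": {
        "resourcemanager.projects.get", "resourcemanager.projects.list",
        "transcoder.jobTemplates.get", "transcoder.jobTemplates.list",
        "transcoder.jobTemplates.listEffectiveTags",
        "transcoder.jobTemplates.listTagBindings",
        "transcoder.jobs.get", "transcoder.jobs.list",
        "transcoder.jobs.listEffectiveTags", "transcoder.jobs.listTagBindings",
    },
    # The admin role carries "transcoder.*", which already covers every
    # transcoder permission; the page's explicit entries are redundant with it.
    "roles/transcoder.admin": {
        "resourcemanager.projects.get", "resourcemanager.projects.list",
        "transcoder.*",
    },
}


def has_permission(granted, needed):
    """True if `needed` is granted directly or through a `service.*` wildcard."""
    return any(fnmatch.fnmatchcase(needed, pattern) for pattern in granted)


def allowed_methods(role):
    """Transcoder API methods a principal holding `role` may call."""
    perms = ROLE_PERMISSIONS[role]
    return sorted(m for m, p in REQUIRED_PERMISSION.items() if has_permission(perms, p))


def least_privileged_role(methods):
    """Smallest predefined role that covers every method in `methods`, or None."""
    for role, perms in ROLE_PERMISSIONS.items():  # least privileged first
        if all(has_permission(perms, REQUIRED_PERMISSION[m]) for m in methods):
            return role
    return None


if __name__ == "__main__":
    for role in ROLE_PERMISSIONS:
        print(role, "->", ", ".join(allowed_methods(role)))
    print("list+get jobs:", least_privileged_role(["jobs.list", "jobs.get"]))
    print("create jobs:  ", least_privileged_role(["jobs.create"]))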

Access to Cloud Storage and Pub/Sub

By default, the Transcoder API has access to all of your project's Cloud Storage buckets and Pub/Sub topics. When you create your first job, the Transcoder API creates a service account using the following naming convention:

service-PROJECT_NUMBER@gcp-sa-transcoder.iam.gserviceaccount.com

PROJECT_NUMBER is the project number of your project with the Transcoder API enabled. This service account is granted the Transcoder Service Agent role and has permissions to do the following:

Limiting access

To limit this access, remove the Transcoder Service Agent role from the service account and replace it with more fine-grained access. Follow these steps:

  1. Go to the IAM page (Permissions tab) in the Google Cloud console.
  2. Find the service account with the Transcoder Service Agent role and select the edit button.
  3. Delete the Transcoder Service Agent role from the service account.
  4. Grant access to the service account for each individual Cloud Storage bucket:
    1. Go to the Cloud Storage Browser page.
    2. Click a bucket.
    3. Select the Permissions tab.
    4. Click Add.
    5. In the New principals box, type the name of the service account.
    6. Under Role, select Storage Object Admin.
    7. Click Save. The Transcoder API now has access to the bucket.
  5. (Optional) Grant access to the service account for any configured Pub/Sub topic:
    1. Go to the Pub/Sub topics page.
    2. Click a topic.
    3. Select the Permissions tab.
    4. Click Add principal.
    5. In the New principals box, type the name of the service account.
    6. Under Role, select Pub/Sub Publisher.
    7. Click Save. The Transcoder API now has access to the topic.
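The console steps above are a read-modify-write of the project IAM policy followed by per-resource grants. The following added example (not code from Google's documentation) performs the same change on the policy JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints and that `gcloud projects set-iam-policy PROJECT_ID policy.json` accepts, so the edit can be reviewed before it is applied and checked afterwards. The sample policy and the project number 123456789012 are constructed; the role ID `roles/transcoder.serviceAgent` is assumed for the Transcoder Service Agent role named on the page and should be confirmed in the console before use.

```python
"""Strip the Transcoder service agent's project-wide role and build the
bucket- and topic-level bindings that replace it.

Added example, not code from Google's documentation. Works offline on a
constructed policy in the gcloud get-iam-policy JSON shape. Assumptions:
the project number is made up and roles/transcoder.serviceAgent is the
assumed ID of the "Transcoder Service Agent" role.
"""
import copy
import json

PROJECT_NUMBER = "123456789012"  # constructed sample value
TRANSCODER_SA = (
    f"serviceAccount:service-{PROJECT_NUMBER}"
    "@gcp-sa-transcoder.iam.gserviceaccount.com"
)
SERVICE_AGENT_ROLE = "roles/transcoder.serviceAgent"  # assumed role ID

# Constructed project policy: the service agent sits beside an unrelated binding.
SAMPLE_PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": ["user:analyst@example.com"]},
        {"role": SERVICE_AGENT_ROLE, "members": [TRANSCODER_SA]},
    ],
    "etag": "BwXyz123example",
    "version": 1,
}


def roles_held(policy, member):
    """Every role in `policy` whose binding lists `member`; use it as the post-change check."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def remove_member_from_role(policy, role, member):
    """Return a copy of `policy` with `member` removed from `role` (page step 3).

    The etag is preserved so that set-iam-policy rejects the write if the
    policy changed between the read and the write.
    """
    new = copy.deepcopy(policy)
    for binding in new.get("bindings", []):
        if binding["role"] == role and member in binding.get("members", []):
            binding["members"].remove(member)
    # Drop bindings left with no members rather than writing empty ones back.
    new["bindings"] = [b for b in new.get("bindings", []) if b.get("members")]
    return new


def add_member_to_role(policy, role, member):
    """Return a copy of a bucket or topic policy granting `role` to `member` (steps 4 and 5).

    Idempotent: an existing unconditional binding for `role` is reused.
    """
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    bindings.append({"role": role, "members": [member]})
    return new


if __name__ == "__main__":
    trimmed = remove_member_from_role(SAMPLE_PROJECT_POLICY, SERVICE_AGENT_ROLE, TRANSCODER_SA)
    print(json.dumps(trimmed, indent=2))
    print("service agent still holds:", roles_held(trimmed, TRANSCODER_SA) or "nothing")
    bucket_policy = add_member_to_role({}, "roles/storage.objectAdmin", TRANSCODER_SA)
    topic_policy = add_member_to_role({}, "roles/pubsub.publisher", TRANSCODER_SA)
    print(json.dumps({"bucket": bucket_policy, "topic": topic_policy}, indent=2))
```

On the command line the per-resource grants correspond to `gcloud storage buckets add-iam-policy-binding gs://BUCKET --member=MEMBER --role=roles/storage.objectAdmin` and `gcloud pubsub topics add-iam-policy-binding TOPIC --member=MEMBER --role=roles/pubsub.publisher`, with MEMBER set to the `serviceAccount:` form of the address shown above. After applying the project policy, re-read it and confirm `roles_held` returns an empty set for the service account; any role still listed there is access the scoped-down grants were meant to replace.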