Access control with IAM

This page explains the Identity and Access Management roles available for Memorystore for Redis Cluster, and the permissions associated with those roles. Memorystore for Redis Cluster and Memorystore for Redis use the same IAM roles. The permissions these roles grant for Memorystore for Redis Cluster are listed on this page. The permissions these roles grant for Memorystore for Redis are listed on the Memorystore for Redis Access control page. Although the permissions are listed separately on the two pages, the roles grant permissions for both Memorystore for Redis Cluster and Memorystore for Redis.

Memorystore for Redis Cluster uses a different permissions naming structure than Memorystore for Redis: the Memorystore for Redis Cluster permissions listed on this page take the form redis.clusters.* (for example, redis.clusters.get), whereas the Memorystore for Redis permissions use a different name prefix and are listed on the Memorystore for Redis Access control page.

To view more information about the Redis Admin role, see Predefined roles.

To learn how to grant the role to a user in your project, see Grant or revoke a single role.

Predefined roles

The following predefined roles are available for Memorystore for Redis Cluster. If you update a role for an Identity and Access Management principal, the change takes several minutes to take effect.

| Role | Name | Redis permissions | Description |
|---|---|---|---|
| roles/owner | Owner | redis.* | Full access and control for all Google Cloud resources; manage user access |
| roles/editor | Editor | All redis permissions except for *.getIamPolicy and *.setIamPolicy | Read-write access to all Google Cloud and Redis resources (full control except for the ability to modify permissions) |
| roles/viewer | Viewer | redis.*.get, redis.*.list | Read-only access to all Memorystore for Redis Cluster resources. However, you can't use this permission to view data that's associated with the resources. |
| roles/redis.admin | Redis Admin | redis.* | Full control for all Memorystore for Redis Cluster resources. |
| roles/redis.editor | Redis Editor | All redis permissions except for redis.clusters.create, redis.clusters.delete, redis.clusters.connect | Manage Memorystore for Redis Cluster instances. Can't create or delete instances. |
| roles/redis.viewer | Redis Viewer | All redis permissions except for redis.clusters.create, redis.clusters.delete, redis.clusters.update, redis.clusters.connect, redis.operations.delete | Read-only access to all Memorystore for Redis Cluster resources. |
| roles/redis.dbConnectionUser | Redis Database Connection User | redis.clusters.connect | A role that you can assign to users who need to authenticate with IAM authentication. |

Permissions and their roles

The following table lists each permission that Memorystore for Redis Cluster supports and the Memorystore for Redis roles that include it:

| Permission | Redis roles | Basic role |
|---|---|---|
| redis.clusters.list | Redis Admin, Redis Editor, Redis Viewer | Viewer |
| redis.clusters.get | Redis Admin, Redis Editor, Redis Viewer | Viewer |
| redis.clusters.create | Redis Admin | Owner |
| redis.clusters.update | Redis Admin, Redis Editor | Editor |
| redis.clusters.connect | Redis Admin, Redis Database Connection User | Owner |
| redis.clusters.rescheduleMaintenance | Redis Admin | Owner |

Custom roles

If the predefined roles do not address your unique business requirements, you can define your own custom roles with permissions that you specify. To support this, IAM offers custom roles. When you create custom roles for Memorystore for Redis Cluster, make sure that you include both resourcemanager.projects.get and resourcemanager.projects.list. Otherwise, the Google Cloud console will not function correctly for Memorystore for Redis Cluster. For more information, see Permission dependencies. To learn how to create a custom role, see Creating a custom role.
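The following script is an added example, not code from the Memorystore for Redis Cluster documentation. It covers two things the page points to elsewhere: building a read-only custom role that includes the two Resource Manager permissions the console needs (with a preflight check that refuses to emit the command when either is missing), and granting a single role to a principal, here roles/redis.dbConnectionUser for IAM authentication. The role ID memorystoreClusterReadOnly, the project ID my-project and the member user:alice@example.com are placeholders chosen for illustration. The script only prints the gcloud commands; it does not run them.

```bash
#!/usr/bin/env bash
# Added example for this page; not code from the Memorystore for Redis Cluster
# documentation. The role ID, project ID and member below are placeholders.

# The two Resource Manager permissions the page says every custom role used
# with the Memorystore for Redis Cluster console must include.
REQUIRED_CONSOLE_PERMS="resourcemanager.projects.get resourcemanager.projects.list"

# check_role_perms PERM...
# Returns 0 when both required console permissions are in the list, 1 otherwise.
# Each missing permission is reported on stderr.
check_role_perms() {
  local missing=0 req p found
  for req in $REQUIRED_CONSOLE_PERMS; do
    found=0
    for p in "$@"; do
      [ "$p" = "$req" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
      echo "custom role is missing $req; the console will not work for Memorystore for Redis Cluster" >&2
      missing=1
    fi
  done
  return "$missing"
}

# build_create_role_cmd ROLE_ID PROJECT_ID PERM...
# Prints the gcloud command that creates a project-level custom role, after
# running the preflight check above. Returns 1 (and prints nothing) on failure.
build_create_role_cmd() {
  local role_id="$1" project_id="$2"
  shift 2
  check_role_perms "$@" || return 1
  local joined
  joined=$(IFS=,; printf '%s' "$*")   # comma-join the permission list
  printf 'gcloud iam roles create %s --project=%s --title="Memorystore Cluster Read-only" --stage=GA --permissions=%s\n' \
    "$role_id" "$project_id" "$joined"
}

# build_binding_cmd PROJECT_ID MEMBER ROLE
# Prints the gcloud command that grants one role to one principal.
build_binding_cmd() {
  printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=%s\n' "$1" "$2" "$3"
}

# Read-only custom role: the redis.clusters.* read permissions from this page
# plus the two Resource Manager permissions the console depends on.
READ_ONLY_PERMS="redis.clusters.get redis.clusters.list resourcemanager.projects.get resourcemanager.projects.list"

# shellcheck disable=SC2086
build_create_role_cmd memorystoreClusterReadOnly my-project $READ_ONLY_PERMS

# Grant the predefined role that IAM-authenticating clients need (placeholder member).
build_binding_cmd my-project user:alice@example.com roles/redis.dbConnectionUser
```

To grant the custom role rather than a predefined one, pass it to build_binding_cmd in its full form, projects/my-project/roles/memorystoreClusterReadOnly. As the page notes for predefined roles, a changed binding takes several minutes to take effect, so a client that still fails to connect immediately after the binding is added is not necessarily misconfigured.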

In-transit encryption permissions

The table below shows the permissions required for enabling and managing in-transit encryption for Memorystore for Redis Cluster.

| Permission needed | Create a Memorystore instance with in-transit encryption | Download the Certificate Authority |
|---|---|---|
| redis.clusters.create | X | |
| redis.clusters.get | | X |

Network connectivity policy creation role

The permissions described in this section are needed for the Network Admin who is establishing a service connection policy for Memorystore for Redis Cluster, as described in the Networking page.

To establish the policy required for Memorystore cluster creation, the Network Admin must have the networkconnectivity.googleapis.com/consumerNetworkAdmin role, which grants the following permissions: