Access control with IAM

This page describes the access control options that are available to you in Eventarc.

Overview

Eventarc uses Identity and Access Management (IAM) for access control.

For an introduction to IAM and its features, see the IAM overview. To learn how to grant and revoke access, see Manage access to projects, folders, and organizations.

For lists of the permissions and roles that Eventarc supports, see the following sections.

Enable the Eventarc API

To view and assign IAM roles for Eventarc, you must enable the Eventarc API for your project. You won't be able to see the Eventarc roles in the Google Cloud console until you enable the API.

Enable the API

Predefined roles

The following table lists the Eventarc predefined IAM roles with a corresponding list of all the permissions each role includes.

The predefined roles address most typical use cases. If your use case isn't covered by the predefined roles, you can create an IAM custom role.

Eventarc roles

Role Permissions

(roles/eventarc.admin)

Full control over all Eventarc resources.

Lowest-level resources where you can grant this role:

  • Project

eventarc.*

  • eventarc.channelConnections.create
  • eventarc.channelConnections.delete
  • eventarc.channelConnections.get
  • eventarc.channelConnections.getIamPolicy
  • eventarc.channelConnections.list
  • eventarc.channelConnections.publish
  • eventarc.channelConnections.setIamPolicy
  • eventarc.channels.attach
  • eventarc.channels.create
  • eventarc.channels.delete
  • eventarc.channels.get
  • eventarc.channels.getIamPolicy
  • eventarc.channels.list
  • eventarc.channels.publish
  • eventarc.channels.setIamPolicy
  • eventarc.channels.undelete
  • eventarc.channels.update
  • eventarc.enrollments.create
  • eventarc.enrollments.delete
  • eventarc.enrollments.get
  • eventarc.enrollments.getIamPolicy
  • eventarc.enrollments.list
  • eventarc.enrollments.setIamPolicy
  • eventarc.enrollments.update
  • eventarc.events.receiveAuditLogWritten
  • eventarc.events.receiveEvent
  • eventarc.googleApiSources.create
  • eventarc.googleApiSources.delete
  • eventarc.googleApiSources.get
  • eventarc.googleApiSources.getIamPolicy
  • eventarc.googleApiSources.list
  • eventarc.googleApiSources.setIamPolicy
  • eventarc.googleApiSources.update
  • eventarc.googleChannelConfigs.get
  • eventarc.googleChannelConfigs.update
  • eventarc.locations.get
  • eventarc.locations.list
  • eventarc.messageBuses.create
  • eventarc.messageBuses.delete
  • eventarc.messageBuses.get
  • eventarc.messageBuses.getIamPolicy
  • eventarc.messageBuses.list
  • eventarc.messageBuses.publish
  • eventarc.messageBuses.setIamPolicy
  • eventarc.messageBuses.update
  • eventarc.messageBuses.use
  • eventarc.operations.cancel
  • eventarc.operations.delete
  • eventarc.operations.get
  • eventarc.operations.list
  • eventarc.pipelines.create
  • eventarc.pipelines.delete
  • eventarc.pipelines.get
  • eventarc.pipelines.getIamPolicy
  • eventarc.pipelines.list
  • eventarc.pipelines.setIamPolicy
  • eventarc.pipelines.update
  • eventarc.providers.get
  • eventarc.providers.list
  • eventarc.triggers.create
  • eventarc.triggers.delete
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • eventarc.triggers.setIamPolicy
  • eventarc.triggers.undelete
  • eventarc.triggers.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.connectionPublisher)

Can publish events to Eventarc channel connections.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channelConnections.get

eventarc.channelConnections.list

eventarc.channelConnections.publish

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.developer)

Access to read and write Eventarc resources.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channelConnections.create

eventarc.channelConnections.delete

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channelConnections.publish

eventarc.channels.attach

eventarc.channels.create

eventarc.channels.delete

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.channels.publish

eventarc.channels.undelete

eventarc.channels.update

eventarc.enrollments.create

eventarc.enrollments.delete

eventarc.enrollments.get

eventarc.enrollments.getIamPolicy

eventarc.enrollments.list

eventarc.enrollments.update

eventarc.googleApiSources.create

eventarc.googleApiSources.delete

eventarc.googleApiSources.get

eventarc.googleApiSources.getIamPolicy

eventarc.googleApiSources.list

eventarc.googleApiSources.update

eventarc.googleChannelConfigs.*

  • eventarc.googleChannelConfigs.get
  • eventarc.googleChannelConfigs.update

eventarc.locations.*

  • eventarc.locations.get
  • eventarc.locations.list

eventarc.operations.*

  • eventarc.operations.cancel
  • eventarc.operations.delete
  • eventarc.operations.get
  • eventarc.operations.list

eventarc.pipelines.create

eventarc.pipelines.delete

eventarc.pipelines.get

eventarc.pipelines.getIamPolicy

eventarc.pipelines.list

eventarc.pipelines.update

eventarc.providers.*

  • eventarc.providers.get
  • eventarc.providers.list

eventarc.triggers.create

eventarc.triggers.delete

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

eventarc.triggers.undelete

eventarc.triggers.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.eventReceiver)

Can receive events from all event providers.

Lowest-level resources where you can grant this role:

  • Project

eventarc.events.*

  • eventarc.events.receiveAuditLogWritten
  • eventarc.events.receiveEvent

(roles/eventarc.messageBusAdmin)

Full control over Message Buses resources.

eventarc.messageBuses.create

eventarc.messageBuses.delete

eventarc.messageBuses.get

eventarc.messageBuses.getIamPolicy

eventarc.messageBuses.list

eventarc.messageBuses.publish

eventarc.messageBuses.update

eventarc.messageBuses.use

(roles/eventarc.messageBusUser)

Access to publish to or bind to a Message Bus.

eventarc.messageBuses.get

eventarc.messageBuses.list

eventarc.messageBuses.publish

eventarc.messageBuses.use

(roles/eventarc.publisher)

Can publish events to Eventarc channels.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channels.get

eventarc.channels.list

eventarc.channels.publish

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.viewer)

Can view the state of all Eventarc resources, including IAM policies.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.enrollments.get

eventarc.enrollments.getIamPolicy

eventarc.enrollments.list

eventarc.googleApiSources.get

eventarc.googleApiSources.getIamPolicy

eventarc.googleApiSources.list

eventarc.googleChannelConfigs.get

eventarc.locations.*

  • eventarc.locations.get
  • eventarc.locations.list

eventarc.messageBuses.get

eventarc.messageBuses.getIamPolicy

eventarc.messageBuses.list

eventarc.messageBuses.use

eventarc.operations.get

eventarc.operations.list

eventarc.pipelines.get

eventarc.pipelines.getIamPolicy

eventarc.pipelines.list

eventarc.providers.*

  • eventarc.providers.get
  • eventarc.providers.list

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

resourcemanager.projects.get

resourcemanager.projects.list

For more information on Eventarc Advanced roles and permissions, see All roles and permissions.

Project-level IAM management

At the project level, you can grant, change, and revoke IAM roles using the Google Cloud console, the IAM API, or the Google Cloud CLI. For instructions, see Manage access to projects, folders, and organizations.