Roles and permissions for Google Kubernetes Engine (GKE)


This document shows you how to grant Identity and Access Management (IAM) roles to the user who creates Eventarc triggers and to the service account that a trigger uses, so that Eventarc can receive events from Google Cloud and third-party sources and deliver them to GKE (including private and public Cloud Run for Anthos services running in a GKE cluster).

For more information about access control options in Eventarc, see Access control.

Required IAM roles

Grant the roles below to the user who creates the trigger and to the service account that the trigger uses. The service account roles depend on the event source; grant only the roles listed for that source rather than a basic role such as Editor or Owner.

Cloud audit logs

Eventarc receives events from Google Cloud sources through Cloud Audit Logs and delivers them to a GKE target.

User role

Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=PRINCIPAL \
    --role="roles/eventarc.admin"

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • PRINCIPAL: the principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com

Service account roles

  • Grant the Pub/Sub Subscriber role (roles/pubsub.subscriber) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com" \
      --role="roles/pubsub.subscriber"
    
  • Grant the Monitoring Metric Writer role (roles/monitoring.metricWriter) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com" \
      --role="roles/monitoring.metricWriter"
    
  • Grant the Eventarc Event Receiver role (roles/eventarc.eventReceiver) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com" \
      --role="roles/eventarc.eventReceiver"
    

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • MY_SERVICE_ACCOUNT: the name of your service account.

Direct events

Eventarc sends direct event notifications, such as an update to a Cloud Storage bucket, to the target GKE service.

User role

Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=PRINCIPAL \
    --role="roles/eventarc.admin"

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • PRINCIPAL: the principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com

Service account roles

  • Grant the Pub/Sub Subscriber role (roles/pubsub.subscriber) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com" \
      --role="roles/pubsub.subscriber"
    
  • Grant the Monitoring Metric Writer role (roles/monitoring.metricWriter) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com" \
      --role="roles/monitoring.metricWriter"
    
  • Grant the Eventarc Event Receiver role (roles/eventarc.eventReceiver) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com" \
      --role="roles/eventarc.eventReceiver"
    

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • MY_SERVICE_ACCOUNT: the name of your service account.

Cloud Storage service account role

If you are creating a trigger for a direct Cloud Storage event (as opposed to other direct events), grant the Pub/Sub Publisher role (roles/pubsub.publisher) to the Cloud Storage service agent, the Google-managed service account that Cloud Storage uses to publish event notifications to Pub/Sub. This is a different principal from your trigger service account; the first command below prints its email address:

SERVICE_ACCOUNT="$(gsutil kms serviceaccount -p PROJECT_ID)"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:${SERVICE_ACCOUNT}" \
    --role="roles/pubsub.publisher"

Replace PROJECT_ID with the Google Cloud project ID.

Pub/Sub topic

Eventarc receives events from third-party sources through a Pub/Sub topic and delivers them to a GKE target.

User role

Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=PRINCIPAL \
    --role="roles/eventarc.admin"

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • PRINCIPAL: the principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com

Service account roles

  • Grant the Pub/Sub Subscriber role (roles/pubsub.subscriber) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com" \
      --role="roles/pubsub.subscriber"
    
  • Grant the Monitoring Metric Writer role (roles/monitoring.metricWriter) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com" \
      --role="roles/monitoring.metricWriter"
    

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • MY_SERVICE_ACCOUNT: the name of your service account.
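The three procedures above (Cloud Audit Logs, direct events, Pub/Sub topic) differ only in the role set, and a Pub/Sub topic trigger does not need roles/eventarc.eventReceiver. The following script is an added example, not part of this page or of any Google tool: it reads the output of `gcloud projects get-iam-policy PROJECT_ID --format=json`, checks that the trigger service account holds the roles listed for its event source, flags conditional grants for manual review and basic roles (Owner, Editor) that exceed what delivery needs, checks the Cloud Storage service agent binding for direct Cloud Storage triggers, and emits the exact `gcloud projects add-iam-policy-binding` commands from this page for anything missing. The project ID `my-project`, the service account `eventarc-gke`, the service agent address and the whole sample policy are constructed for the example.

```python
"""Audit a project IAM policy for the Eventarc-to-GKE roles listed on this page.

Usage:
    gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json
    python3 audit_eventarc_roles.py policy.json my-project eventarc-gke audit-log
Without arguments the constructed SAMPLE_POLICY below is audited.
"""
import json
import sys

# Roles the trigger service account needs, per event-source type on this page.
# A Pub/Sub topic trigger does not need roles/eventarc.eventReceiver.
REQUIRED_ROLES = {
    "audit-log": {"roles/pubsub.subscriber", "roles/monitoring.metricWriter",
                  "roles/eventarc.eventReceiver"},
    "direct": {"roles/pubsub.subscriber", "roles/monitoring.metricWriter",
               "roles/eventarc.eventReceiver"},
    "pubsub": {"roles/pubsub.subscriber", "roles/monitoring.metricWriter"},
}
# Basic roles that give the trigger service account far more than delivery needs.
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample policy (assumed project ID, service account and agent addresses).
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwX1example",
    "bindings": [
        {"role": "roles/pubsub.subscriber",
         "members": ["serviceAccount:eventarc-gke@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["user:alice@example.com",
                     "serviceAccount:eventarc-gke@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/eventarc.eventReceiver",
         "members": ["serviceAccount:eventarc-gke@my-project.iam.gserviceaccount.com"],
         "condition": {"title": "expired-trial",
                       "expression": "request.time < timestamp('2023-01-01T00:00:00Z')"}},
        {"role": "roles/eventarc.admin", "members": ["group:eventarc-admins@example.com"]},
        {"role": "roles/pubsub.publisher",
         "members": ["serviceAccount:service-123456789012@gs-project-accounts.iam.gserviceaccount.com"]},
    ],
}


def roles_for_member(policy, member):
    """Split the roles bound to `member` into unconditional and conditional grants."""
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A conditional grant only applies while its CEL expression is true, so it is
        # reported for manual review rather than counted as satisfying a requirement.
        (conditional if "condition" in binding else unconditional).add(binding["role"])
    return unconditional, conditional


def audit_trigger_sa(policy, project_id, sa_name, trigger_type):
    """Report missing, conditional and overly broad roles for the trigger's service
    account, plus the gcloud commands (as on this page) that add the missing bindings."""
    member = f"serviceAccount:{sa_name}@{project_id}.iam.gserviceaccount.com"
    held, conditional = roles_for_member(policy, member)
    missing = sorted(REQUIRED_ROLES[trigger_type] - held)
    remediation = [
        f'gcloud projects add-iam-policy-binding {project_id} '
        f'--member="{member}" --role="{role}"'
        for role in missing
    ]
    return {
        "member": member,
        "missing": missing,
        "conditional": sorted(conditional),
        "overly_broad": sorted(held & BROAD_ROLES),
        "remediation": remediation,
    }


def audit_storage_agent(policy, agent_email):
    """True if the Cloud Storage service agent (the address printed by
    `gsutil kms serviceaccount -p PROJECT_ID`) holds roles/pubsub.publisher
    unconditionally, which direct Cloud Storage triggers require."""
    held, _ = roles_for_member(policy, f"serviceAccount:{agent_email}")
    return "roles/pubsub.publisher" in held


if __name__ == "__main__":
    if len(sys.argv) == 5:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
        project, sa, kind = sys.argv[2:5]
    else:
        policy, project, sa, kind = SAMPLE_POLICY, "my-project", "eventarc-gke", "audit-log"
    print(json.dumps(audit_trigger_sa(policy, project, sa, kind), indent=2))
```

On the sample policy the audit-log check reports two missing roles (the Event Receiver grant is conditional and has expired, so it is listed under `conditional` rather than counted) and flags the Editor binding, which should be removed once the listed roles are in place. Project-level `get-iam-policy` does not show grants inherited from the folder or organization, so a clean report here does not rule out a broad role inherited from above.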