This document shows you how to grant Identity and Access Management (IAM) roles and permissions to support routing events using Eventarc from Google Cloud and other sources to GKE destinations, including the public endpoints of private and public services running in a GKE cluster.
Grant project-wide permissions to the principal invoking the Eventarc APIs (for example, the Eventarc trigger creator):
- The Eventarc Admin role allows you full control over all Eventarc resources, including specifying a service account for the trigger when you create it.
- The Service Account User role allows a principal to impersonate and use a service account. The service account is associated with an Eventarc trigger and represents the identity of the trigger.
Grant Eventarc trigger permissions to the trigger service account:
- The Eventarc Event Receiver role allows your Eventarc trigger to receive events from event providers. You don't need to grant the role if you are routing direct events from Cloud Pub/Sub.
- The Pub/Sub Subscriber role allows your Eventarc trigger to consume messages from Pub/Sub and to attach subscriptions to a topic.
- The Monitoring Metric Writer role allows Eventarc's event forwarder to write metrics using Cloud Monitoring and other systems that provide metrics.
Grant permissions to Google service agents:
- If you are creating a trigger for direct events from Cloud Storage, grant the Pub/Sub Publisher role.
- If you enabled the Cloud Pub/Sub service agent on or before April 8, 2021, grant the Service Account Token Creator role.
For more information about granting IAM roles, see Manage access. You might also be able to get the required permissions through custom roles or other predefined roles.
Grant project-wide permissions
If you are the project creator, you are granted the
basic Owner role (roles/owner). By
default, this role includes the permissions necessary for full access to most
Google Cloud resources. Otherwise, required roles must be granted by an
administrator on the appropriate resource to the appropriate principal (also
known as a member).
For example, a principal can be a Google Account (for end users) or a service account (for applications and compute workloads). Each principal has its own identifier, which is typically an email address.
The Eventarc Admin role (
roles/eventarc.admin) allows you full control over all Eventarc resources.Grant the role on the project:
gcloud projects add-iam-policy-binding PROJECT_ID \ --member=PRINCIPAL \ --role=roles/eventarc.adminReplace the following:
PROJECT_ID: your Google Cloud project ID.PRINCIPAL: an identifier for the trigger creator which usually has the following form:PRINCIPAL_TYPE:ID. For example,user:my-user@example.com. For a full list of the possiblePRINCIPAL_TYPEvalues, see the Policy Binding reference.
The Service Account User role (
roles/iam.serviceAccountUser) allows a principal to run operations as a service account.When creating an Eventarc trigger, you need this role so that you can associate a user-managed service account with the trigger and which represents its identity. For more information, see Roles for service account authentication.
You can either grant the role on the project to allow the principal to impersonate multiple service accounts or grant the role on the service account to allow the principal to impersonate only a specific service account.
Grant the role on the project:
gcloud projects add-iam-policy-binding PROJECT_ID \ --member=PRINCIPAL \ --role=roles/iam.serviceAccountUserOr, grant the role on the service account:
gcloud iam service-accounts add-iam-policy-binding \ projects/SERVICE_ACCOUNT_PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_NAME@SERVICE_ACCOUNT_PROJECT_ID.iam.gserviceaccount.com \ --member=PRINCIPAL \ --role=roles/iam.serviceAccountUserReplace the following:
SERVICE_ACCOUNT_PROJECT_ID: the Google Cloud project ID that contains the service account.SERVICE_ACCOUNT_NAME: the name of the service account.
Grant Eventarc trigger permissions
Every Eventarc trigger is associated with an IAM service account at the time the trigger is created. You can specify a user-managed service account that the trigger uses as its default identity. If you don't specify a service account during the trigger's creation, the trigger uses the Compute Engine default service account for its identity.
We recommend that you create your own user-managed service account to give you greater control and flexibility when managing your trigger.
Create a service account and note its name:
gcloud iam service-accounts create SERVICE_ACCOUNT_NAME \ --description="DESCRIPTION" \ --display-name="DISPLAY_NAME"Replace the following:
SERVICE_ACCOUNT_NAME: the name of the service account. This name appears in the email address that identifies the service account.DESCRIPTION: an optional description of the service accountDISPLAY_NAME: a service account name to display in the Google Cloud console
Grant the Eventarc Event Receiver role (
roles/eventarc.eventReceiver) on the project to the service account associated with your Eventarc trigger so that it can receive events from event providers.Note that you don't need to grant the Eventarc Event Receiver role if you are routing direct events from Cloud Pub/Sub.
gcloud projects add-iam-policy-binding PROJECT_ID \ --member=serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \ --role=roles/eventarc.eventReceiverReplace
SERVICE_ACCOUNT_NAMEwith the name of your service account that you noted in the previous step.Grant the Pub/Sub Subscriber role (
roles/pubsub.subscriber) on the project to the service account associated with your Eventarc trigger so that it can consume messages from Pub/Sub and attach subscriptions to a topic.gcloud projects add-iam-policy-binding PROJECT_ID \ --member=serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \ --role=roles/pubsub.subscriberReplace
SERVICE_ACCOUNT_NAMEwith the name of your service account that you noted previously.Grant the Monitoring Metric Writer role (
roles/monitoring.metricWriter) on the project to the service account associated with your Eventarc trigger so that Eventarc's event forwarder can write metrics using Cloud Monitoring and other systems that provide metrics.gcloud projects add-iam-policy-binding PROJECT_ID \ --member=serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \ --role=roles/monitoring.metricWriter
Grant permissions to Google service agents
Some Google Cloud services have Google-managed service accounts that allow the services to access your resources. These service accounts are known as service agents. If an API requires a service agent, then Google creates the service agent after you activate and use the API.
If you are creating a trigger for direct events from Cloud Storage, to support publishing messages to a topic, grant the Pub/Sub Publisher role (
roles/pubsub.publisher) on the project to the Cloud Storage service agent:gcloud projects add-iam-policy-binding PROJECT_ID \ --member=serviceAccount:service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com \ --role=roles/pubsub.publisherReplace
PROJECT_NUMBERwith your Google Cloud project number. You can find your project number on the Welcome page of the Google Cloud console or by running the following command:gcloud projects describe PROJECT_ID --format='value(projectNumber)'
If you enabled the Cloud Pub/Sub service agent on or before April 8, 2021, to support authenticated Pub/Sub push requests, grant the Service Account Token Creator role (
roles/iam.serviceAccountTokenCreator) on the project to the Pub/Sub service agent. Otherwise, this role is granted by default:gcloud projects add-iam-policy-binding PROJECT_ID \ --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com \ --role=roles/iam.serviceAccountTokenCreator
What's next
Learn about access control options in Eventarc.
Learn about creating IAM policies for GKE.
Learn about best practices for using service accounts.
Learn how to describe a trigger and verify its associated service account.