Roles and permissions for Google Kubernetes Engine (GKE)

This document shows you how to grant Identity and Access Management (IAM) roles to service accounts so that Eventarc can receive events from Google Cloud and third-party sources, and deliver the events to GKE and Cloud Run for Anthos services.

For more information about access control options in Eventarc, see Access control.

Required IAM roles

Grant the roles listed below for your event source to the service accounts. The bindings are made at the project level (gcloud projects add-iam-policy-binding), so grant only the roles the source type requires and nothing broader.

Cloud Audit Logs

To receive events from Google Cloud sources, Eventarc uses Cloud Audit Logs entries as the event source and delivers them to a GKE target.

Service account roles

  • Grant the Pub/Sub Subscriber role (roles/pubsub.subscriber) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member "serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_NUMBER.iam.gserviceaccount.com" \
      --role "roles/pubsub.subscriber"
    
  • Grant the Monitoring Metric Writer role (roles/monitoring.metricWriter) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member "serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_NUMBER.iam.gserviceaccount.com" \
      --role "roles/monitoring.metricWriter"
    
  • Grant the Eventarc Event Receiver role (roles/eventarc.eventReceiver) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member "serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_NUMBER.iam.gserviceaccount.com" \
      --role "roles/eventarc.eventReceiver"
    

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • MY_SERVICE_ACCOUNT: the name of your service account.
  • PROJECT_NUMBER: the Google Cloud project number.

Cloud Storage

Eventarc sends event notifications directly from a Cloud Storage bucket to the target GKE service.

Service account roles

  • Grant the Pub/Sub Subscriber role (roles/pubsub.subscriber) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member "serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_NUMBER.iam.gserviceaccount.com" \
      --role "roles/pubsub.subscriber"
    
  • Grant the Monitoring Metric Writer role (roles/monitoring.metricWriter) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member "serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_NUMBER.iam.gserviceaccount.com" \
      --role "roles/monitoring.metricWriter"
    
  • Grant the Eventarc Event Receiver role (roles/eventarc.eventReceiver) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member "serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_NUMBER.iam.gserviceaccount.com" \
      --role "roles/eventarc.eventReceiver"
    

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • MY_SERVICE_ACCOUNT: the name of your service account.
  • PROJECT_NUMBER: the Google Cloud project number.

Cloud Storage service account role

Grant the Pub/Sub Publisher role (roles/pubsub.publisher) to the Cloud Storage service agent, the Google-managed service account that publishes the bucket's notifications (this is a different account from the trigger service account above). The service agent's address is looked up with gsutil and must be expanded into the --member flag:

SERVICE_ACCOUNT="$(gsutil kms serviceaccount -p PROJECT_ID)"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:${SERVICE_ACCOUNT}" \
    --role='roles/pubsub.publisher'

Replace PROJECT_ID with the Google Cloud project ID.

Pub/Sub topic

To receive events from third-party sources, Eventarc uses a Pub/Sub topic as the event source and delivers the messages to a GKE target.

Service account roles

  • Grant the Pub/Sub Subscriber role (roles/pubsub.subscriber) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member "serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_NUMBER.iam.gserviceaccount.com" \
      --role "roles/pubsub.subscriber"
    
  • Grant the Monitoring Metric Writer role (roles/monitoring.metricWriter) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member "serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_NUMBER.iam.gserviceaccount.com" \
      --role "roles/monitoring.metricWriter"
    

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • MY_SERVICE_ACCOUNT: the name of your service account.
  • PROJECT_NUMBER: the Google Cloud project number.
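The Cloud Audit Logs, Cloud Storage and Pub/Sub topic sections above each run the same sequence of add-iam-policy-binding commands by hand, and none of them checks afterwards that the bindings exist. The script below is an added example, not part of this documentation: it grants the role set for one source type in a loop, grants the Cloud Storage service agent its publisher role with the variable correctly expanded, and then verifies the resulting policy, flagging both missing roles and over-broad ones (roles/owner, roles/editor, roles/pubsub.admin, roles/eventarc.admin) on the trigger service account. The script name, the DRY_RUN switch, and the project and service-account values in the comments are assumptions for illustration; the gcloud and gsutil invocations are the ones used on this page plus gcloud projects get-iam-policy for the check.

```shell
#!/usr/bin/env bash
# Added example, not from the Eventarc documentation. Grants the trigger service
# account the roles listed on this page for one source type, grants the Cloud
# Storage service agent roles/pubsub.publisher, and verifies the project policy.
# Assumptions: gcloud and gsutil are installed and authenticated. With DRY_RUN=1
# the gcloud commands are printed instead of executed (useful for review).
set -eu

tab="$(printf '\t')"

# Roles the trigger service account needs, per source type, as listed on the page.
roles_for_source() {
  case "$1" in
    audit-logs|storage) printf '%s\n' roles/pubsub.subscriber roles/monitoring.metricWriter roles/eventarc.eventReceiver ;;
    pubsub)             printf '%s\n' roles/pubsub.subscriber roles/monitoring.metricWriter ;;
    *) echo "unknown source type: $1" >&2; return 1 ;;
  esac
}

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Bind each required role to MEMBER, e.g. serviceAccount:sa@PROJECT_NUMBER.iam.gserviceaccount.com.
# add-iam-policy-binding is idempotent, so re-running is safe.
grant_roles() {
  project="$1"; member="$2"; source="$3"
  for role in $(roles_for_source "$source"); do
    run gcloud projects add-iam-policy-binding "$project" --member "$member" --role "$role"
  done
}

# Cloud Storage notifications are published by the bucket's service agent, so that
# agent (not the trigger service account) needs roles/pubsub.publisher. AGENT may be
# passed in (e.g. from a saved lookup); otherwise it is looked up with gsutil.
grant_storage_publisher() {
  project="$1"; agent="${2:-}"
  [ -n "$agent" ] || agent="$(gsutil kms serviceaccount -p "$project")"
  run gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:${agent}" --role roles/pubsub.publisher
}

# Verification. Reads flattened policy lines ("<role><TAB><member>") from stdin, which is what
#   gcloud projects get-iam-policy PROJECT_ID --flatten='bindings[].members' \
#     --format='value(bindings.role,bindings.members)'
# prints. Returns 1 and names every required role that is not bound to MEMBER.
verify_roles() {
  member="$1"; source="$2"; missing=0
  lines="$(cat)"
  for role in $(roles_for_source "$source"); do
    if ! printf '%s\n' "$lines" | grep -Fqx "${role}${tab}${member}"; then
      echo "MISSING: $role for $member" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Least-privilege check on the same policy lines: a trigger service account should not
# also hold a primitive or admin role. Returns 1 and names any such role that is bound.
check_broad_roles() {
  member="$1"; found=0
  lines="$(cat)"
  for role in roles/owner roles/editor roles/pubsub.admin roles/eventarc.admin; do
    if printf '%s\n' "$lines" | grep -Fqx "${role}${tab}${member}"; then
      echo "TOO BROAD: $role for $member" >&2
      found=1
    fi
  done
  return "$found"
}

# Usage: ./grant_eventarc_roles.sh PROJECT_ID MY_SERVICE_ACCOUNT@PROJECT_NUMBER.iam.gserviceaccount.com storage
main() {
  project="$1"; sa="serviceAccount:$2"; source="$3"
  grant_roles "$project" "$sa" "$source"
  if [ "$source" = storage ]; then grant_storage_publisher "$project"; fi
  if [ "${DRY_RUN:-0}" != "1" ]; then
    policy="$(gcloud projects get-iam-policy "$project" --flatten='bindings[].members' \
      --format='value(bindings.role,bindings.members)')"
    printf '%s\n' "$policy" | verify_roles "$sa" "$source"
    printf '%s\n' "$policy" | check_broad_roles "$sa"
  fi
}

if [ "$#" -ge 3 ]; then main "$@"; fi
```

Run it once with DRY_RUN=1 to review the exact bindings it will create, then without. The verification step is the part worth keeping in CI: feed it the saved output of get-iam-policy and it will fail the build if a required role is missing or if someone has quietly added roles/editor to the trigger account. Because the check matches whole "role<TAB>member" lines, a role bound to a different principal (for example the wrong project number in the service-account address) is reported as missing rather than silently accepted.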