This document shows you how to set Identity and Access Management (IAM) roles, permissions, and flags to receive Eventarc events from Google Cloud and third-party sources, and deliver the events to authenticated or unauthenticated Cloud Run target services.
This document shows you how to do the following:
- Grant specific IAM roles to the user.
- Grant specific roles and permissions to the trigger's service account. Eventarc uses a customer-provided service account as the identity of the trigger.
- If you enabled the Pub/Sub service account on or before April 8, 2021, grant the iam.serviceAccountTokenCreator role to the Pub/Sub service account.
- If you choose to use the Google Cloud CLI, set the Cloud Run flag appropriately when you deploy container images or revisions from a source repository to Cloud Run.
For more information about access control options in Eventarc, see Access control.
Eventarc event types and roles
Eventarc supports triggers for the following event types:
- Cloud Audit Logs events: Eventarc receives events from Google Cloud sources using Cloud Audit Logs.
- Direct events: Eventarc receives direct events, such as an update to a Cloud Storage bucket, from Google Cloud sources.
- Cloud Pub/Sub events: Eventarc receives events from third-party sources using Pub/Sub notifications.
Authenticated invocations of Cloud Run
Depending on the event type, grant the appropriate IAM roles, permissions, and flags for an authenticated Cloud Run target service:
Cloud Audit Logs
To ensure that you receive events from Google Cloud sources, while delivering to an authenticated Cloud Run target:
User roles
Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=PRINCIPAL \
    --role='roles/eventarc.admin'

Replace the following values:
- PROJECT_ID: the Google Cloud project ID.
- PRINCIPAL: the principal to add the binding for, in the form user|group|serviceAccount:email or domain:domain. Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.

Grant the Service Account User role (roles/iam.serviceAccountUser) to the user on the trigger's service account. This is what allows the user to attach the service account to a trigger; because it also allows the user to act as that service account, use a dedicated, minimally privileged service account for the trigger:

gcloud iam service-accounts add-iam-policy-binding \
    SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \
    --member=PRINCIPAL \
    --role='roles/iam.serviceAccountUser'

Replace the following values:
- PROJECT_ID: the Google Cloud project ID.
- SERVICE_ACCOUNT_ID: the ID of the trigger's service account.
- PRINCIPAL: the principal to add the binding for, in the same form as above.
Trigger service account roles
Grant the Cloud Run Invoker role (roles/run.invoker) to the service account of the trigger. Bind it on the target service rather than on the project, so the trigger can invoke only that service:

gcloud run services add-iam-policy-binding SERVICE_NAME \
    --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
    --role='roles/run.invoker'

Replace the following values:
- SERVICE_NAME: name of the service that should be invoked by this trigger.
- SERVICE_ACCOUNT_USER_EMAIL: the email address for the service account.
If your gcloud configuration does not set run/region, add --region=REGION with the region of the service.

Grant the Eventarc Event Receiver role (roles/eventarc.eventReceiver) to the service account of the trigger, so that the trigger is permitted to receive events:

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
    --role='roles/eventarc.eventReceiver'

Replace SERVICE_ACCOUNT_USER_EMAIL with the email address for the service account.
Pub/Sub service account role
Eventarc delivers to Cloud Run through a Pub/Sub push subscription, and Pub/Sub authenticates each push with an identity token for the trigger's service account. Minting that token requires the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator), which is granted by default to the Pub/Sub service account.
Important: If you enabled the Pub/Sub service account on or before April 8, 2021, grant the role to the Pub/Sub service account per project:

export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"
gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com" \
    --role='roles/iam.serviceAccountTokenCreator'

If you prefer not to grant this project-wide, you can bind the same role on the trigger's service account instead, which limits the Pub/Sub service account to minting tokens for that one identity.
Cloud Run flag
Deploy the event receiver service as an authenticated Cloud Run target. The first argument to gcloud run deploy is the name of the Cloud Run service, and --no-allow-unauthenticated ensures that only principals holding roles/run.invoker on the service (such as the trigger's service account) can call it:

gcloud run deploy SERVICE_NAME \
    --image gcr.io/$(gcloud config get-value project)/IMAGE_NAME \
    --no-allow-unauthenticated

Replace the following values:
- SERVICE_NAME: the Cloud Run service name.
- IMAGE_NAME: the name of the container image to deploy.
Direct events
To ensure that you receive events directly from the source, such as an update to a Cloud Storage bucket, while delivering to an authenticated Cloud Run target:
User roles
Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=PRINCIPAL \
    --role='roles/eventarc.admin'

Replace the following values:
- PROJECT_ID: the Google Cloud project ID.
- PRINCIPAL: the principal to add the binding for, in the form user|group|serviceAccount:email or domain:domain. Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.

Grant the Service Account User role (roles/iam.serviceAccountUser) to the user on the trigger's service account. This is what allows the user to attach the service account to a trigger; because it also allows the user to act as that service account, use a dedicated, minimally privileged service account for the trigger:

gcloud iam service-accounts add-iam-policy-binding \
    SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \
    --member=PRINCIPAL \
    --role='roles/iam.serviceAccountUser'

Replace the following values:
- PROJECT_ID: the Google Cloud project ID.
- SERVICE_ACCOUNT_ID: the ID of the trigger's service account.
- PRINCIPAL: the principal to add the binding for, in the same form as above.
Cloud Storage service account role
If you are creating a trigger for a direct event from Cloud Storage, grant the Pub/Sub Publisher role (roles/pubsub.publisher) to the Cloud Storage service account, so that Cloud Storage can publish the bucket notifications the trigger consumes:

SERVICE_ACCOUNT="$(gsutil kms serviceaccount -p PROJECT_ID)"
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:${SERVICE_ACCOUNT}" \
    --role='roles/pubsub.publisher'

Replace PROJECT_ID with the Google Cloud project ID.
Trigger service account roles
Grant the Cloud Run Invoker role (roles/run.invoker) to the service account of the trigger. Bind it on the target service rather than on the project, so the trigger can invoke only that service:

gcloud run services add-iam-policy-binding SERVICE_NAME \
    --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
    --role='roles/run.invoker'

Replace the following values:
- SERVICE_NAME: name of the service that should be invoked by this trigger.
- SERVICE_ACCOUNT_USER_EMAIL: the email address for the service account.
If your gcloud configuration does not set run/region, add --region=REGION with the region of the service.

Grant the Eventarc Event Receiver role (roles/eventarc.eventReceiver) to the service account of the trigger, so that the trigger is permitted to receive events:

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
    --role='roles/eventarc.eventReceiver'

Replace SERVICE_ACCOUNT_USER_EMAIL with the email address for the service account.
Pub/Sub service account role
Eventarc delivers to Cloud Run through a Pub/Sub push subscription, and Pub/Sub authenticates each push with an identity token for the trigger's service account. Minting that token requires the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator), which is granted by default to the Pub/Sub service account.
Important: If you enabled the Pub/Sub service account on or before April 8, 2021, grant the role to the Pub/Sub service account per project:

export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"
gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com" \
    --role='roles/iam.serviceAccountTokenCreator'

If you prefer not to grant this project-wide, you can bind the same role on the trigger's service account instead, which limits the Pub/Sub service account to minting tokens for that one identity.
Cloud Run flag
Deploy the event receiver service as an authenticated Cloud Run target. The first argument to gcloud run deploy is the name of the Cloud Run service, and --no-allow-unauthenticated ensures that only principals holding roles/run.invoker on the service (such as the trigger's service account) can call it:

gcloud run deploy SERVICE_NAME \
    --image gcr.io/$(gcloud config get-value project)/IMAGE_NAME \
    --no-allow-unauthenticated

Replace the following values:
- SERVICE_NAME: the Cloud Run service name.
- IMAGE_NAME: the name of the container image to deploy.
Pub/Sub topic
To ensure that you receive events from third-party sources, while delivering to an authenticated Cloud Run target:
User roles
Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=PRINCIPAL \
    --role='roles/eventarc.admin'

Replace the following values:
- PROJECT_ID: the Google Cloud project ID.
- PRINCIPAL: the principal to add the binding for, in the form user|group|serviceAccount:email or domain:domain. Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.

Grant the Service Account User role (roles/iam.serviceAccountUser) to the user on the trigger's service account. This is what allows the user to attach the service account to a trigger; because it also allows the user to act as that service account, use a dedicated, minimally privileged service account for the trigger:

gcloud iam service-accounts add-iam-policy-binding \
    SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \
    --member=PRINCIPAL \
    --role='roles/iam.serviceAccountUser'

Replace the following values:
- PROJECT_ID: the Google Cloud project ID.
- SERVICE_ACCOUNT_ID: the ID of the trigger's service account.
- PRINCIPAL: the principal to add the binding for, in the same form as above.
Trigger service account roles
Grant the Cloud Run Invoker role (roles/run.invoker) to the service account of the trigger. Bind it on the target service rather than on the project, so the trigger can invoke only that service:

gcloud run services add-iam-policy-binding SERVICE_NAME \
    --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
    --role='roles/run.invoker'

Replace the following values:
- SERVICE_NAME: name of the service that should be invoked by this trigger.
- SERVICE_ACCOUNT_USER_EMAIL: the email address for the service account.
If your gcloud configuration does not set run/region, add --region=REGION with the region of the service.
Pub/Sub service account role
Eventarc delivers to Cloud Run through a Pub/Sub push subscription, and Pub/Sub authenticates each push with an identity token for the trigger's service account. Minting that token requires the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator), which is granted by default to the Pub/Sub service account.
Important: If you enabled the Pub/Sub service account on or before April 8, 2021, grant the role to the Pub/Sub service account per project:

export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"
gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com" \
    --role='roles/iam.serviceAccountTokenCreator'

If you prefer not to grant this project-wide, you can bind the same role on the trigger's service account instead, which limits the Pub/Sub service account to minting tokens for that one identity.
Cloud Run flag
Deploy the event receiver service as an authenticated Cloud Run target. The first argument to gcloud run deploy is the name of the Cloud Run service, and --no-allow-unauthenticated ensures that only principals holding roles/run.invoker on the service (such as the trigger's service account) can call it:

gcloud run deploy SERVICE_NAME \
    --image gcr.io/$(gcloud config get-value project)/IMAGE_NAME \
    --no-allow-unauthenticated

Replace the following values:
- SERVICE_NAME: the Cloud Run service name.
- IMAGE_NAME: the name of the container image to deploy.
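The three authenticated tabs above (Cloud Audit Logs, Direct events, Pub/Sub topic) share the same trigger-side steps: Cloud Run Invoker and Event Receiver for the trigger's service account, Token Creator for the Pub/Sub service account, the Cloud Storage publisher grant for direct events, and a deploy that requires authentication. The script below is an added example, not code from the original page or from Google, that performs those steps for one project with a dedicated trigger service account and then checks the invoker bindings that actually ended up on the service. The project, region, service, image, and service account names are placeholders (assumptions); the policy query with --flatten/--filter and the choice to bind Token Creator on the service account rather than project-wide are this example's additions, and the one-time user-role grants from the User roles section are left out. By default the script only prints the gcloud commands it would run; set APPLY=1 to execute them.

```sh
#!/bin/sh
# Added example, not code from the original page: the trigger-side setup for an
# authenticated Cloud Run event receiver, plus a post-deploy check that the
# service is invokable by the trigger's service account and by nobody public.
# All values below are placeholders (assumptions); override them in the environment.
# The script prints the gcloud commands it would run; set APPLY=1 to execute them.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
REGION="${REGION:-us-central1}"
SERVICE="${SERVICE:-event-receiver}"
IMAGE="${IMAGE:-gcr.io/${PROJECT_ID}/event-receiver}"
TRIGGER_SA_NAME="${TRIGGER_SA_NAME:-eventarc-trigger}"
TRIGGER_SA="${TRIGGER_SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
WITH_GCS="${WITH_GCS:-0}"   # 1 for a Cloud Storage direct-event trigger
APPLY="${APPLY:-0}"

# Execute a command when APPLY=1; otherwise print it as the plan.
run() {
  if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Look a value up with gcloud when applying; print a placeholder name otherwise.
resolve() {
  placeholder="$1"; shift
  if [ "$APPLY" = "1" ]; then "$@"; else printf '%s' "$placeholder"; fi
}

# A dedicated identity for the trigger instead of the default compute service
# account. (Creation is not idempotent: drop this step when re-running.)
create_trigger_sa() {
  run gcloud iam service-accounts create "$TRIGGER_SA_NAME" \
      --project="$PROJECT_ID" --display-name="Eventarc trigger identity"
}

# Invoker on this one service only, plus the permission to receive events.
grant_trigger_sa_roles() {
  run gcloud run services add-iam-policy-binding "$SERVICE" \
      --project="$PROJECT_ID" --region="$REGION" \
      --member="serviceAccount:${TRIGGER_SA}" --role='roles/run.invoker'
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${TRIGGER_SA}" --role='roles/eventarc.eventReceiver'
}

# Let the Pub/Sub service account mint identity tokens for the trigger SA. Bound
# on the service account itself, which is tighter than the project-wide grant.
grant_pubsub_token_creator() {
  project_number="$(resolve PROJECT_NUMBER gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')"
  run gcloud iam service-accounts add-iam-policy-binding "$TRIGGER_SA" \
      --project="$PROJECT_ID" \
      --member="serviceAccount:service-${project_number}@gcp-sa-pubsub.iam.gserviceaccount.com" \
      --role='roles/iam.serviceAccountTokenCreator'
}

# Cloud Storage direct events: the Cloud Storage service account must be able to publish.
grant_gcs_publisher() {
  gcs_agent="$(resolve GCS_SERVICE_AGENT gsutil kms serviceaccount -p "$PROJECT_ID")"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${gcs_agent}" --role='roles/pubsub.publisher'
}

# Deploy with authentication required, stated explicitly rather than left to a prompt.
deploy_service() {
  run gcloud run deploy "$SERVICE" --project="$PROJECT_ID" --region="$REGION" \
      --image="$IMAGE" --no-allow-unauthenticated
}

# Members currently holding roles/run.invoker on the service, one per line.
invokers() {
  gcloud run services get-iam-policy "$SERVICE" --project="$PROJECT_ID" --region="$REGION" \
      --flatten='bindings[].members' --filter='bindings.role=roles/run.invoker' \
      --format='value(bindings.members)'
}

# Pure check over an invoker list: succeed only if the trigger SA is an invoker
# and neither allUsers nor allAuthenticatedUsers is.
check_invokers() {
  members="$1"; ok=0
  printf '%s\n' "$members" | grep -qxF "serviceAccount:${TRIGGER_SA}" \
    || { echo "FAIL: ${TRIGGER_SA} does not hold roles/run.invoker on ${SERVICE}" >&2; ok=1; }
  if printf '%s\n' "$members" | grep -qxE 'allUsers|allAuthenticatedUsers'; then
    echo "FAIL: ${SERVICE} is publicly invokable" >&2; ok=1
  fi
  return "$ok"
}

main() {
  create_trigger_sa
  grant_trigger_sa_roles
  grant_pubsub_token_creator
  if [ "$WITH_GCS" = "1" ]; then grant_gcs_publisher; fi
  deploy_service
  if [ "$APPLY" = "1" ]; then check_invokers "$(invokers)"; fi
}

main
```

Run it once without APPLY to review the plan, then with APPLY=1 (and WITH_GCS=1 for a Cloud Storage trigger). The final check is the part worth keeping in a pipeline: it fails if anyone granted allUsers on the receiver, or if the invoker binding for the trigger's service account was dropped.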
Unauthenticated invocations of Cloud Run
Depending on the event type, grant the appropriate IAM roles, permissions, and flags for an unauthenticated Cloud Run target service:
Cloud Audit Logs
To ensure that you receive events from Google Cloud sources, while delivering to an unauthenticated Cloud Run target:
User roles
Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=PRINCIPAL \
    --role='roles/eventarc.admin'

Replace the following values:
- PROJECT_ID: the Google Cloud project ID.
- PRINCIPAL: the principal to add the binding for, in the form user|group|serviceAccount:email or domain:domain. Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.

Grant the Service Account User role (roles/iam.serviceAccountUser) to the user on the trigger's service account. This is what allows the user to attach the service account to a trigger; because it also allows the user to act as that service account, use a dedicated, minimally privileged service account for the trigger:

gcloud iam service-accounts add-iam-policy-binding \
    SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \
    --member=PRINCIPAL \
    --role='roles/iam.serviceAccountUser'

Replace the following values:
- PROJECT_ID: the Google Cloud project ID.
- SERVICE_ACCOUNT_ID: the ID of the trigger's service account.
- PRINCIPAL: the principal to add the binding for, in the same form as above.
Trigger service account roles
Grant the Eventarc Event Receiver role (roles/eventarc.eventReceiver) to the service account of the trigger, so that the trigger is permitted to receive events. No Cloud Run Invoker binding is needed here because the target allows unauthenticated invocations:

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
    --role='roles/eventarc.eventReceiver'

Replace SERVICE_ACCOUNT_USER_EMAIL with the email address for the service account.
Pub/Sub service account role
Eventarc delivers to Cloud Run through a Pub/Sub push subscription, and Pub/Sub authenticates each push with an identity token for the trigger's service account. Minting that token requires the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator), which is granted by default to the Pub/Sub service account.
Important: If you enabled the Pub/Sub service account on or before April 8, 2021, grant the role to the Pub/Sub service account per project:

export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"
gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com" \
    --role='roles/iam.serviceAccountTokenCreator'

If you prefer not to grant this project-wide, you can bind the same role on the trigger's service account instead, which limits the Pub/Sub service account to minting tokens for that one identity.
Cloud Run flag
Deploy the event receiver service as an unauthenticated Cloud Run target. The first argument to gcloud run deploy is the name of the Cloud Run service. --allow-unauthenticated grants roles/run.invoker to allUsers, which is why the trigger's service account needs no invoker binding in this configuration; it also means that anyone who can reach the service URL can send it requests, so the service must not treat the arrival of a request as proof that it came from Eventarc:

gcloud run deploy SERVICE_NAME \
    --image gcr.io/$(gcloud config get-value project)/IMAGE_NAME \
    --allow-unauthenticated

Replace the following values:
- SERVICE_NAME: the Cloud Run service name.
- IMAGE_NAME: the name of the container image to deploy.
Direct events
To ensure that you receive events directly from the source, such as an update to a Cloud Storage bucket, while delivering to an unauthenticated Cloud Run target:
User roles
Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=PRINCIPAL \
    --role='roles/eventarc.admin'

Replace the following values:
- PROJECT_ID: the Google Cloud project ID.
- PRINCIPAL: the principal to add the binding for, in the form user|group|serviceAccount:email or domain:domain. Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.

Grant the Service Account User role (roles/iam.serviceAccountUser) to the user on the trigger's service account. This is what allows the user to attach the service account to a trigger; because it also allows the user to act as that service account, use a dedicated, minimally privileged service account for the trigger:

gcloud iam service-accounts add-iam-policy-binding \
    SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \
    --member=PRINCIPAL \
    --role='roles/iam.serviceAccountUser'

Replace the following values:
- PROJECT_ID: the Google Cloud project ID.
- SERVICE_ACCOUNT_ID: the ID of the trigger's service account.
- PRINCIPAL: the principal to add the binding for, in the same form as above.
Cloud Storage service account role
If you are creating a trigger for a direct event from Cloud Storage, grant the Pub/Sub Publisher role (roles/pubsub.publisher) to the Cloud Storage service account, so that Cloud Storage can publish the bucket notifications the trigger consumes:

SERVICE_ACCOUNT="$(gsutil kms serviceaccount -p PROJECT_ID)"
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:${SERVICE_ACCOUNT}" \
    --role='roles/pubsub.publisher'

Replace PROJECT_ID with the Google Cloud project ID.
Trigger service account roles
Grant the Eventarc Event Receiver role (roles/eventarc.eventReceiver) to the service account of the trigger, so that the trigger is permitted to receive events. No Cloud Run Invoker binding is needed here because the target allows unauthenticated invocations:

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
    --role='roles/eventarc.eventReceiver'

Replace SERVICE_ACCOUNT_USER_EMAIL with the email address for the service account.
Pub/Sub service account role
Eventarc delivers to Cloud Run through a Pub/Sub push subscription, and Pub/Sub authenticates each push with an identity token for the trigger's service account. Minting that token requires the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator), which is granted by default to the Pub/Sub service account.
Important: If you enabled the Pub/Sub service account on or before April 8, 2021, grant the role to the Pub/Sub service account per project:

export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"
gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com" \
    --role='roles/iam.serviceAccountTokenCreator'

If you prefer not to grant this project-wide, you can bind the same role on the trigger's service account instead, which limits the Pub/Sub service account to minting tokens for that one identity.
Cloud Run flag
Deploy the event receiver service as an unauthenticated Cloud Run target. The first argument to gcloud run deploy is the name of the Cloud Run service. --allow-unauthenticated grants roles/run.invoker to allUsers, which is why the trigger's service account needs no invoker binding in this configuration; it also means that anyone who can reach the service URL can send it requests, so the service must not treat the arrival of a request as proof that it came from Eventarc:

gcloud run deploy SERVICE_NAME \
    --image gcr.io/$(gcloud config get-value project)/IMAGE_NAME \
    --allow-unauthenticated

Replace the following values:
- SERVICE_NAME: the Cloud Run service name.
- IMAGE_NAME: the name of the container image to deploy.
Pub/Sub topic
To ensure that you receive events from third-party sources, while delivering to an unauthenticated Cloud Run target:
User roles
Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=PRINCIPAL \
    --role='roles/eventarc.admin'

Replace the following values:
- PROJECT_ID: the Google Cloud project ID.
- PRINCIPAL: the principal to add the binding for, in the form user|group|serviceAccount:email or domain:domain. Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.
Trigger service account roles
N/A. Because the target allows unauthenticated invocations, the trigger's service account needs no Cloud Run Invoker binding for this configuration.
Pub/Sub service account role
Eventarc delivers to Cloud Run through a Pub/Sub push subscription, and Pub/Sub authenticates each push with an identity token for the trigger's service account. Minting that token requires the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator), which is granted by default to the Pub/Sub service account.
Important: If you enabled the Pub/Sub service account on or before April 8, 2021, grant the role to the Pub/Sub service account per project:

export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"
gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com" \
    --role='roles/iam.serviceAccountTokenCreator'

If you prefer not to grant this project-wide, you can bind the same role on the trigger's service account instead, which limits the Pub/Sub service account to minting tokens for that one identity.
Cloud Run flag
Deploy the event receiver service as an unauthenticated Cloud Run target. The first argument to gcloud run deploy is the name of the Cloud Run service. --allow-unauthenticated grants roles/run.invoker to allUsers, which is why the trigger's service account needs no invoker binding in this configuration; it also means that anyone who can reach the service URL can send it requests, so the service must not treat the arrival of a request as proof that it came from Eventarc:

gcloud run deploy SERVICE_NAME \
    --image gcr.io/$(gcloud config get-value project)/IMAGE_NAME \
    --allow-unauthenticated

Replace the following values:
- SERVICE_NAME: the Cloud Run service name.
- IMAGE_NAME: the name of the container image to deploy.
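An unauthenticated target is reachable by anyone, so before relying on the three unauthenticated configurations above it is worth knowing which triggers in a project already deliver to such a service. The script below is an added example, not code from the original page or from Google, that lists the Cloud Run services in one region, reads their invoker bindings, and reports the Eventarc triggers whose destination service has allUsers or allAuthenticatedUsers as an invoker. PROJECT_ID and REGION are placeholders (assumptions), and the --flatten/--filter policy query and the --format field names are this example's choices. The two pure functions take their input as text so the matching logic can be checked offline on constructed data, which the usage note below does.

```sh
#!/bin/sh
# Added example, not code from the original page: find Eventarc triggers whose
# Cloud Run destination is publicly invokable (allUsers or allAuthenticatedUsers
# holds roles/run.invoker), i.e. receivers that must validate every request
# themselves. PROJECT_ID and REGION are placeholders (assumptions).
# Usage: sh audit_public_targets.sh --run   (without --run, only functions are defined)
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
REGION="${REGION:-us-central1}"

# Live lookups against gcloud.
list_services() {
  gcloud run services list --project="$PROJECT_ID" --region="$REGION" \
      --format='value(metadata.name)'
}
service_invokers() {   # $1 = service; prints "SERVICE<TAB>MEMBER" per invoker
  gcloud run services get-iam-policy "$1" --project="$PROJECT_ID" --region="$REGION" \
      --flatten='bindings[].members' --filter='bindings.role=roles/run.invoker' \
      --format='value(bindings.members)' | awk -v s="$1" '{ print s "\t" $0 }'
}
list_triggers() {      # prints "TRIGGER<TAB>DESTINATION_SERVICE" per trigger
  gcloud eventarc triggers list --project="$PROJECT_ID" --location="$REGION" \
      --format='value(name,destination.cloudRun.service)'
}

# Pure: from "SERVICE<TAB>MEMBER" lines on stdin, print each service that has a
# public invoker, sorted and de-duplicated.
public_services() {
  awk -F'\t' '$2 == "allUsers" || $2 == "allAuthenticatedUsers" { print $1 }' | sort -u
}

# Pure: $1 = public service names (newline-separated), $2 = "TRIGGER<TAB>SERVICE"
# lines; print the "TRIGGER<TAB>SERVICE" lines whose service is public, in input order.
triggers_to_public() {
  {
    printf '%s\n' "$1" | awk '{ print "P\t" $0 }'
    printf '%s\n' "$2" | awk '{ print "T\t" $0 }'
  } | awk -F'\t' '
      $1 == "P" && $2 != "" { pub[$2] = 1; next }
      $1 == "T" && ($3 in pub) { print $2 "\t" $3 }'
}

# Tie the lookups together; exit non-zero when any trigger hits a public service.
audit() {
  pairs=""
  for svc in $(list_services); do
    pairs="${pairs}$(service_invokers "$svc")
"
  done
  public="$(printf '%s' "$pairs" | public_services)"
  result="$(triggers_to_public "$public" "$(list_triggers)")"
  if [ -n "$result" ]; then
    printf 'Triggers delivering to publicly invokable services:\n%s\n' "$result"
    return 1
  fi
  echo "No Eventarc trigger targets a publicly invokable service."
}

if [ "${1:-}" = "--run" ]; then audit; fi
```

The non-zero exit from audit makes it usable as a CI gate; a trigger that is expected to hit a public service should then be documented as an exception rather than silently allowed, since that service has to do its own request validation.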