Eventarc roles and permissions

This document shows you how to set Identity and Access Management (IAM) roles, permissions, and flags to receive Eventarc events from Google Cloud and third-party sources and deliver the events to authenticated or unauthenticated Cloud Run target services.

Specifically, it shows you how to do the following:

  • Grant specific IAM roles to the user.
  • Grant specific roles and permissions to the trigger's service account. Eventarc uses a customer-provided service account as the identity of the trigger.
  • If you enabled the Pub/Sub service account on or before April 8, 2021, grant the iam.serviceAccountTokenCreator role to the Pub/Sub service account.
  • If you choose to use the gcloud command-line tool, set the Cloud Run flag appropriately when you deploy container images or revisions from a source repository to Cloud Run.

For more information about access control options in Eventarc, see Access control.

Eventarc trigger types and roles

Eventarc supports the following trigger types:

  • Cloud Audit Logs triggers: To receive events from Google Cloud sources, Eventarc uses Cloud Audit Logs.
  • Cloud Pub/Sub triggers: To receive events from third-party sources, Eventarc uses Pub/Sub notifications.
The roles each principal needs depend on the trigger type and on whether the Cloud Run target requires authentication:

Authenticated invocations of Cloud Run:

  Cloud Audit Logs trigger
    • User: roles/eventarc.admin, roles/iam.serviceAccountUser
    • Trigger service account: roles/run.invoker, roles/eventarc.eventReceiver
    • Pub/Sub service account: roles/iam.serviceAccountTokenCreator
    • Cloud Run flag: not applicable

  Pub/Sub trigger
    • User: roles/eventarc.admin, roles/iam.serviceAccountUser
    • Trigger service account: roles/run.invoker
    • Pub/Sub service account: roles/iam.serviceAccountTokenCreator
    • Cloud Run flag: not applicable

Unauthenticated invocations of Cloud Run:

  Cloud Audit Logs trigger
    • User: roles/eventarc.admin, roles/iam.serviceAccountUser
    • Trigger service account: roles/eventarc.eventReceiver
    • Pub/Sub service account: roles/iam.serviceAccountTokenCreator
    • Cloud Run flag: --allow-unauthenticated

  Pub/Sub trigger
    • User: roles/eventarc.admin
    • Trigger service account: not applicable
    • Pub/Sub service account: roles/iam.serviceAccountTokenCreator
    • Cloud Run flag: --allow-unauthenticated
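
As an added example that is not part of the Eventarc documentation, the following Python script checks IAM policies against the combinations above. It takes the project policy, the Cloud Run service policy and the trigger service account policy as dictionaries in the JSON shape that gcloud ... get-iam-policy --format=json returns, reports bindings that are missing, flags allUsers or allAuthenticatedUsers as invokers of a target that is supposed to be authenticated, and lists project-level roles the trigger service account holds beyond what it needs. The trigger type names "audit-logs" and "pubsub", the function names, and the sample project number, user and service account are assumptions made for the example; the sample policies are constructed to show a misconfigured deployment.

```python
"""Audit the IAM bindings an Eventarc trigger needs (added example, not Google's code).

Policies are plain dicts of the shape `gcloud ... get-iam-policy --format=json`
returns: {"bindings": [{"role": ..., "members": [...]}, ...]}.
"""
import json
import subprocess

# Pub/Sub service agent; it mints the OIDC token used for push delivery.
PUBSUB_SA = "serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"


def required_bindings(trigger_type, authenticated, user, trigger_sa, project_number):
    """Required (member, role) pairs per policy, following the roles table.

    trigger_type is "audit-logs" or "pubsub" (names assumed for this example);
    user and trigger_sa are e-mail addresses.
    """
    if trigger_type not in ("audit-logs", "pubsub"):
        raise ValueError(f"unknown trigger type {trigger_type!r}")
    user_m = f"user:{user}"
    sa_m = f"serviceAccount:{trigger_sa}"
    project = {
        (user_m, "roles/eventarc.admin"),
        (PUBSUB_SA.format(project_number=project_number), "roles/iam.serviceAccountTokenCreator"),
    }
    run_service, trigger_sa_policy = set(), set()
    if trigger_type == "audit-logs":
        project.add((sa_m, "roles/eventarc.eventReceiver"))
    if authenticated:
        run_service.add((sa_m, "roles/run.invoker"))
    if trigger_type == "audit-logs" or authenticated:
        # Every case that uses a trigger service account needs the user to act as it.
        trigger_sa_policy.add((user_m, "roles/iam.serviceAccountUser"))
    return {"project": project, "run_service": run_service, "trigger_sa": trigger_sa_policy}


def bindings_of(policy):
    """Flatten a policy into (member, role) pairs."""
    return {(m, b["role"]) for b in policy.get("bindings", []) for m in b.get("members", [])}


def audit(policies, trigger_type, authenticated, user, trigger_sa, project_number):
    """Compare the given policies with the required set; returns a report dict."""
    required = required_bindings(trigger_type, authenticated, user, trigger_sa, project_number)
    report = {"missing": [], "public_invokers": [], "excess_trigger_sa_roles": []}
    for name, req in required.items():
        for member, role in sorted(req - bindings_of(policies.get(name, {}))):
            report["missing"].append((name, member, role))
    # An authenticated target must not be invokable by everyone.
    invokers = {m for m, r in bindings_of(policies.get("run_service", {})) if r == "roles/run.invoker"}
    if authenticated:
        report["public_invokers"] = sorted(invokers & {"allUsers", "allAuthenticatedUsers"})
    # Least privilege: at project level the trigger SA needs nothing beyond eventReceiver.
    sa_m = f"serviceAccount:{trigger_sa}"
    allowed = {r for m, r in required["project"] if m == sa_m}
    report["excess_trigger_sa_roles"] = sorted(
        r for m, r in bindings_of(policies.get("project", {})) if m == sa_m and r not in allowed)
    report["ok"] = not (report["missing"] or report["public_invokers"])
    return report


def fetch_policies(project, run_service, region, trigger_sa):
    """Pull the three policies with gcloud (not exercised by the offline sample below)."""
    def gcloud(*args):
        return json.loads(subprocess.check_output(["gcloud", *args, "--format=json"]))
    return {
        "project": gcloud("projects", "get-iam-policy", project),
        "run_service": gcloud("run", "services", "get-iam-policy", run_service, "--region", region),
        "trigger_sa": gcloud("iam", "service-accounts", "get-iam-policy", trigger_sa),
    }


# Constructed sample: a misconfigured authenticated Cloud Audit Logs setup.
SAMPLE_PROJECT_NUMBER = "123456789012"
SAMPLE_USER = "alice@example.com"
SAMPLE_SA = "eventarc-trigger@my-project.iam.gserviceaccount.com"
SAMPLE_POLICIES = {
    "project": {"bindings": [
        {"role": "roles/eventarc.admin", "members": [f"user:{SAMPLE_USER}"]},
        {"role": "roles/eventarc.eventReceiver", "members": [f"serviceAccount:{SAMPLE_SA}"]},
        {"role": "roles/editor", "members": [f"serviceAccount:{SAMPLE_SA}"]},  # over-privileged
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": [PUBSUB_SA.format(project_number=SAMPLE_PROJECT_NUMBER)]},
    ]},
    "run_service": {"bindings": [
        {"role": "roles/run.invoker", "members": ["allUsers"]},  # public, trigger SA not bound
    ]},
    "trigger_sa": {"bindings": []},  # the user cannot act as the trigger SA
}


def audit_sample():
    """Audit the constructed sample as an authenticated Cloud Audit Logs setup."""
    return audit(SAMPLE_POLICIES, "audit-logs", True, SAMPLE_USER, SAMPLE_SA, SAMPLE_PROJECT_NUMBER)


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

Running the script prints the report for the constructed sample: two missing bindings (run.invoker for the trigger service account on the service, iam.serviceAccountUser for the user on the service account), allUsers as a public invoker, and roles/editor as an excess project role. Replace SAMPLE_POLICIES with the output of fetch_policies to audit a real project.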

Authenticated invocations of Cloud Run

Cloud audit logs

To receive events from Google Cloud sources and deliver them to an authenticated Cloud Run target, grant the following:

User roles

eventarc.admin

Grant the following IAM role to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="user:USER_EMAIL" \
  --role='roles/eventarc.admin'

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • USER_EMAIL: the email address for the user, for example test-user@gmail.com. The user: prefix in --member names the principal type; to grant the role to another kind of principal, replace the whole --member value, for example group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.

iam.serviceAccountUser

Grant the following IAM role to the user:

gcloud iam service-accounts add-iam-policy-binding \
  SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \
  --member="user:USER_EMAIL" \
  --role="roles/iam.serviceAccountUser"

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • SERVICE_ACCOUNT_ID: the ID of the trigger's service account.
  • USER_EMAIL: the email address for the user, for example test-user@gmail.com. The user: prefix in --member names the principal type; to grant the role to another kind of principal, replace the whole --member value, for example group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.

Binding this role on the individual service account, as shown, lets the user act as that one account only; granting roles/iam.serviceAccountUser at project level would let the user act as every service account in the project.

Trigger service account roles

run.invoker

Grant the following IAM role to the service account of the trigger, on the Cloud Run service that receives the events:

gcloud run services add-iam-policy-binding SERVICE_NAME \
  --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
  --role='roles/run.invoker'

Replace the following values:

  • SERVICE_NAME: the name of the Cloud Run service that receives the events. If your gcloud configuration does not set a default run/region, add --region=REGION.
  • SERVICE_ACCOUNT_USER_EMAIL: the email address of the trigger's service account.

Binding the role on the service rather than on the project limits the service account to invoking this one service.

eventarc.eventReceiver

Grant the following IAM role to the service account of the trigger:

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
  --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
  --role='roles/eventarc.eventReceiver'

Replace SERVICE_ACCOUNT_USER_EMAIL with the email address for the service account.

Pub/Sub service account role

iam.serviceAccountTokenCreator

This role is granted by default to the Pub/Sub service account. Eventarc delivers events through a Pub/Sub push subscription, and Pub/Sub uses this role to mint the OpenID Connect identity token for the trigger's service account that it attaches to each push request; without it, an authenticated Cloud Run target rejects the delivery.

Important: If you enabled the Pub/Sub service account on or before April 8, 2021, grant the following role to the Pub/Sub service account in each project:

export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com" \
    --role='roles/iam.serviceAccountTokenCreator'

Cloud Run flag

Deploy the event receiver service as an authenticated Cloud Run target. Omitting --allow-unauthenticated leaves the service callable only by principals that hold roles/run.invoker on it, such as the trigger's service account; to make this explicit in a script, pass --no-allow-unauthenticated.

gcloud run deploy SERVICE_NAME \
  --image gcr.io/$(gcloud config get-value project)/helloworld-events

Replace SERVICE_NAME with the name of the Cloud Run service that receives the events.

Pub/Sub

To receive events from third-party sources and deliver them to an authenticated Cloud Run target, grant the following:

User roles

eventarc.admin

Grant the following IAM role to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="user:USER_EMAIL" \
  --role='roles/eventarc.admin'

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • USER_EMAIL: the email address for the user, for example test-user@gmail.com. The user: prefix in --member names the principal type; to grant the role to another kind of principal, replace the whole --member value, for example group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.

iam.serviceAccountUser

Grant the following IAM role to the user:

gcloud iam service-accounts add-iam-policy-binding \
  SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \
  --member="user:USER_EMAIL" \
  --role="roles/iam.serviceAccountUser"

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • SERVICE_ACCOUNT_ID: the ID of the trigger's service account.
  • USER_EMAIL: the email address for the user, for example test-user@gmail.com. The user: prefix in --member names the principal type; to grant the role to another kind of principal, replace the whole --member value, for example group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.

Trigger service account roles

run.invoker

Grant the following IAM role to the service account of the trigger, on the Cloud Run service that receives the events:

gcloud run services add-iam-policy-binding SERVICE_NAME \
  --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
  --role='roles/run.invoker'

Replace the following values:

  • SERVICE_NAME: the name of the Cloud Run service that receives the events. If your gcloud configuration does not set a default run/region, add --region=REGION.
  • SERVICE_ACCOUNT_USER_EMAIL: the email address of the trigger's service account.

Pub/Sub service account role

iam.serviceAccountTokenCreator

This role is granted by default to the Pub/Sub service account.

Important: If you enabled the Pub/Sub service account on or before April 8, 2021, grant the following role to the Pub/Sub service account per project.

export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com" \
    --role='roles/iam.serviceAccountTokenCreator'

Cloud Run flag

Deploy the event receiver service as an authenticated Cloud Run target. Omitting --allow-unauthenticated leaves the service callable only by principals that hold roles/run.invoker on it, such as the trigger's service account; to make this explicit in a script, pass --no-allow-unauthenticated.

gcloud run deploy SERVICE_NAME \
  --image gcr.io/$(gcloud config get-value project)/helloworld-events

Replace SERVICE_NAME with the name of the Cloud Run service that receives the events.

Unauthenticated invocations of Cloud Run

An unauthenticated target is deployed with --allow-unauthenticated, which grants roles/run.invoker to allUsers. The trigger then needs no run.invoker binding, but the service URL is reachable by any client on the internet, so the service cannot assume that a request came from Eventarc and must validate every request it receives.

Cloud audit logs

To receive events from Google Cloud sources and deliver them to an unauthenticated Cloud Run target, grant the following:

User roles

eventarc.admin

Grant the following IAM role to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="user:USER_EMAIL" \
  --role='roles/eventarc.admin'

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • USER_EMAIL: the email address for the user, for example test-user@gmail.com. The user: prefix in --member names the principal type; to grant the role to another kind of principal, replace the whole --member value, for example group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.

iam.serviceAccountUser

Grant the following IAM role to the user:

gcloud iam service-accounts add-iam-policy-binding \
  SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \
  --member="user:USER_EMAIL" \
  --role="roles/iam.serviceAccountUser"

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • SERVICE_ACCOUNT_ID: the ID of the trigger's service account.
  • USER_EMAIL: the email address for the user, for example test-user@gmail.com. The user: prefix in --member names the principal type; to grant the role to another kind of principal, replace the whole --member value, for example group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.

Trigger service account roles

eventarc.eventReceiver

Grant the following IAM role to the service account of the trigger:

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
  --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
  --role='roles/eventarc.eventReceiver'

Replace SERVICE_ACCOUNT_USER_EMAIL with the email address for the service account.

Pub/Sub service account role

iam.serviceAccountTokenCreator

This role is granted by default to the Pub/Sub service account.

Important: If you enabled the Pub/Sub service account on or before April 8, 2021, grant the following role to the Pub/Sub service account per project.

export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com" \
    --role='roles/iam.serviceAccountTokenCreator'

Cloud Run flag

Deploy the event receiver service as an unauthenticated Cloud Run target. The --allow-unauthenticated flag grants roles/run.invoker to allUsers, so the service accepts requests from any client, not only from Eventarc:

gcloud run deploy SERVICE_NAME \
  --image gcr.io/$(gcloud config get-value project)/helloworld-events \
  --allow-unauthenticated

Replace SERVICE_NAME with the name of the Cloud Run service that receives the events.

Pub/Sub

To receive events from third-party sources and deliver them to an unauthenticated Cloud Run target, grant the following:

User roles

eventarc.admin

Grant the following IAM role to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="user:USER_EMAIL" \
  --role='roles/eventarc.admin'

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • USER_EMAIL: the email address for the user, for example test-user@gmail.com. The user: prefix in --member names the principal type; to grant the role to another kind of principal, replace the whole --member value, for example group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.

Trigger service account roles

Not applicable. An unauthenticated Pub/Sub target is invoked without an identity token, so no trigger service account role is needed and the user does not need roles/iam.serviceAccountUser.

Pub/Sub service account role

iam.serviceAccountTokenCreator

This role is granted by default to the Pub/Sub service account.

Important: If you enabled the Pub/Sub service account on or before April 8, 2021, grant the following role to the Pub/Sub service account per project.

export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com" \
    --role='roles/iam.serviceAccountTokenCreator'

Cloud Run flag

Deploy the event receiver service as an unauthenticated Cloud Run target. The --allow-unauthenticated flag grants roles/run.invoker to allUsers, so the service accepts requests from any client, not only from Eventarc:

gcloud run deploy SERVICE_NAME \
  --image gcr.io/$(gcloud config get-value project)/helloworld-events \
  --allow-unauthenticated

Replace SERVICE_NAME with the name of the Cloud Run service that receives the events.