Roles and permissions for Workflows

This document shows you how to grant Identity and Access Management (IAM) roles to service accounts so that Eventarc can receive events from Google Cloud and third-party sources, and deliver the events to a target workflow.

For more information about access control options in Eventarc, see Access control.

Required IAM roles

Grant the appropriate roles to the service accounts.

Cloud Audit Logs

You can execute a workflow using an Eventarc trigger that routes events from Google Cloud sources using Cloud Audit Logs.

User role

Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=PRINCIPAL \
    --role="roles/eventarc.admin"

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • PRINCIPAL: the principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com

Service account roles

  1. Grant the Workflows invoker role (roles/workflows.invoker) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com" \
      --role="roles/workflows.invoker"
    
  2. Grant the Eventarc Event Receiver role (roles/eventarc.eventReceiver) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com" \
      --role="roles/eventarc.eventReceiver"
    

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • MY_SERVICE_ACCOUNT: the name of your service account.

Direct events

You can execute a workflow using an Eventarc trigger that routes direct events such as an update to a Cloud Storage bucket.

User role

Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=PRINCIPAL \
    --role="roles/eventarc.admin"

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • PRINCIPAL: the principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com

Service account roles

  1. Grant the Workflows invoker role (roles/workflows.invoker) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com" \
      --role="roles/workflows.invoker"
    
  2. Grant the Eventarc Event Receiver role (roles/eventarc.eventReceiver) to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com" \
      --role="roles/eventarc.eventReceiver"
    

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • MY_SERVICE_ACCOUNT: the name of your service account.

Cloud Storage service account role

If you are creating a trigger for a direct Cloud Storage event (as opposed to other direct events), grant the Pub/Sub Publisher role (roles/pubsub.publisher) to the Cloud Storage service account:

SERVICE_ACCOUNT="$(gsutil kms serviceaccount -p PROJECT_ID)"

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:${SERVICE_ACCOUNT}" \
  --role="roles/pubsub.publisher"

Replace PROJECT_ID with the Google Cloud project ID.

Pub/Sub topic

You can execute a workflow using an Eventarc trigger that routes events from third-party sources using Pub/Sub notifications.

User role

Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=PRINCIPAL \
    --role="roles/eventarc.admin"

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • PRINCIPAL: the principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com

Service account roles

Grant the Workflows invoker role (roles/workflows.invoker) to the service account:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/workflows.invoker"

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • MY_SERVICE_ACCOUNT: the name of your service account.
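The grants above all land in the project IAM policy, so the natural follow-up check is to read that policy back and confirm the trigger's service account holds exactly the roles each trigger type needs and nothing broader. The script below is an added example, not part of the Eventarc documentation: it audits a policy in the JSON shape `gcloud projects get-iam-policy PROJECT_ID --format=json` returns, reports missing required roles and basic roles (roles/owner, roles/editor) that violate least privilege, and prints the `add-iam-policy-binding` commands that would close the gap. The project ID `my-project`, the service account name `wf-trigger` and the embedded policy are constructed sample values.

```python
import json

# Roles this page requires on the trigger's service account, per trigger type.
REQUIRED_ROLES = {
    "cloud-audit-logs": {"roles/workflows.invoker", "roles/eventarc.eventReceiver"},
    "direct": {"roles/workflows.invoker", "roles/eventarc.eventReceiver"},
    "pubsub": {"roles/workflows.invoker"},
}
# Basic roles far broader than a trigger service account needs (least privilege).
OVERLY_BROAD = {"roles/owner", "roles/editor"}


def roles_for_member(policy, member):
    """Set of roles bound to `member` in a policy dict (get-iam-policy JSON)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_member(policy, project_id, member, required):
    """Report missing required roles, overly broad roles, and the gcloud fixes."""
    held = roles_for_member(policy, member)
    missing = sorted(required - held)
    fixes = [
        f'gcloud projects add-iam-policy-binding {project_id} '
        f'--member="{member}" --role="{role}"'
        for role in missing
    ]
    return {"missing": missing, "overly_broad": sorted(held & OVERLY_BROAD), "fix_commands": fixes}


def audit_trigger_sa(policy, project_id, sa_name, trigger_type):
    """Audit the service account an Eventarc trigger runs as, for one trigger type."""
    member = f"serviceAccount:{sa_name}@{project_id}.iam.gserviceaccount.com"
    return audit_member(policy, project_id, member, REQUIRED_ROLES[trigger_type])


# Constructed sample policy: the invoker role is present, eventReceiver is
# missing, and the account also carries roles/editor.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/workflows.invoker",
     "members": ["serviceAccount:wf-trigger@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:wf-trigger@my-project.iam.gserviceaccount.com"]}
  ],
  "etag": "constructed",
  "version": 1
}""")

if __name__ == "__main__":
    print(json.dumps(audit_trigger_sa(SAMPLE_POLICY, "my-project", "wf-trigger", "direct"), indent=2))
```

For the Cloud Storage service account from the direct-events section, call `audit_member` with the account printed by `gsutil kms serviceaccount` and `{"roles/pubsub.publisher"}` as the required set.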