Controlling access to other GCP resources

The Cloud Healthcare API does not have automatic access to other Google Cloud resources in your project, such as Cloud Storage buckets and BigQuery datasets. When accessing these resources, the Cloud Healthcare API uses a Google-managed service account called the Cloud Healthcare Service Agent.

To perform operations such as notifying Pub/Sub topics of changes, importing data from Cloud Storage buckets, exporting data to BigQuery datasets, and so on, you must first grant the service account the Cloud Identity and Access Management (Cloud IAM) permissions necessary to access the resources outside of the Cloud Healthcare API. This page describes which permissions are required for various operations, and how to grant them.

To learn more about using Cloud IAM to configure permissions within the Cloud Healthcare API, see Access control.

The Cloud Healthcare Service Agent

The Cloud Healthcare Service Agent service account is automatically created when you enable the Cloud Healthcare API. Its member name is service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com. To find the PROJECT_NUMBER for your Google Cloud project, see Identifying projects.

You can view detailed information about the Cloud Healthcare Service Agent service account, such as the roles it has been granted, on the Cloud Identity and Access Management page in Google Cloud Console.

DICOM, FHIR, and HL7v2 store Pub/Sub permissions

Changes within DICOM, FHIR, and HL7v2 stores can be sent to a Pub/Sub topic. To learn how to do so, see Using Cloud Pub/Sub for Notifications.

The methods within these stores require additional permissions on the Cloud Healthcare Service Agent service account to publish changes to a Pub/Sub topic.

You can use Google Cloud Console or the gcloud tool to add the required pubsub.publisher role to your project's service account:

Console

  1. Make sure that you have enabled the Cloud Healthcare API.
  2. On the Cloud IAM page in Google Cloud Console, verify that the role Healthcare Service Agent appears in the Role column for the Cloud Healthcare Service Agent service account. The service account member is service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com.
  3. In the Inheritance column that matches the role, click the pencil icon. The Edit permissions pane opens.
  4. Click Add another role and then search for the Pub/Sub Publisher role.
  5. Select the role and then click Save. The pubsub.publisher role is added to the service account.

gcloud

To add the service account permissions, run the gcloud projects add-iam-policy-binding command. To find the PROJECT_ID and PROJECT_NUMBER, see Identifying projects.

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com \
    --role=roles/pubsub.publisher

DICOM store Cloud Storage permissions

The projects.locations.datasets.dicomStores.import and projects.locations.datasets.dicomStores.export methods require additional permissions on the Cloud Healthcare Service Agent service account to import data from and export data to Cloud Storage.

Importing data from Cloud Storage

You can use Google Cloud Console or the gcloud tool to add the required storage.objectViewer role to your project's service account:

Console

  1. Make sure that you have enabled the Cloud Healthcare API.
  2. On the Cloud IAM page in Google Cloud Console, verify that the role Healthcare Service Agent appears in the Role column for the Cloud Healthcare Service Agent service account. The service account member is service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com.
  3. In the Inheritance column that matches the role, click the pencil icon. The Edit permissions pane opens.
  4. Click Add another role and then search for the Storage Object Viewer role.
  5. Select the role and then click Save. The storage.objectViewer role is then added to the service account.

gcloud

To add the service account permissions, run the gcloud projects add-iam-policy-binding command. To find the PROJECT_ID and PROJECT_NUMBER, see Identifying projects.

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com \
    --role=roles/storage.objectViewer

Exporting data to Cloud Storage

You can use Google Cloud Console or the gcloud tool to add the required storage.objectAdmin role to your project's service account:

Console

  1. Make sure that you have enabled the Cloud Healthcare API.
  2. On the Cloud IAM page in Google Cloud Console, verify that the role Healthcare Service Agent appears in the Role column for the Cloud Healthcare Service Agent service account. The service account member is service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com.
  3. In the Inheritance column that matches the role, click the pencil icon. The Edit permissions pane opens.
  4. Click Add another role and then search for the Storage Object Admin role.
  5. Select the role and then click Save. The storage.objectAdmin role is then added to the service account.

gcloud

To add the service account permissions, run the gcloud projects add-iam-policy-binding command. To find the PROJECT_ID and PROJECT_NUMBER, see Identifying projects.

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com \
    --role=roles/storage.objectAdmin

DICOM store BigQuery permissions

The projects.locations.datasets.dicomStores.export method requires additional permissions on the Cloud Healthcare Service Agent service account to export DICOM metadata to BigQuery.

You can use Google Cloud Console or the gcloud tool to add the required bigquery.dataEditor and bigquery.jobUser roles to your project's service account:

Console

  1. Make sure that you have enabled the Cloud Healthcare API.
  2. On the Cloud IAM page in Google Cloud Console, verify that the role Healthcare Service Agent appears in the Role column for the Cloud Healthcare Service Agent service account. The service account member is service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com.
  3. In the Inheritance column that matches the role, click the pencil icon. The Edit permissions pane opens.
  4. Click Add another role and then search for the BigQuery Data Editor and BigQuery Job User roles.
  5. Select the roles and then click Save. The bigquery.dataEditor and bigquery.jobUser roles are then added to the service account.

gcloud

To add the service account permissions, run the gcloud projects add-iam-policy-binding command. To find the PROJECT_ID and PROJECT_NUMBER, see Identifying projects.

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com \
    --role=roles/bigquery.dataEditor
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com \
    --role=roles/bigquery.jobUser

If, after setting the BigQuery permissions, you encounter an error when exporting DICOM metadata, you might have to grant additional permissions on the BigQuery dataset. To do so, complete the following steps:

  1. Navigate to Controlling access to a dataset.
  2. Using one of the available methods, grant the Cloud Healthcare Service Agent's email address WRITER access to the BigQuery dataset. (Look for the email address that ends in @gcp-sa-healthcare.iam.gserviceaccount.com.)

For example, if your Cloud Healthcare Service Agent's email address is service-000000000000@gcp-sa-healthcare.iam.gserviceaccount.com, and if you are using the BigQuery web UI, you would:

  1. Follow the Web UI instructions. Note that these instructions apply to the classic BigQuery web UI.
  2. In the Add people field, enter service-000000000000@gcp-sa-healthcare.iam.gserviceaccount.com and select the Can edit role.

Permissions for exporting DICOM metadata to a different Google Cloud project

To export DICOM metadata from a DICOM store in one project to a BigQuery table in a different project, you must add the source project's Cloud Healthcare Service Agent service account to the destination project and grant the service account the bigquery.dataEditor and bigquery.jobUser roles.

Before configuring the permissions in the destination project, navigate to the source project and complete the steps in DICOM store BigQuery permissions. Note the address of the Cloud Healthcare Service Agent service account (this is the project service account that ends in @gcp-sa-healthcare.iam.gserviceaccount.com) in the source project, as it will be used in the following steps.

Add the Cloud Healthcare Service Agent service account from the source project to the destination project and grant the service account the required BigQuery permissions by completing the following steps:

Console

  1. Open the destination project's Cloud IAM page in Google Cloud Console.
  2. Click Add.
  3. In the New members field, enter the address of the source project's Cloud Healthcare Service Agent service account.
  4. Click Add another role and then search for the BigQuery Data Editor and BigQuery Job User roles.
  5. Select the roles and then click Save. The source project's Cloud Healthcare Service Agent service account now has the bigquery.dataEditor and bigquery.jobUser roles on the destination project.

gcloud

To add the Cloud Healthcare Service Agent service account from the source project to the destination project and grant the service account the required BigQuery permissions, run the gcloud projects add-iam-policy-binding command. To find the project ID and project number for your source and destination projects, see Identifying projects.

gcloud projects add-iam-policy-binding DESTINATION_PROJECT_ID \
    --member=serviceAccount:service-SOURCE_PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com \
    --role=roles/bigquery.dataEditor
gcloud projects add-iam-policy-binding DESTINATION_PROJECT_ID \
    --member=serviceAccount:service-SOURCE_PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com \
    --role=roles/bigquery.jobUser

FHIR store Cloud Storage permissions

The projects.locations.datasets.fhirStores.import and projects.locations.datasets.fhirStores.export methods require additional permissions on the Cloud Healthcare Service Agent service account to import FHIR resources from and export FHIR resources to Cloud Storage.

Determine the role that the service account requires based on the actions that the application performs:

  • If the application exports FHIR resources from a FHIR store to Cloud Storage, the service account requires the storage.objectCreator role.
  • If the application imports FHIR resources from Cloud Storage to a FHIR store, the service account requires the storage.objectViewer role.

Importing FHIR resources from Cloud Storage

You can use Google Cloud Console or the gcloud tool to add the required storage.objectViewer role to your project's service account:

Console

  1. Make sure that you have enabled the Cloud Healthcare API.
  2. On the Cloud IAM page in Google Cloud Console, verify that the role Healthcare Service Agent appears in the Role column for the Cloud Healthcare Service Agent service account. The service account member is service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com.
  3. In the Inheritance column that matches the role, click the pencil icon. The Edit permissions pane opens.
  4. Click Add another role and then search for the Storage Object Viewer role.
  5. Select the role and then click Save. The storage.objectViewer role is then added to the service account.

gcloud

To add the storage.objectViewer role to the service account, run the gcloud projects add-iam-policy-binding command. To find the PROJECT_ID and PROJECT_NUMBER, see Identifying projects.

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com \
    --role=roles/storage.objectViewer

Exporting FHIR resources to Cloud Storage

You can use Google Cloud Console or the gcloud tool to add the required storage.objectCreator role to your project's service account:

Console

  1. Make sure that you have enabled the Cloud Healthcare API.
  2. On the Cloud IAM page in Google Cloud Console, verify that the role Healthcare Service Agent appears in the Role column for the Cloud Healthcare Service Agent service account. The service account member is service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com.
  3. In the Inheritance column that matches the role, click the pencil icon. The Edit permissions pane opens.
  4. Click Add another role and then search for the Storage Object Creator role.
  5. Select the role and then click Save. The storage.objectCreator role is then added to the service account.

gcloud

To add the service account permissions, run the gcloud projects add-iam-policy-binding command. To find the PROJECT_ID and PROJECT_NUMBER, see Identifying projects.

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com \
    --role=roles/storage.objectCreator

FHIR store BigQuery permissions

The projects.locations.datasets.fhirStores.export method requires additional permissions on the Cloud Healthcare Service Agent service account to export FHIR resources to BigQuery.

You can use Google Cloud Console or the gcloud tool to add the required bigquery.dataEditor and bigquery.jobUser roles to your project's service account:

Console

  1. Make sure that you have enabled the Cloud Healthcare API.
  2. On the Cloud IAM page in Google Cloud Console, verify that the role Healthcare Service Agent appears in the Role column for the Cloud Healthcare Service Agent service account. The service account member is service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com.
  3. In the Inheritance column that matches the role, click the pencil icon. The Edit permissions pane opens.
  4. Click Add another role and then search for the BigQuery Data Editor and BigQuery Job User roles.
  5. Select the roles and then click Save. The bigquery.dataEditor and bigquery.jobUser roles are then added to the service account.

gcloud

To add the service account permissions, run the gcloud projects add-iam-policy-binding command. To find the PROJECT_ID and PROJECT_NUMBER, see Identifying projects.

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com \
    --role=roles/bigquery.dataEditor
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com \
    --role=roles/bigquery.jobUser

If, after setting the BigQuery permissions, you encounter an error when exporting FHIR resources, you might have to grant additional permissions on the BigQuery dataset. To do so, complete the following steps:

  1. Navigate to Controlling access to a dataset.
  2. Using one of the available methods, grant the Cloud Healthcare Service Agent's email address WRITER access to the BigQuery dataset. (Look for the email address that ends in @gcp-sa-healthcare.iam.gserviceaccount.com.)

For example, if your Cloud Healthcare Service Agent's email address is service-000000000000@gcp-sa-healthcare.iam.gserviceaccount.com, and if you are using the BigQuery web UI, you would:

  1. Follow the Web UI instructions. Note that these instructions apply to the classic BigQuery web UI.
  2. In the Add people field, enter service-000000000000@gcp-sa-healthcare.iam.gserviceaccount.com and select the Can edit role.
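As an added example (not from this page or from Google's own tooling), the following Python script audits a project's IAM policy, as exported by gcloud projects get-iam-policy PROJECT_ID --format=json, and reports which of the roles listed on this page the Cloud Healthcare Service Agent is missing for a given operation, plus any grant broader than the operation needs. It generalises across every operation above and across the cross-project case (pass the source project's number with the destination project's policy); the REQUIRED_ROLES and OVERBROAD tables, the placeholder project number 000000000000 and the sample policy are assumptions of the example.

```python
import json

# Roles each operation requires on the service agent, as listed on this page.
REQUIRED_ROLES = {
    "pubsub_notifications": {"roles/pubsub.publisher"},
    "dicom_import_gcs": {"roles/storage.objectViewer"},
    "dicom_export_gcs": {"roles/storage.objectAdmin"},
    "dicom_export_bigquery": {"roles/bigquery.dataEditor", "roles/bigquery.jobUser"},
    "fhir_import_gcs": {"roles/storage.objectViewer"},
    "fhir_export_gcs": {"roles/storage.objectCreator"},
    "fhir_export_bigquery": {"roles/bigquery.dataEditor", "roles/bigquery.jobUser"},
}

# Grants wider than anything on this page needs (assumed review list).
OVERBROAD = {"roles/owner", "roles/editor", "roles/storage.admin", "roles/bigquery.admin"}


def service_agent(project_number: str) -> str:
    """Member string of the Cloud Healthcare Service Agent for a project number."""
    return f"serviceAccount:service-{project_number}@gcp-sa-healthcare.iam.gserviceaccount.com"


def roles_of(policy: dict, member: str) -> set:
    """Collect every role the policy binds to `member`."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit(policy: dict, agent_project_number: str, operation: str) -> dict:
    """Return the roles the agent still lacks for `operation` and any over-broad grants."""
    granted = roles_of(policy, service_agent(agent_project_number))
    return {
        "missing": sorted(REQUIRED_ROLES[operation] - granted),
        "overbroad": sorted(granted & OVERBROAD),
    }


# Constructed sample policy (placeholder project number 000000000000).
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/healthcare.serviceAgent",
     "members": ["serviceAccount:service-000000000000@gcp-sa-healthcare.iam.gserviceaccount.com"]},
    {"role": "roles/bigquery.dataEditor",
     "members": ["serviceAccount:service-000000000000@gcp-sa-healthcare.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:service-000000000000@gcp-sa-healthcare.iam.gserviceaccount.com"]}
  ]
}""")

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, "000000000000", "fhir_export_bigquery"))
```

Run the audit once per operation your application performs; an empty "missing" list and an empty "overbroad" list mean the agent holds exactly what this page prescribes.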