Overview
Live Stream API uses Identity and Access Management (IAM) for access control.
You can configure access control for the Live Stream API at the project level. For example, you can grant access for developers to list and get all events within a project.
For a detailed description of IAM and its features, see the IAM documentation. In particular, see the section on managing IAM policies.
Every Live Stream API method requires the caller to have the necessary permissions. For more information, see Permissions and Roles.
Permissions
This section summarizes the Live Stream API permissions that IAM supports.
Required permissions
The following tables list the IAM permissions that each Live Stream API method requires, and the resource on which the caller must hold them.
Assets method name | Required permissions |
---|---|
assets.create | livestream.assets.create on the parent location, which is a specific Google Cloud project and data location combination. |
assets.delete | livestream.assets.delete on the asset resource. |
assets.get | livestream.assets.get on the asset resource. |
assets.list | livestream.assets.list on the parent location, which is a specific Google Cloud project and data location combination. |
Channels method name | Required permissions |
---|---|
channels.create | livestream.channels.create on the parent location, which is a specific Google Cloud project and data location combination. |
channels.delete | livestream.channels.delete on the channel resource. |
channels.get | livestream.channels.get on the channel resource. |
channels.list | livestream.channels.list on the parent location, which is a specific Google Cloud project and data location combination. |
channels.patch | livestream.channels.update on the channel resource. |
channels.start | livestream.channels.start on the channel resource. |
channels.stop | livestream.channels.stop on the channel resource. |
Clips method name | Required permissions |
---|---|
channels.clips.create | livestream.clips.create on the parent channel for the resource. |
channels.clips.delete | livestream.clips.delete on the clip resource. |
channels.clips.get | livestream.clips.get on the clip resource. |
channels.clips.list | livestream.clips.list on the parent channel for the resource. |
Events method name | Required permissions |
---|---|
channels.events.create | livestream.events.create on the parent channel for the resource. |
channels.events.delete | livestream.events.delete on the event resource. |
channels.events.get | livestream.events.get on the event resource. |
channels.events.list | livestream.events.list on the parent channel for the resource. |
Inputs method name | Required permissions |
---|---|
inputs.create | livestream.inputs.create on the parent location, which is a specific Google Cloud project and data location combination. |
inputs.delete | livestream.inputs.delete on the input resource. |
inputs.get | livestream.inputs.get on the input resource. |
inputs.list | livestream.inputs.list on the parent location, which is a specific Google Cloud project and data location combination. |
inputs.patch | livestream.inputs.update on the input resource. |
Pools method name | Required permissions |
---|---|
pools.get | livestream.pools.get on the pool resource. |
pools.patch | livestream.pools.patch on the pool resource. |
Roles
The following table lists the Live Stream API IAM roles, including the permissions associated with each role:
IAM role | Permissions |
---|---|
Live Stream Viewer | Read access to Live Stream resources. |
Live Stream Editor | Full access to Live Stream resources. |
For more information about roles, see Understanding roles.
Access to Cloud Storage
By default, the Live Stream API has access to all of your project's Cloud Storage buckets. When you create your first live streaming event, the Live Stream API creates a service account using the following naming convention:
service-PROJECT_NUMBER@gcp-sa-livestream.iam.gserviceaccount.com
PROJECT_NUMBER is the number of your project with the Live Stream API enabled. This service account is granted the Live Stream Service Agent role and has permissions to do the following:
- Read files in your project's Cloud Storage buckets
- Upload files to your project's Cloud Storage buckets
- Delete files in your project's Cloud Storage buckets
- List files and their metadata in your project's Cloud Storage buckets
Limiting access
To limit this access to your Cloud Storage buckets, remove the Live Stream Service Agent role from the service account and replace it with more fine-grained, per-bucket access. Follow these steps:
- Go to the IAM page (Permissions tab) in the Google Cloud console.
- Find the service account with the Live Stream Service Agent role and select the edit button.
- Delete the Live Stream Service Agent role from the service account.
- Grant access to the service account for each individual Cloud Storage bucket:
  - Go to the Cloud Storage Browser page.
  - Click a bucket.
  - Select the Permissions tab.
  - Click Add.
  - In the New principals field, type the name of the service account.
  - Under Role, select Storage Object Admin.
  - Click Save. The Live Stream API now has access to the bucket.
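A check for the state this procedure should leave behind, added here as an example and not part of the Google Cloud documentation: it reads a project IAM policy and per-bucket policies (as exported by gcloud in JSON), finds the Live Stream service agent by the naming convention above, and reports whether the broad project-wide role is still present and which buckets grant it Storage Object Admin. The role ID roles/livestream.serviceAgent is an assumption (the page gives only the display name), and the policies are constructed sample data.

```python
import re

# Naming convention of the Live Stream service agent, as given on this page.
SERVICE_AGENT_RE = re.compile(
    r"^serviceAccount:service-\d+@gcp-sa-livestream\.iam\.gserviceaccount\.com$")
# Assumed role ID for "Live Stream Service Agent"; the page gives only the display name.
SERVICE_AGENT_ROLE = "roles/livestream.serviceAgent"
# Role ID of "Storage Object Admin", the per-bucket role the page recommends.
BUCKET_ROLE = "roles/storage.objectAdmin"

def agent_roles(policy):
    """Map each Live Stream service agent found in an IAM policy to the roles it holds."""
    found = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if SERVICE_AGENT_RE.match(member):
                found.setdefault(member, set()).add(binding["role"])
    return found

def audit(project_policy, bucket_policies):
    """project_policy: `gcloud projects get-iam-policy PROJECT --format=json` parsed;
    bucket_policies: {bucket: `gcloud storage buckets get-iam-policy gs://BUCKET
    --format=json` parsed}. Per agent: is the broad project-wide role still present,
    and which buckets grant it Storage Object Admin directly."""
    project = agent_roles(project_policy)
    per_bucket = {name: agent_roles(pol) for name, pol in bucket_policies.items()}
    members = set(project) | {m for roles in per_bucket.values() for m in roles}
    return {
        member: {
            "project_wide": SERVICE_AGENT_ROLE in project.get(member, set()),
            "buckets": sorted(b for b, roles in per_bucket.items()
                              if BUCKET_ROLE in roles.get(member, set())),
        }
        for member in sorted(members)
    }

# Constructed sample data: the default state (agent still holds the service agent
# role project-wide) plus one bucket that already carries a fine-grained grant.
AGENT = "serviceAccount:service-123456789012@gcp-sa-livestream.iam.gserviceaccount.com"
PROJECT_POLICY = {"bindings": [
    {"role": SERVICE_AGENT_ROLE, "members": [AGENT]},
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
]}
BUCKET_POLICIES = {
    "media-out": {"bindings": [{"role": BUCKET_ROLE, "members": [AGENT]}]},
    "finance-reports": {"bindings": [{"role": "roles/storage.objectViewer",
                                      "members": ["group:finance@example.com"]}]},
}
```

A result with `project_wide` True means the agent can still reach every bucket in the project regardless of the per-bucket grants; only when it is False and `buckets` lists exactly the intended buckets is the access actually limited.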