Access control with IAM

Overview

Live Stream API uses Identity and Access Management (IAM) for access control.

You can configure access control for the Live Stream API at the project level. For example, you can grant access for developers to list and get all events within a project.

For a detailed description of IAM and its features, see the IAM documentation. In particular, see the section on managing IAM policies.

Every Live Stream API method requires the caller to have the necessary permissions. For more information, see Permissions and Roles.

Permissions

This section summarizes the Live Stream API permissions that IAM supports.

Required permissions

The following tables list the IAM permissions that are associated with the Live Stream API, one table per resource type.

Channels

Method name     | Required permissions
channels.create | livestream.channels.create on the parent location, which is a specific Google Cloud project and data location combination.
channels.delete | livestream.channels.delete on the channel resource.
channels.get    | livestream.channels.get on the channel resource.
channels.list   | livestream.channels.list on the parent location, which is a specific Google Cloud project and data location combination.
channels.patch  | livestream.channels.update on the channel resource.
channels.start  | livestream.channels.start on the channel resource.
channels.stop   | livestream.channels.stop on the channel resource.

Events

Method name   | Required permissions
events.create | livestream.events.create on the parent channel for the resource.
events.delete | livestream.events.delete on the event resource.
events.get    | livestream.events.get on the event resource.
events.list   | livestream.events.list on the parent channel for the resource.

Inputs

Method name   | Required permissions
inputs.create | livestream.inputs.create on the parent location, which is a specific Google Cloud project and data location combination.
inputs.delete | livestream.inputs.delete on the input resource.
inputs.get    | livestream.inputs.get on the input resource.
inputs.list   | livestream.inputs.list on the parent location, which is a specific Google Cloud project and data location combination.
inputs.patch  | livestream.inputs.update on the input resource.

Roles

The following table lists the Live Stream API IAM roles, including the permissions associated with each role:

Live Stream API role | Permissions

roles/livestream.viewer
  • livestream.channels.list
  • livestream.channels.get
  • livestream.events.list
  • livestream.events.get
  • livestream.inputs.list
  • livestream.inputs.get

roles/livestream.editor
  All roles/livestream.viewer permissions, and:
  • livestream.channels.create
  • livestream.channels.delete
  • livestream.channels.update
  • livestream.channels.start
  • livestream.channels.stop
  • livestream.events.create
  • livestream.events.delete
  • livestream.inputs.create
  • livestream.inputs.delete
  • livestream.inputs.update

For more information about roles, see Understanding roles.
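The permission and role tables above are exactly the data a least-privilege review needs: which permission each method requires, and which predefined role carries it. The following script is an added example and not code from the Live Stream API documentation. It encodes those two tables, evaluates an IAM policy document in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns, and reports principals that hold roles/livestream.editor although the methods they actually use are covered by roles/livestream.viewer. SAMPLE_POLICY and USED_METHODS are constructed samples; the principal names in them are placeholders.

```python
"""Least-privilege review of Live Stream API IAM bindings (added example).

The method and role tables from the page are encoded as data; an IAM policy
document (same JSON shape as `gcloud projects get-iam-policy` output) is
evaluated against them. SAMPLE_POLICY and USED_METHODS are constructed.
"""
from typing import Dict, List, Set, Tuple

# Method -> required permission, from the page's permission tables.
REQUIRED_PERMISSION: Dict[str, str] = {
    "channels.create": "livestream.channels.create",
    "channels.delete": "livestream.channels.delete",
    "channels.get": "livestream.channels.get",
    "channels.list": "livestream.channels.list",
    "channels.patch": "livestream.channels.update",
    "channels.start": "livestream.channels.start",
    "channels.stop": "livestream.channels.stop",
    "events.create": "livestream.events.create",
    "events.delete": "livestream.events.delete",
    "events.get": "livestream.events.get",
    "events.list": "livestream.events.list",
    "inputs.create": "livestream.inputs.create",
    "inputs.delete": "livestream.inputs.delete",
    "inputs.get": "livestream.inputs.get",
    "inputs.list": "livestream.inputs.list",
    "inputs.patch": "livestream.inputs.update",
}

# Predefined roles from the page's role table; editor = viewer plus everything else.
VIEWER: Set[str] = {
    "livestream.channels.list", "livestream.channels.get",
    "livestream.events.list", "livestream.events.get",
    "livestream.inputs.list", "livestream.inputs.get",
}
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/livestream.viewer": VIEWER,
    "roles/livestream.editor": VIEWER | set(REQUIRED_PERMISSION.values()),
}

# Constructed sample project policy (placeholder principals).
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwConstructedEtag=",
    "bindings": [
        {"role": "roles/livestream.viewer",
         "members": ["user:analyst@example.com"]},
        {"role": "roles/livestream.editor",
         "members": ["user:ops@example.com",
                     "serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/livestream.editor",
         "members": ["user:contractor@example.com"],
         "condition": {"title": "expires",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    ],
}
# Constructed record of which methods each principal has actually been calling.
USED_METHODS = {
    "user:analyst@example.com": ["channels.list", "events.get"],
    "serviceAccount:ci@example.iam.gserviceaccount.com": ["channels.get", "events.list"],
    "user:ops@example.com": ["channels.start", "channels.stop"],
}


def resolve(policy: dict, member: str) -> Tuple[Set[str], List[Tuple[str, str]]]:
    """Permissions `member` holds through the page's two roles, plus the bindings
    this script cannot expand and that must be reviewed by hand: conditional
    bindings, and roles outside the page's table (basic roles such as
    roles/owner, custom roles). Unknown roles are reported rather than ignored,
    because ignoring them would under-report access. Only direct member strings
    are matched; group membership is not expanded."""
    perms: Set[str] = set()
    unresolved: List[Tuple[str, str]] = []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        if "condition" in binding:
            unresolved.append((role, "conditional binding"))
        elif role in ROLE_PERMISSIONS:
            perms |= ROLE_PERMISSIONS[role]
        else:
            unresolved.append((role, "role not in page tables"))
    return perms, unresolved


def can_call(policy: dict, member: str, method: str) -> bool:
    """True only when an unconditional predefined Live Stream role grants the method."""
    perms, _ = resolve(policy, member)
    return REQUIRED_PERMISSION[method] in perms


def minimal_role(methods: List[str]) -> str:
    """Smallest predefined role on the page that covers every listed method."""
    needed = {REQUIRED_PERMISSION[m] for m in methods}
    for role in ("roles/livestream.viewer", "roles/livestream.editor"):
        if needed <= ROLE_PERMISSIONS[role]:
            return role
    raise ValueError("no predefined Live Stream role covers these methods")


def over_privileged(policy: dict, used_methods: Dict[str, List[str]]) -> Dict[str, Dict[str, str]]:
    """Principals holding roles/livestream.editor unconditionally whose observed
    method usage would be covered by roles/livestream.viewer."""
    findings: Dict[str, Dict[str, str]] = {}
    for member, methods in used_methods.items():
        held = {b["role"] for b in policy.get("bindings", [])
                if member in b.get("members", []) and "condition" not in b}
        needed = minimal_role(methods)
        if "roles/livestream.editor" in held and needed == "roles/livestream.viewer":
            findings[member] = {"held": "roles/livestream.editor", "needed": needed}
    return findings


if __name__ == "__main__":
    for member, finding in over_privileged(SAMPLE_POLICY, USED_METHODS).items():
        print(f"{member}: holds {finding['held']}, needs {finding['needed']}")
    for member in ("user:admin@example.com", "user:contractor@example.com"):
        print(member, "review by hand:", resolve(SAMPLE_POLICY, member)[1])
```

The unresolved list matters as much as the findings: a principal with roles/owner or a conditional grant holds access this table-driven check cannot see, so the script flags those bindings for manual review instead of reporting them as clean.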

Access to Cloud Storage

By default, the Live Stream API has access to all of your project's Cloud Storage buckets. When you create your first live streaming event, the Live Stream API creates a service account using the following naming convention:

service-PROJECT_NUMBER@gcp-sa-livestream.iam.gserviceaccount.com

PROJECT_NUMBER is the number of your project with the Live Stream API enabled. This service account is granted the Live Stream Service Agent role and has permissions to do the following:

  • Read files in your project's Cloud Storage buckets
  • Upload files to your project's Cloud Storage buckets
  • Delete files in your project's Cloud Storage buckets
  • List files and their metadata in your project's Cloud Storage buckets

Limiting access

To limit this access to your Cloud Storage buckets, remove the Live Stream Service Agent role from the service account and replace it with more fine-grained access. Follow these steps:

  1. Go to the IAM page (Permissions tab) in the Google Cloud console.
  2. Find the service account with the Live Stream Service Agent role and select the edit button.
  3. Delete the Live Stream Service Agent role from the service account.
  4. Grant access to the service account for each individual Cloud Storage bucket:
    1. Go to the Cloud Storage Browser page.
    2. Click a bucket.
    3. Select the Permissions tab.
    4. Click Add.
    5. In the New principals box, type the name of the service account.
    6. Under Role, select Storage Object Admin.
    7. Click Save. The Live Stream API now has access to the bucket.
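The console steps above amount to two IAM policy edits: drop the project-wide service agent binding, then add a bucket-level Storage Object Admin binding for each bucket the API should still reach. The following script is an added example, not code from the Live Stream API documentation. It performs those edits on policy documents in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` return. Assumptions: PROJECT_NUMBER and the bucket names are placeholders; SERVICE_AGENT_ROLE is the assumed role ID for the Live Stream Service Agent role, so confirm it against the role string that appears in your own project policy; the sample policies are constructed.

```python
"""Scope the Live Stream service agent down from project-wide to per-bucket
access (added example, not the documentation's own code).

Works on IAM policy documents as returned by `gcloud ... get-iam-policy` and
accepted by `gcloud ... set-iam-policy`. Sample policies are constructed.
"""
import copy
from typing import Dict, Tuple

PROJECT_NUMBER = "123456789012"  # placeholder project number
# Service account naming convention from the page.
SERVICE_AGENT = ("serviceAccount:service-" + PROJECT_NUMBER
                 + "@gcp-sa-livestream.iam.gserviceaccount.com")
# Assumed role ID for "Live Stream Service Agent"; confirm against your project policy.
SERVICE_AGENT_ROLE = "roles/livestream.serviceAgent"
BUCKET_ROLE = "roles/storage.objectAdmin"  # "Storage Object Admin" in the console

# Constructed sample: the service agent still holds its default project-wide role.
SAMPLE_PROJECT_POLICY = {
    "version": 1,
    "etag": "BwProjectEtag=",
    "bindings": [
        {"role": SERVICE_AGENT_ROLE, "members": [SERVICE_AGENT]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
}
# Constructed sample bucket policies (placeholder bucket names).
SAMPLE_BUCKET_POLICIES = {
    "gs://live-output": {"etag": "BwBucketEtag1=", "bindings": []},
    "gs://live-archive": {"etag": "BwBucketEtag2=", "bindings": [
        {"role": BUCKET_ROLE, "members": ["user:ops@example.com"]}]},
}


def has_binding(policy: dict, role: str, member: str) -> bool:
    """True if member is in an unconditional binding for role."""
    return any(b["role"] == role and "condition" not in b
               and member in b.get("members", [])
               for b in policy.get("bindings", []))


def remove_binding(policy: dict, role: str, member: str) -> Tuple[dict, bool]:
    """Copy of policy with member dropped from the unconditional binding for role.
    Bindings left with no members are removed. etag and version are kept, so a
    subsequent set-iam-policy is rejected if the policy changed in between."""
    new = copy.deepcopy(policy)
    removed = False
    kept = []
    for b in new.get("bindings", []):
        if b["role"] == role and "condition" not in b and member in b.get("members", []):
            b["members"].remove(member)
            removed = True
        if b.get("members"):
            kept.append(b)
    new["bindings"] = kept
    return new, removed


def add_binding(policy: dict, role: str, member: str) -> dict:
    """Copy of policy with member added to the unconditional binding for role,
    reusing an existing binding for that role when there is one."""
    new = copy.deepcopy(policy)
    for b in new.setdefault("bindings", []):
        if b["role"] == role and "condition" not in b:
            members = b.setdefault("members", [])
            if member not in members:
                members.append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def scope_down(project_policy: dict,
               bucket_policies: Dict[str, dict]) -> Tuple[dict, Dict[str, dict], bool]:
    """Apply the page's procedure: revoke the project-wide service agent role and
    grant BUCKET_ROLE on each listed bucket. Refuses to revoke when no bucket is
    listed, so the service agent is never left without any storage access."""
    if not bucket_policies:
        raise ValueError("list at least one bucket before revoking project-wide access")
    new_project, removed = remove_binding(project_policy, SERVICE_AGENT_ROLE, SERVICE_AGENT)
    new_buckets = {name: add_binding(p, BUCKET_ROLE, SERVICE_AGENT)
                   for name, p in bucket_policies.items()}
    return new_project, new_buckets, removed


if __name__ == "__main__":
    import json
    project, buckets, removed = scope_down(SAMPLE_PROJECT_POLICY, SAMPLE_BUCKET_POLICIES)
    print("project-wide role removed:", removed)
    print(json.dumps(project, indent=2))
    for name, pol in buckets.items():
        print(name, json.dumps(pol, indent=2))
```

The edited documents are what you would write to a file and pass to `gcloud projects set-iam-policy PROJECT policy.json` and `gcloud storage buckets set-iam-policy gs://BUCKET policy.json`. Note what this narrows and what it does not: Storage Object Admin still lets the service agent read, write, list and delete objects, the same operations the page lists for the service agent role, so the change limits which buckets are reachable rather than which operations are allowed on them.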