Access control with IAM

This page explains the Identity and Access Management roles available for Memorystore for Redis Cluster, and the associated permissions for those roles. Memorystore for Redis Cluster and Memorystore for Redis use the same IAM roles. The permissions these roles grant for Memorystore for Redis Cluster are listed on this page. The permissions these roles grant for Memorystore for Redis are listed on the Memorystore for Redis Access control page. Although the permissions are listed separately on both pages, the roles grant permissions for both Memorystore for Redis Cluster and Memorystore for Redis.

Memorystore for Redis Cluster uses a different permissions naming structure than Memorystore for Redis:

  • Memorystore for Redis Cluster instances use redis.clusters.[PERMISSION].
  • Memorystore for Redis instances use redis.instances.[PERMISSION].

To view more information about the Redis Admin role, see Predefined roles.

To learn how to grant the role to a user in your project, see Grant or revoke a single role.

Predefined roles

The following predefined roles are available for Memorystore for Redis Cluster. If you update a role for an Identity and Access Management principal, the change takes several minutes to take effect.

Each entry lists the role ID, its name, the Redis permissions it grants, and a description.

roles/owner (Owner)
  Redis permissions: redis.*
  Description: Full access and control for all Google Cloud resources; manage user access

roles/editor (Editor)
  Redis permissions: All redis permissions except for *.getIamPolicy and *.setIamPolicy
  Description: Read-write access to all Google Cloud and Redis resources (full control except for the ability to modify permissions)

roles/viewer (Viewer)
  Redis permissions: redis.*.get, redis.*.list
  Description: Read-only access to all Google Cloud resources, including Redis resources

roles/redis.admin (Redis Admin)
  Redis permissions: redis.*
  Description: Full control for all Memorystore for Redis Cluster resources.

roles/redis.editor (Redis Editor)
  Redis permissions: All redis permissions except for redis.clusters.create, redis.clusters.delete, redis.clusters.connect
  Description: Manage Memorystore for Redis Cluster instances. Can't create or delete instances.

roles/redis.viewer (Redis Viewer)
  Redis permissions: All redis permissions except for redis.clusters.create, redis.clusters.delete, redis.clusters.update, redis.clusters.connect, redis.operations.delete
  Description: Read-only access to all Memorystore for Redis Cluster resources.

roles/redis.dbConnectionUser (Redis Database Connection User)
  Redis permissions: redis.clusters.connect
  Description: A role that you can assign to users who need to authenticate with IAM Auth

Permissions and their roles

The following table lists each permission that Memorystore for Redis Cluster supports and the Memorystore for Redis roles that include it:

redis.clusters.list
  Redis roles: Redis Admin, Redis Editor, Redis Viewer
  Basic role: Viewer

redis.clusters.get
  Redis roles: Redis Admin, Redis Editor, Redis Viewer
  Basic role: Viewer

redis.clusters.create
  Redis roles: Redis Admin
  Basic role: Owner

redis.clusters.update
  Redis roles: Redis Admin, Redis Editor
  Basic role: Editor

redis.clusters.connect
  Redis roles: Redis Admin, Redis Database Connection User
  Basic role: Owner

Custom roles

If the predefined roles do not address your unique business requirements, you can define your own custom roles with permissions that you specify. To support this, IAM offers custom roles. When you create custom roles for Memorystore for Redis Cluster, make sure that you include both resourcemanager.projects.get and resourcemanager.projects.list. Otherwise, the Google Cloud console will not function correctly for Memorystore for Redis Cluster. For more information, see Permission dependencies. To learn how to create a custom role, see Creating a custom role.
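As an added example (not from this page or from the Memorystore product), the following script writes a least-privilege custom role for an application principal that only needs to connect to and read cluster metadata, checks that the two console dependencies named above are present, and binds it with gcloud. The role ID memorystoreClusterConnector, the PROJECT_ID and MEMBER values, and the chosen permission set are assumptions you replace for your own project.

```shell
#!/usr/bin/env sh
# Added example, not part of the Memorystore documentation.
# Role ID, project and member values are placeholders (assumptions).

# Emit a custom-role definition in the YAML format accepted by
# `gcloud iam roles create --file`. resourcemanager.projects.get and
# resourcemanager.projects.list are included because the console needs
# them to work with Memorystore for Redis Cluster.
emit_role_yaml() {
  cat <<'EOF'
title: Memorystore Redis Cluster Connector
description: Connect to and read Memorystore for Redis Cluster instances (constructed example)
stage: GA
includedPermissions:
- redis.clusters.get
- redis.clusters.list
- redis.clusters.connect
- resourcemanager.projects.get
- resourcemanager.projects.list
EOF
}

# Exit 0 if the role file lists both console dependencies, 1 otherwise.
# Catches the omission that breaks the console for this product.
check_console_deps() {
  grep -q '^- resourcemanager\.projects\.get$' "$1" &&
  grep -q '^- resourcemanager\.projects\.list$' "$1"
}

# Create the role and grant it to one principal (e.g. a service account).
# Requires gcloud and is not exercised by the test; run it by hand.
apply_role() {
  project="$1"; member="$2"; file="$3"
  check_console_deps "$file" || { echo "role file lacks console deps" >&2; return 1; }
  gcloud iam roles create memorystoreClusterConnector \
    --project="$project" --file="$file"
  gcloud projects add-iam-policy-binding "$project" \
    --member="$member" \
    --role="projects/$project/roles/memorystoreClusterConnector"
}

# Usage (placeholders): emit_role_yaml > role.yaml
#   apply_role PROJECT_ID serviceAccount:app@PROJECT_ID.iam.gserviceaccount.com role.yaml
```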

In-transit encryption permissions

The following permissions are required for enabling and managing in-transit encryption for Memorystore for Redis Cluster:

redis.clusters.create
  Required to create a Memorystore instance with in-transit encryption

redis.clusters.get
  Required to download the Certificate Authority

Network connectivity policy creation role

The permissions described in this section are needed for the Network Admin who is establishing a service connection policy for Memorystore for Redis Cluster, as described in the Networking page.

To establish the policy required for Memorystore cluster creation, the Network Admin must have the networkconnectivity.googleapis.com/consumerNetworkAdmin role, which grants the following permissions:

  • networkconnectivity.serviceconnectionpolicies.create
  • networkconnectivity.serviceconnectionpolicies.list
  • networkconnectivity.serviceconnectionpolicies.get
  • networkconnectivity.serviceconnectionpolicies.delete
  • networkconnectivity.serviceconnectionpolicies.update