Access control and permissions

This page describes how you can control project access and permissions for Memorystore for Memcached using Identity and Access Management (IAM).

Overview

IAM lets you control access to specific Google Cloud resources at a granular level, and also prevents unwanted access to those resources. For a detailed description of roles and permissions, see the IAM documentation.

Memorystore for Memcached provides a set of predefined roles designed to help you easily control access to your Memcached resources. If the predefined roles do not provide the sets of permissions you need, you can also create custom roles. In addition, the older basic roles (Editor, Viewer, and Owner) are still available to you, although they do not provide the same fine-grained control as the Memorystore for Memcached roles. Specifically, the basic roles provide access to resources across Google Cloud, rather than just for Memorystore for Memcached. For more information about basic roles, see Basic roles.

Permissions and roles

This section summarizes the permissions and roles that Memorystore for Memcached supports.

Predefined roles

Memorystore for Memcached provides predefined roles that you can use to provide finer-grained permissions to project members. The role you grant to a project member controls what actions the member can take. Project members can be individuals, groups, or service accounts.

Project owners can grant multiple roles to the same project member, and can change the roles at any time.

The broader roles include the permissions of the more narrowly defined roles. For example, the Memcached Editor role includes all of the permissions of the Memcached Viewer role, along with additional permissions. Likewise, the Memcached Admin role includes all of the permissions of the Memcached Editor role, along with its additional permissions.

The basic roles (Owner, Editor, Viewer) provide permissions across Google Cloud. The roles specific to Memorystore for Memcached provide only Memorystore for Memcached permissions, except for the following Google Cloud permissions, which are needed for general Google Cloud usage:

resourcemanager.projects.get
resourcemanager.projects.list

The following table lists the predefined roles available for Memorystore for Memcached, along with their Memorystore for Memcached permissions:

Role: roles/owner (Owner)
  Memcached permissions: memcache.*
  Description: Full access and control for all Google Cloud resources; manage user access

Role: roles/editor (Editor)
  Memcached permissions: all memcache permissions except *.getIamPolicy and *.setIamPolicy
  Description: Read-write access to all Google Cloud and Memcached resources (full control except for the ability to modify permissions)

Role: roles/viewer (Viewer)
  Memcached permissions: memcache.*.get, memcache.*.list
  Description: Read-only access to all Google Cloud resources, including Memcached resources

Role: roles/memcache.admin (Memcached Admin)
  Memcached permissions: memcache.*
  Description: Full control for all Memorystore for Memcached resources.

Role: roles/memcache.editor (Memcached Editor)
  Memcached permissions: all memcache permissions except memcache.instances.create and memcache.instances.delete
  Description: Manage Memorystore for Memcached instances. Can't create or delete instances.

Role: roles/memcache.viewer (Memcached Viewer)
  Memcached permissions: all memcache permissions except memcache.instances.create, memcache.instances.delete, memcache.instances.update, memcache.operations.delete, memcache.instances.applyParameters, and memcache.instances.updateParameters
  Description: Read-only access to all Memorystore for Memcached resources.

Permissions and their roles

The following table lists the permissions that Memorystore for Memcached supports, and the Memorystore for Memcached roles and basic roles that include each of them:

Permission                           Memcached roles                                       Basic role
memcache.instances.list              Memcached Admin, Memcached Editor, Memcached Viewer   Reader
memcache.instances.get               Memcached Admin, Memcached Editor, Memcached Viewer   Reader
memcache.instances.create            Memcached Admin                                       Writer
memcache.instances.update            Memcached Admin, Memcached Editor                     Writer
memcache.instances.delete            Memcached Admin                                       Writer
memcache.instances.applyParameters   Memcached Admin, Memcached Editor                     Writer
memcache.instances.updateParameters  Memcached Admin, Memcached Editor                     Writer
memcache.locations.list              Memcached Admin, Memcached Editor, Memcached Viewer   Reader
memcache.locations.get               Memcached Admin, Memcached Editor, Memcached Viewer   Reader
memcache.operations.list             Memcached Admin, Memcached Editor, Memcached Viewer   Reader
memcache.operations.get              Memcached Admin, Memcached Editor, Memcached Viewer   Reader
memcache.operations.delete           Memcached Admin, Memcached Editor                     Writer

Custom roles

If the predefined roles do not address your unique business requirements, you can define your own custom roles with permissions that you specify. When you create custom roles for Memorystore for Memcached, make sure that you include both resourcemanager.projects.get and resourcemanager.projects.list. For more information, see Permission dependencies.

Required permissions for common tasks in the Cloud Console

To enable a user to work with Memorystore for Memcached using the Cloud Console, the user's role must include the resourcemanager.projects.get and resourcemanager.projects.list permissions.

The following table provides the other permissions required for some common tasks in the Cloud Console:

Task: Display the instance listing page
  memcache.instances.get
  memcache.instances.list

Task: Creating and editing an instance
  memcache.instances.create
  memcache.instances.get
  memcache.instances.list
  memcache.instances.update
  memcache.instances.applyParameters
  memcache.instances.updateParameters
  compute.networks.list

Task: Deleting an instance
  memcache.instances.delete
  memcache.instances.get
  memcache.instances.list

Task: Connecting to an instance from the Cloud Shell
  memcache.instances.get
  memcache.instances.list
  memcache.instances.update

Task: Viewing instance information
  memcache.instances.get
  monitoring.timeSeries.list
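As an added example (not code from the Memorystore for Memcached documentation), the following Python encodes the predefined Memcached roles and the Cloud Console task permissions from this page, then picks the least-privileged predefined role that covers a task and derives the permission list for a custom role as the Custom roles section requires. Role, permission and task names are taken from this page; the two helper function names are this example's own.

```python
# Added example (not from the Memorystore docs): models the predefined Memcached roles
# and Console task permissions on this page to pick the least-privileged role for a task.
ALL_MEMCACHE = {
    "memcache.instances.list", "memcache.instances.get", "memcache.instances.create",
    "memcache.instances.update", "memcache.instances.delete",
    "memcache.instances.applyParameters", "memcache.instances.updateParameters",
    "memcache.locations.list", "memcache.locations.get", "memcache.operations.list",
    "memcache.operations.get", "memcache.operations.delete",
}
EDITOR_EXCLUDED = {"memcache.instances.create", "memcache.instances.delete"}
VIEWER_EXCLUDED = EDITOR_EXCLUDED | {
    "memcache.instances.update", "memcache.operations.delete",
    "memcache.instances.applyParameters", "memcache.instances.updateParameters"}
# Least to most privileged; each role is a superset of the one before it.
PREDEFINED_ROLES = [
    ("roles/memcache.viewer", ALL_MEMCACHE - VIEWER_EXCLUDED),
    ("roles/memcache.editor", ALL_MEMCACHE - EDITOR_EXCLUDED),
    ("roles/memcache.admin", ALL_MEMCACHE),
]
# Needed for general Google Cloud usage; custom roles must always include them.
PROJECT_PERMS = {"resourcemanager.projects.get", "resourcemanager.projects.list"}
CONSOLE_TASKS = {  # additional permissions per Console task, as listed on this page
    "Display the instance listing page": {"memcache.instances.get", "memcache.instances.list"},
    "Creating and editing an instance": {
        "memcache.instances.create", "memcache.instances.get", "memcache.instances.list",
        "memcache.instances.update", "memcache.instances.applyParameters",
        "memcache.instances.updateParameters", "compute.networks.list"},
    "Deleting an instance": {
        "memcache.instances.delete", "memcache.instances.get", "memcache.instances.list"},
    "Connecting to an instance from the Cloud Shell": {
        "memcache.instances.get", "memcache.instances.list", "memcache.instances.update"},
    "Viewing instance information": {"memcache.instances.get", "monitoring.timeSeries.list"},
}

def minimal_predefined_role(required):
    """Return (role, uncovered): the narrowest predefined Memcached role granting every
    memcache.* permission in `required`, and the non-memcache ones no Memcached role grants."""
    memcache_perms = {p for p in required if p.startswith("memcache.")}
    uncovered = set(required) - memcache_perms
    for role, perms in PREDEFINED_ROLES:
        if memcache_perms <= perms:
            return role, uncovered
    return None, uncovered  # no predefined role covers the request

def custom_role_permissions(tasks):
    """includedPermissions for a custom role limited to these Console tasks, with
    the two resourcemanager permissions this page requires always added."""
    perms = set(PROJECT_PERMS)
    for task in tasks:
        perms |= CONSOLE_TASKS[task]
    return sorted(perms)
```

Note that "Connecting to an instance from the Cloud Shell" needs memcache.instances.update, so Memcached Viewer is not enough for it, and the compute.* and monitoring.* permissions have to come from a role other than the Memcached ones.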

Required permissions for gcloud commands

To enable a user to work with Memorystore for Memcached using gcloud commands, the user's role must include the resourcemanager.projects.get and resourcemanager.projects.list permissions.

The following table lists the permissions that the user invoking a gcloud command must have for each gcloud beta memcache subcommand:

Command                                          Required permissions
gcloud beta memcache instances create            memcache.instances.get, memcache.instances.create
gcloud beta memcache instances delete            memcache.instances.delete
gcloud beta memcache instances update            memcache.instances.get, memcache.instances.update, memcache.instances.updateParameters
gcloud beta memcache instances list              memcache.instances.list
gcloud beta memcache instances describe          memcache.instances.get
gcloud beta memcache instances apply-parameters  memcache.instances.applyParameters
gcloud beta memcache operations list             memcache.operations.list
gcloud beta memcache operations describe         memcache.operations.get
gcloud beta memcache regions list                memcache.locations.list
gcloud beta memcache regions describe            memcache.locations.get
gcloud beta memcache zones list                  memcache.locations.list

Required permissions for API methods

The following table lists the permissions that the user must have to call each method in the Memorystore for Memcached API, or to perform tasks using Google Cloud tools that use the API (such as the Cloud Console or the gcloud command-line tool):

Method                      Required permissions
locations.get               memcache.locations.get
locations.list              memcache.locations.list
instances.create            memcache.instances.create
instances.delete            memcache.instances.delete
instances.get               memcache.instances.get
instances.list              memcache.instances.list
instances.patch             memcache.instances.update
instances.updateParameters  memcache.instances.updateParameters
instances.applyParameters   memcache.instances.applyParameters
operations.get              memcache.operations.get
operations.list             memcache.operations.list