This page describes how you can control project access and permissions for Memorystore for Memcached using Identity and Access Management (IAM).
Overview
IAM lets you control access to specific Google Cloud resources at a granular level, and also prevents unwanted access to those resources. For a detailed description of roles and permissions, see the IAM documentation.
Memorystore for Memcached provides a set of predefined roles designed to help you easily control access to your Memcached resources. If the predefined roles do not provide the sets of permissions you need, you can also create custom roles. In addition, the older basic roles (Editor, Viewer, and Owner) are still available to you, although they do not provide the same fine-grained control as the Memorystore for Memcached roles. Specifically, the basic roles provide access to resources across Google Cloud, rather than just for Memorystore for Memcached. For more information about basic roles, see Basic roles.
Permissions and roles
This section summarizes the permissions and roles that Memorystore for Memcached supports.
Predefined roles
Memorystore for Memcached provides predefined roles that you can use to provide finer-grained permissions to principals. The role you grant to a principal controls what actions the principal can take. Principals can be individuals, groups, or service accounts.
You can grant multiple roles to the same principal, and can change the roles at any time.
Each broader role includes the permissions of the narrower ones. For example, the Memcached Editor role includes all of the permissions of the Memcached Viewer role, plus the additional permissions specific to the Memcached Editor role. Likewise, the Memcached Admin role includes all of the permissions of the Memcached Editor role, plus its own additional permissions.
The basic roles (Owner, Editor, Viewer) provide permissions across Google Cloud. The roles specific to Memorystore for Memcached provide only Memorystore for Memcached permissions, except for the following Google Cloud permissions, which are needed for general Google Cloud usage:
- resourcemanager.projects.get
- resourcemanager.projects.list
The following table lists the predefined roles available for Memorystore for Memcached, along with their Memorystore for Memcached permissions:
Role | Name | Memcached permissions | Description
---|---|---|---
Owner | | | Full access and control for all Google Cloud resources; manage user access
Editor | | All memcache permissions except for *.getIamPolicy & *.setIamPolicy | Read-write access to all Google Cloud and Memcached resources (full control except for the ability to modify permissions)
Viewer | | | Read-only access to all Google Cloud resources, including Memcached resources
Memcached Admin | | | Full control for all Memorystore for Memcached resources.
Memcached Editor | | All memcache permissions except for | Manage Memorystore for Memcached instances. Can't create or delete instances.
Memcached Viewer | | All memcache permissions except for | Read-only access to all Memorystore for Memcached resources.
Permissions and their roles
The following table lists the permissions that Memorystore for Memcached supports, and the Memorystore for Memcached roles and basic roles that include each permission:
Permission | Memcached role | Basic role
---|---|---
 | Memcached Admin, Memcached Editor, Memcached Viewer | Reader
 | Memcached Admin, Memcached Editor, Memcached Viewer | Reader
 | Memcached Admin | Writer
 | Memcached Admin, Memcached Editor | Writer
 | Memcached Admin | Writer
 | Memcached Admin, Memcached Editor | Writer
 | Memcached Admin, Memcached Editor | Writer
 | Memcached Admin, Memcached Editor | Writer
 | Memcached Admin | Writer
 | Memcached Admin, Memcached Editor, Memcached Viewer | Reader
 | Memcached Admin, Memcached Editor, Memcached Viewer | Reader
 | Memcached Admin, Memcached Editor, Memcached Viewer | Reader
 | Memcached Admin, Memcached Editor, Memcached Viewer | Reader
 | Memcached Admin, Memcached Editor | Writer
Custom roles
If the predefined roles do not address your unique business requirements, you can define your own custom roles with permissions that you specify. When you create custom roles for Memorystore for Memcached, make sure that you include both resourcemanager.projects.get and resourcemanager.projects.list. For more information, see Permission dependencies.
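As an added example (not from this page or from Google's documentation), the shell helper below checks a candidate custom-role permission list for the two required project-level dependencies before emitting the gcloud iam roles create command, so a role missing them is caught before it is created. The project ID, role ID and member are placeholders, and memcache.instances.list is an assumed permission name that does not appear on this page.

```shell
#!/usr/bin/env bash
# Added example, not Memorystore's own tooling. PROJECT_ID, ROLE_ID and
# MEMBER below are hypothetical placeholders.
set -u

# Every custom role for Memorystore for Memcached must carry these two
# project-level dependencies, or console and gcloud users of the role
# cannot even resolve the project.
REQUIRED_DEPS="resourcemanager.projects.get resourcemanager.projects.list"

# check_role_perms "<comma-separated permissions>"
# Returns 0 when both dependencies are present; otherwise names the
# missing ones on stderr and returns 1. An empty list is also rejected.
check_role_perms() {
  local perms=",$1,"
  local missing=""
  [ "$perms" = ",," ] && { echo "empty permission list" >&2; return 1; }
  for dep in $REQUIRED_DEPS; do
    case "$perms" in
      *",$dep,"*) ;;                  # dependency present
      *) missing="$missing $dep" ;;   # record what is missing
    esac
  done
  if [ -n "$missing" ]; then
    echo "missing required dependencies:$missing" >&2
    return 1
  fi
  return 0
}

# build_role_cmd PROJECT_ID ROLE_ID "<permissions>"
# Prints the gcloud command that would create the role, but only after the
# permission list passes the dependency check. Pipe to sh to execute.
build_role_cmd() {
  check_role_perms "$3" || return 1
  printf 'gcloud iam roles create %s --project=%s --title="Memcached read-only (custom)" --permissions=%s --stage=GA\n' \
    "$2" "$1" "$3"
}

# Least-privilege read-only role: the two dependencies plus the get/list
# permissions on instances (memcache.instances.list is assumed, not on the page).
READ_ONLY_PERMS="resourcemanager.projects.get,resourcemanager.projects.list,memcache.instances.get,memcache.instances.list"

# Dry run: print the create command and the binding that grants it.
build_role_cmd "PROJECT_ID" "memcacheReadOnly" "$READ_ONLY_PERMS"
printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=projects/%s/roles/%s\n' \
  "PROJECT_ID" "group:MEMBER" "PROJECT_ID" "memcacheReadOnly"
```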
Required permissions for common tasks in the Google Cloud console
To enable a user to work with Memorystore for Memcached using the Google Cloud console, the user's role must include both the resourcemanager.projects.get and the resourcemanager.projects.list permissions.
The following table provides the other permissions required for some common tasks in the Google Cloud console:
Task | Required additional permissions
---|---
Display the instance listing page |
Creating and editing an instance |
Deleting an instance |
Connecting to an instance from the Cloud Shell |
Upgrading the Memcached version of an instance |
Viewing instance information |
Required permissions for gcloud commands
To enable a user to work with Memorystore for Memcached using gcloud commands, the user's role must include both the resourcemanager.projects.get and the resourcemanager.projects.list permissions.
The following table lists the permissions that the user invoking a gcloud command must have for each gcloud memcache subcommand:
Command | Required permissions
---|---
gcloud memcache instances create |
gcloud memcache instances delete |
gcloud memcache instances update |
gcloud memcache instances upgrade |
gcloud memcache instances list |
gcloud memcache instances describe |
gcloud memcache instances apply-parameters |
gcloud beta memcache instances apply-software-update |
gcloud memcache operations list |
gcloud memcache operations describe |
gcloud memcache regions list |
gcloud memcache regions describe |
gcloud memcache zones list |
Required permissions for API methods
The following table lists the permissions that the user must have to call each method in the Memorystore for Memcached API or to perform tasks using Google Cloud tools that use the API (such as the Google Cloud console or the gcloud command line tool):
Method | Required permissions
---|---
Maintenance policy permissions
The table below shows permissions required for managing the Maintenance policy for Memorystore for Memcached.
Permissions needed | Create a Memorystore instance with a maintenance policy enabled | Create or modify maintenance policies on an existing Memorystore instance | Viewing the maintenance policy settings | Rescheduling maintenance
---|---|---|---|---
memcache.instances.create | ✓ | X | X | X
memcache.instances.update | X | ✓ | X | X
memcache.instances.get | X | X | ✓ | X
memcache.instances.rescheduleMaintenance | X | X | X | ✓
What's next
- Monitor your Memcached instances.
- View audit logs for your Memcached instance.