Access control with IAM

This page describes how you can control Memorystore for Redis project access and permissions using Identity and Access Management (IAM).

Overview

Google Cloud offers IAM, which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Memorystore for Redis IAM roles and permissions. For a detailed description of roles and permissions, see the IAM documentation.

Memorystore for Redis provides a set of predefined roles designed to help you easily control access to your Redis resources. If the predefined roles do not provide the sets of permissions you need, you can also create your own custom roles. In addition, the older basic roles (Editor, Viewer, and Owner) are also still available to you, although they do not provide the same fine-grained control as the Memorystore for Redis roles. In particular, the basic roles provide access to resources across Google Cloud, rather than just for Memorystore for Redis. For more information about basic roles, see Basic roles.

Permissions and roles

This section summarizes the permissions and roles that Memorystore for Redis supports.

Predefined roles

Memorystore for Redis provides some predefined roles that you can use to provide finer-grained permissions to principals. The role you grant to a principal controls what actions the principal can take. Principals can be individuals, groups, or service accounts.

You can grant multiple roles to the same principal, and if you have the permissions to do so, you can change the roles granted to a principal at any time.

The broader roles include the more narrowly defined roles. For example, the Redis Editor role includes all of the permissions of the Redis Viewer role, along with the addition of permissions for the Redis Editor role. Likewise, the Redis Admin role includes all of the permissions of the Redis Editor role, along with its additional permissions.

The basic roles (Owner, Editor, Viewer) provide permissions across Google Cloud. The roles specific to Memorystore for Redis provide only Memorystore for Redis permissions, except for the following Google Cloud permissions, which are needed for general Google Cloud usage:

resourcemanager.projects.get
resourcemanager.projects.list

The following table lists the predefined roles available for Memorystore for Redis, along with their Memorystore for Redis permissions:

Role	Name	Redis permissions	Description
`roles/owner`	Owner	`redis.*`	Full access and control for all Google Cloud resources; manage user access
`roles/editor`	Editor	All `redis` permissions except for `*.getIamPolicy` & `.setIamPolicy`	Read-write access to all Google Cloud and Redis resources (full control except for the ability to modify permissions)
`roles/viewer`	Viewer	`redis..get redis..list`	Read-only access to all Google Cloud resources, including Redis resources
`roles/redis.admin`	Redis Admin	`redis.*`	Full control for all Memorystore for Redis resources.
`roles/redis.editor`	Redis Editor	All `redis` permissions except for `redis.instances.create redis.instances.delete redis.instances.upgrade redis.instances.import redis.instances.export redis.instances.updateAuth redis.instances.getAuthString redis.operations.delete`	Manage Memorystore for Redis instances. Can't create or delete instances.
`roles/redis.viewer`	Redis Viewer	All `redis` permissions except for `redis.instances.create redis.instances.delete redis.instances.update redis.instances.upgrade redis.instances.import redis.instances.export redis.instances.updateAuth redis.instances.getAuthString redis.operations.delete`	Read-only access to all Memorystore for Redis resources.

Permissions and their roles

The following table lists each permission that Memorystore for Redis supports and the Memorystore for Redis roles that include it:

Permission	Redis role	Basic role
`redis.instances.list`	Redis Admin Redis Editor Redis Viewer	Reader
`redis.instances.get`	Redis Admin Redis Editor Redis Viewer	Reader
`redis.instances.create`	Redis Admin	Writer
`redis.instances.update`	Redis Admin Redis Editor	Writer
`redis.instances.updateAuth`	Redis Admin	Writer
`redis.instances.getAuthString`	Redis Admin	Writer
`redis.instances.delete`	Redis Admin	Writer
`redis.instances.upgrade`	Redis Admin	Writer
`redis.instances.import`	Redis Admin	Writer
`redis.instances.export`	Redis Admin	Writer
`redis.locations.list`	Redis Admin Redis Editor Redis Viewer	Reader
`redis.locations.get`	Redis Admin Redis Editor Redis Viewer	Reader
`redis.operations.list`	Redis Admin Redis Editor Redis Viewer	Reader
`redis.operations.get`	Redis Admin Redis Editor Redis Viewer	Reader
`redis.operations.delete`	Redis Admin	Writer

Custom roles

If the predefined roles do not address your unique business requirements, you can define your own custom roles with permissions that you specify. To support this, IAM offers custom roles. When you create custom roles for Memorystore for Redis, make sure that you include both resourcemanager.projects.get and resourcemanager.projects.list. Otherwise, the Google Cloud console will not function correctly for Memorystore for Redis. For more information, see Permission dependencies. To learn how to create a custom role, see Creating a custom role.

Required permissions for common tasks in the Google Cloud console

To enable a user to work with Memorystore for Redis using the Google Cloud console, the user's role must include the resourcemanager.projects.get and the resourcemanager.projects.list permission.

The following table provides the other permissions required for some common tasks in the Google Cloud console:

Task	Required additional permissions
Display the instance listing page	`redis.instances.get redis.instances.list`
Creating and editing an instance	`redis.instances.create redis.instances.get redis.instances.list compute.networks.list`
Deleting an instance	`redis.instances.delete redis.instances.get redis.instances.list`
Connecting to an instance from the Cloud Shell	`redis.instances.get redis.instances.list redis.instances.update`
Viewing instance information	`redis.instances.get monitoring.timeSeries.list`
Importing and exporting RDB backup files	`redis.instances.import redis.instances.export`
Upgrading the Redis version of an instance	`redis.instances.upgrade`

Required permissions for gcloud commands

To enable a user to work with Memorystore for Redis using gcloud commands, the user's role must include the resourcemanager.projects.get and the resourcemanager.projects.list permission.

The following table lists the permissions that the user invoking a gcloud command must have for each gcloud redis subcommand:

Command	Required permissions
`gcloud redis instances auth`	`redis.instances.updateAuth redis.instances.getAuthString`
`gcloud redis instances create`	`redis.instances.get redis.instances.create`
`gcloud redis instances delete`	`redis.instances.delete`
`gcloud redis instances update`	`redis.instances.get redis.instances.update`
`gcloud redis instances list`	`redis.instances.list`
`gcloud redis instances describe`	`redis.instances.get`
`gcloud redis instances import`	`redis.instances.import`
`gcloud redis instances export`	`redis.instances.export`
`gcloud redis instances upgrade`	`redis.instances.upgrade`
`gcloud redis operations list`	`redis.operations.list`
`gcloud redis operations describe`	`redis.operations.get`
`gcloud redis regions list`	`redis.locations.list`
`gcloud redis regions describe`	`redis.locations.get`
`gcloud redis zones list`	`redis.locations.list`

Required permissions for API methods

The following table lists the permissions that the caller must have to call each method in the Memorystore for Redis API or to perform tasks using Google Cloud tools that use the API (such as the Google Cloud console or the gcloudcommand line tool):

Method	Required permissions
`locations.get`	`redis.locations.get`
`locations.list`	`redis.locations.list`
`instances.create`	`redis.instances.create`
`instances.delete`	`redis.instances.delete`
`instances.get`	`redis.instances.get`
`instances.list`	`redis.instances.list`
`instances.patch`	`redis.instances.update`
`instances.import`	`redis.instances.import`
`instances.export`	`redis.instances.export`
`instances.upgrade`	`redis.instances.upgrade`
`operations.get`	`redis.operations.get`
`operations.list`	`redis.operations.list`

Redis AUTH permissions

The following table shows the minimum permissions a user needs to complete some basic Memorystore for Redis AUTH tasks.

Permissions needed	Create a Memorystore instance with Redis AUTH enabled	Enable / disable AUTH on an existing Redis instance	View the AUTH string	View whether AUTH is enabled / disabled for a Redis instance
`redis.instances.update`	✓	X	X	X
`redis.instances.update`	X	✓	X	X
`redis.instances.get`	X	X	X	✓
`redis.instances.updateAuth`	✓	✓	X	X
`redis.instances.getAuthString`	X	X	✓	X

In-transit encryption permissions

The table below shows permissions required for enabling and managing In-transit encryption for Memorystore for Redis.

Permissions needed	Create a Memorystore instance with in-transit encryption	Download the Certificate Authority
`redis.instances.create`	✓	X
`redis.instances.get`	X	✓

Maintenance policy permissions

The table below shows permissions required for managing the Maintenance policy for Memorystore for Redis.

Permissions needed	Create a Memorystore instance with a maintenance policy enabled	Create or modify maintenance policies on an existing Memorystore instance	Viewing the maintenance policy settings	Rescheduling maintenance
`redis.instances.create`	✓	X	X	X
`redis.instances.update`	X	✓	X	X
`redis.instances.get`	X	X	✓	X
`redis.instances.rescheduleMaintenance`	X	X	X	✓

Import and export permissions

Using custom roles for importing and exporting requires two separate custom roles. One custom role for the user, and an additional custom role for the Redis instance's service account. The custom role for the service account uses Cloud Storage bucket level permissions.

To find the service account for your instance, run the following command and make a note of the service account listed under persistenceIamIdentity:

gcloud redis instances describe [INSTANCE_ID] --region=[REGION]

Permissions for the service account

Note that you only need to grant storage permissions to the service account at the bucket-level, not the entire project. For instructions, see Adding a principal to a bucket-level policy.

Once you grant your service account bucket-level permissions, you can ignore the message that says "Memorystore is unable to verify if service account xxxx@xxxx.gserviceaccount.com has the permissions required to import/export. For help verifying or updating permissions, contact your project's administrator. For the required permissions, see import/export permissions documentation." If you apply the permissions listed below to custom roles for the user account and the service account, the import/export will succeed.

Permissions for custom role for service account	Import with gcloud	Export with gcloud	Import with Google Cloud console	Export with Google Cloud console
`storage.buckets.get`	✓	✓	✓	✓
`storage.objects.get`	✓	X	✓	X
`storage.objects.create`	X	✓	X	✓
`storage.objects.delete`	X	Optional. (Grants permission to overwrite existing RDB file).	X	Optional. (Grants permission to overwrite existing RDB file).

Permissions for the user account

Permissions for custom role for user account	Import with gcloud	Export with gcloud	Import with Google Cloud console	Export with Google Cloud console
`resourcemanager.projects.get`	X	X	✓	✓
`redis.instances.get`	✓	✓	✓	✓
`redis.instances.list`	X	X	X	X
`redis.instances.import`	✓	X	✓	X
`redis.instances.export`	X	✓	X	✓
`redis.operations.get`	X	✓	✓	✓
`redis.operations.list`	X	X	✓	✓
`redis.operations.cancel`	✓	✓	✓	✓
`storage.buckets.list`	X	X	✓	✓
`storage.buckets.get`	X	X	✓	✓
`storage.objects.list`	X	X	✓	✓
`storage.objects.get`	X	X	✓	✓

What's next

Learn how to grant and revoke access.
Learn more about IAM.
Learn more about custom roles.