Access control

This page describes how you can control Memorystore for Redis project access and permissions using Cloud Identity and Access Management (IAM).

Overview

Google Cloud offers Cloud IAM, which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Memorystore for Redis IAM roles and permissions. For a detailed description of roles and permissions, see the Cloud IAM documentation.

Memorystore for Redis provides a set of predefined roles designed to help you easily control access to your Redis resources. If the predefined roles do not provide the sets of permissions you need, you can also create your own custom roles. In addition, the legacy primitive roles (Editor, Viewer, and Owner) are also still available to you, although they do not provide the same fine-grained control as the Memorystore for Redis roles. In particular, the primitive roles provide access to resources across Google Cloud, rather than just for Memorystore for Redis. For more information about primitive roles, see Primitive roles.

Permissions and roles

This section summarizes the permissions and roles that Memorystore for Redis supports.

Predefined roles

Memorystore for Redis provides some predefined roles that you can use to provide finer-grained permissions to project members. The role you grant to a project member controls what actions the member can take. Project members can be individuals, groups, or service accounts.

You can grant multiple roles to the same project member, and if you have the permissions to do so, you can change the roles granted to a project member at any time.

The broader roles include the more narrowly defined roles. For example, the Redis Editor role includes all of the permissions of the Redis Viewer role, along with the addition of permissions for the Redis Editor role. Likewise, the Redis Admin role includes all of the permissions of the Redis Editor role, along with its additional permissions.

The primitive roles (Owner, Editor, Viewer) provide permissions across Google Cloud. The roles specific to Memorystore for Redis provide only Memorystore for Redis permissions, except for the following Google Cloud permissions, which are needed for general Google Cloud usage:

resourcemanager.projects.get
resourcemanager.projects.list

The following table lists the predefined roles available for Memorystore for Redis, along with their Memorystore for Redis permissions:

Role	Name	Redis permissions	Description
`roles/owner`	Owner	`redis.*`	Full access and control for all Google Cloud resources; manage user access
`roles/editor`	Editor	All `redis` permissions except for `*.getIamPolicy` & `.setIamPolicy`	Read-write access to all Google Cloud and Redis resources (full control except for the ability to modify permissions)
`roles/viewer`	Viewer	`redis..get redis..list`	Read-only access to all Google Cloud resources, including Redis resources
`roles/redis.admin`	Redis Admin	`redis.*`	Full control for all Memorystore for Redis resources.
`roles/redis.editor`	Redis Editor	All `redis` permissions except for `redis.instances.create redis.instances.delete redis.instances.upgrade redis.instances.import redis.instances.export redis.operations.delete`	Manage Memorystore for Redis instances. Can't create or delete instances.
`roles/redis.viewer`	Redis Viewer	All `redis` permissions except for `redis.instances.create redis.instances.delete redis.instances.update redis.instances.upgrade redis.instances.import redis.instances.export redis.operations.delete`	Read-only access to all Memorystore for Redis resources.

Permissions and their roles

The following table lists each permission that Memorystore for Redis supports and the Memorystore for Redis roles that include it:

Permission	Redis role	Legacy role
`redis.instances.list`	Redis Admin Redis Editor Redis Viewer	Reader
`redis.instances.get`	Redis Admin Redis Editor Redis Viewer	Reader
`redis.instances.create`	Redis Admin	Writer
`redis.instances.update`	Redis Admin Redis Editor	Writer
`redis.instances.delete`	Redis Admin	Writer
`redis.instances.upgrade`	Redis Admin	Writer
`redis.instances.import`	Redis Admin	Writer
`redis.instances.export`	Redis Admin	Writer
`redis.locations.list`	Redis Admin Redis Editor Redis Viewer	Reader
`redis.locations.get`	Redis Admin Redis Editor Redis Viewer	Reader
`redis.operations.list`	Redis Admin Redis Editor Redis Viewer	Reader
`redis.operations.get`	Redis Admin Redis Editor Redis Viewer	Reader
`redis.operations.delete`	Redis Admin	Writer

Custom roles

If the predefined roles do not address your unique business requirements, you can define your own custom roles with permissions that you specify. To support this, IAM offers custom roles. When you create custom roles for Memorystore for Redis, make sure that you include both resourcemanager.projects.get and resourcemanager.projects.list. Otherwise, the Google Cloud Console will not function correctly for Memorystore for Redis. For more information, see Permission dependencies.

Required permissions for common tasks in the Cloud Console

To enable a user to work with Memorystore for Redis using the Cloud Console, the user's role must include the resourcemanager.projects.get and the resourcemanager.projects.list permission.

The following table provides the other permissions required for some common tasks in the Cloud Console:

Task	Required additional permissions
Display the instance listing page	`redis.instances.get redis.instances.list`
Creating and editing an instance	`redis.instances.create redis.instances.get redis.instances.list compute.networks.list`
Deleting an instance	`redis.instances.delete redis.instances.get redis.instances.list`
Connecting to an instance from the Cloud Shell	`redis.instances.get redis.instances.list redis.instances.update`
Viewing instance information	`redis.instances.get monitoring.timeSeries.list`
Importing and exporting RDB backup files	`redis.instances.import redis.instances.export`
Upgrading the Redis version of an instance	`redis.instances.upgrade`

Required permissions for gcloud commands

To enable a user to work with Memorystore for Redis using gcloud commands, the user's role must include the resourcemanager.projects.get and the resourcemanager.projects.list permission.

The following table lists the permissions that the user invoking a gcloud command must have for each gcloud redis subcommand:

Command	Required permissions
`gcloud redis instances create`	`redis.instances.get redis.instances.create`
`gcloud redis instances delete`	`redis.instances.delete`
`gcloud redis instances update`	`redis.instances.get redis.instances.update`
`gcloud redis instances list`	`redis.instances.list`
`gcloud redis instances describe`	`redis.instances.get`
`gcloud redis instances import`	`redis.instances.import`
`gcloud redis instances export`	`redis.instances.export`
`gcloud redis instances upgrade`	`redis.instances.upgrade`
`gcloud redis operations list`	`redis.operations.list`
`gcloud redis operations describe`	`redis.operations.get`
`gcloud redis regions list`	`redis.locations.list`
`gcloud redis regions describe`	`redis.locations.get`
`gcloud redis zones list`	`redis.locations.list`

Required permissions for API methods

The following table lists the permissions that the caller must have to call each method in the Memorystore for Redis API or to perform tasks using Google Cloud tools that use the API (such as the Cloud Console or the gcloudcommand line tool):

Method	Required permissions
`locations.get`	`redis.locations.get`
`locations.list`	`redis.locations.list`
`instances.create`	`redis.instances.create`
`instances.delete`	`redis.instances.delete`
`instances.get`	`redis.instances.get`
`instances.list`	`redis.instances.list`
`instances.patch`	`redis.instances.update`
`instances.import`	`redis.instances.import`
`instances.export`	`redis.instances.export`
`instances.upgrade`	`redis.instances.upgrade`
`operations.get`	`redis.operations.get`
`operations.list`	`redis.operations.list`

What's next

Learn how to grant and revoke access to project members.
Learn more about IAM.
Learn more about custom roles.