This page describes how you can control Memorystore for Redis project access and permissions using Identity and Access Management (IAM).
Overview
Google Cloud offers IAM, which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Memorystore for Redis IAM roles and permissions. For a detailed description of roles and permissions, see the IAM documentation.
Memorystore for Redis provides a set of predefined roles designed to help you easily control access to your Redis resources. If the predefined roles do not provide the sets of permissions you need, you can also create your own custom roles. In addition, the older basic roles (Editor, Viewer, and Owner) are also still available to you, although they do not provide the same fine-grained control as the Memorystore for Redis roles. In particular, the basic roles provide access to resources across Google Cloud, rather than just for Memorystore for Redis. For more information about basic roles, see Basic roles.
Permissions and roles
This section summarizes the permissions and roles that Memorystore for Redis supports.
Predefined roles
Memorystore for Redis provides some predefined roles that you can use to provide finer-grained permissions to principals. The role you grant to a principal controls what actions the principal can take. Principals can be individuals, groups, or service accounts.
You can grant multiple roles to the same principal, and if you have the permissions to do so, you can change the roles granted to a principal at any time.
The broader roles include the more narrowly defined roles. For example, the Redis Editor role includes all of the permissions of the Redis Viewer role plus its own additional permissions. Likewise, the Redis Admin role includes all of the permissions of the Redis Editor role plus its own additional permissions.
The basic roles (Owner, Editor, Viewer) provide permissions across Google Cloud. The roles specific to Memorystore for Redis provide only Memorystore for Redis permissions, except for the following Google Cloud permissions, which are needed for general Google Cloud usage:
- resourcemanager.projects.get
- resourcemanager.projects.list
The following table lists the predefined roles available for Memorystore for Redis, along with their Memorystore for Redis permissions:
Role | Name | Redis permissions | Description |
---|---|---|---|
Owner | | | Full access and control for all Google Cloud resources; manage user access |
Editor | | All redis permissions except for *.getIamPolicy & *.setIamPolicy | Read-write access to all Google Cloud and Redis resources (full control except for the ability to modify permissions) |
Viewer | | | Read-only access to all Google Cloud resources, including Redis resources |
Redis Admin | | | Full control for all Memorystore for Redis resources. |
Redis Editor | | All redis permissions except for | Manage Memorystore for Redis instances. Can't create or delete instances. |
Redis Viewer | | All redis permissions except for | Read-only access to all Memorystore for Redis resources. |
Permissions and their roles
The following table lists each permission that Memorystore for Redis supports and the Memorystore for Redis roles that include it:
Permission | Redis role | Basic role |
---|---|---|
 | Redis Admin, Redis Editor, Redis Viewer | Reader |
 | Redis Admin, Redis Editor, Redis Viewer | Reader |
 | Redis Admin | Writer |
 | Redis Admin, Redis Editor | Writer |
 | Redis Admin | Writer |
 | Redis Admin | Writer |
 | Redis Admin | Writer |
 | Redis Admin | Writer |
 | Redis Admin | Writer |
 | Redis Admin | Writer |
 | Redis Admin, Redis Editor, Redis Viewer | Reader |
 | Redis Admin, Redis Editor, Redis Viewer | Reader |
 | Redis Admin, Redis Editor, Redis Viewer | Reader |
 | Redis Admin, Redis Editor, Redis Viewer | Reader |
 | Redis Admin | Writer |
Custom roles
If the predefined roles do not address your unique business requirements, you can define your own custom roles with permissions that you specify. To support this, IAM offers custom roles. When you create custom roles for Memorystore for Redis, make sure that you include both resourcemanager.projects.get and resourcemanager.projects.list. Otherwise, the Google Cloud console will not function correctly for Memorystore for Redis. For more information, see Permission dependencies.
To learn how to create a custom role, see Creating a custom role.
Required permissions for common tasks in the Google Cloud console
To enable a user to work with Memorystore for Redis using the Google Cloud console, the user's role must include the resourcemanager.projects.get and resourcemanager.projects.list permissions.
The following table provides the other permissions required for some common tasks in the Google Cloud console:
Task | Required additional permissions |
---|---|
Display the instance listing page | |
Creating and editing an instance | |
Deleting an instance | |
Connecting to an instance from the Cloud Shell | |
Viewing instance information | |
Importing and exporting RDB backup files | |
Upgrading the Redis version of an instance | |
Required permissions for gcloud commands
To enable a user to work with Memorystore for Redis using gcloud commands, the user's role must include the resourcemanager.projects.get and resourcemanager.projects.list permissions.
The following table lists the permissions that the user invoking a gcloud command must have for each gcloud redis subcommand:
Command | Required permissions |
---|---|
gcloud redis instances auth | |
gcloud redis instances create | |
gcloud redis instances delete | |
gcloud redis instances update | |
gcloud redis instances list | |
gcloud redis instances describe | |
gcloud redis instances import | |
gcloud redis instances export | |
gcloud redis instances upgrade | |
gcloud redis operations list | |
gcloud redis operations describe | |
gcloud redis regions list | |
gcloud redis regions describe | |
gcloud redis zones list | |
Required permissions for API methods
The following table lists the permissions that the caller must have to call each method in the Memorystore for Redis API or to perform tasks using Google Cloud tools that use the API (such as the Google Cloud console or the gcloud command line tool):
Method | Required permissions |
---|---|
The Memorystore for Redis service account
Each Memorystore for Redis instance has a service account that it uses to communicate with other Google Cloud resources.
In some cases, such as exporting or using customer-managed encryption keys (CMEK), you must grant specific roles or permissions to this service account.
Memorystore for Redis service account format
Your instance's service account uses one of two different formats, depending on when it was created.
The first format is:
[PROJECT_NUMBER]-compute@developer.gserviceaccount.com
The second format is:
service-[PROJECT_NUMBER]@cloud-redis.iam.gserviceaccount.com
To confirm which service account your instance actually uses, see View your instance's service account.
Known issues
Sometimes a service account using the [PROJECT_NUMBER]-compute@developer.gserviceaccount.com format can conflict with your organization policy. For more information, and steps to resolve this issue, see Issues with the domain restricted sharing organization policy.
View your instance's service account
To view the service account for your instance, run the following command and make a note of the service account listed under persistenceIamIdentity:
gcloud redis instances describe [INSTANCE_ID] --region=[REGION]
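The describe command above is the source of truth for the service account, and the two formats listed earlier matter because only the compute default one is affected by the known organization-policy issue. The following added example (not Google's code) reads the command's output with the `--format=json` flag appended, pulls the e-mail out of persistenceIamIdentity, and reports which format it is. The describe output embedded below is constructed, and project numbers are assumed to be all digits.

```python
"""Find and classify the service account a Memorystore for Redis instance uses.

Added example for this page, not Google's code. It parses the JSON form of the
describe command shown above (gcloud ... --format=json) and tells the two
service-account formats apart so the org-policy known issue can be flagged.
Assumptions: the describe output is the constructed sample below, and
[PROJECT_NUMBER] is all digits.
"""
import json
import re

# Constructed sample of:
#   gcloud redis instances describe [INSTANCE_ID] --region=[REGION] --format=json
# Only the fields this example reads are included.
SAMPLE_DESCRIBE_JSON = """
{
  "name": "projects/example-project/locations/us-central1/instances/example-instance",
  "persistenceIamIdentity": "serviceAccount:service-123456789012@cloud-redis.iam.gserviceaccount.com",
  "state": "READY"
}
"""

# The two formats described on this page. Project numbers are assumed numeric.
COMPUTE_DEFAULT_FORMAT = re.compile(
    r"^(?P<project_number>\d+)-compute@developer\.gserviceaccount\.com$")
REDIS_AGENT_FORMAT = re.compile(
    r"^service-(?P<project_number>\d+)@cloud-redis\.iam\.gserviceaccount\.com$")


def service_account_email(describe_json: str) -> str:
    """Return the e-mail in persistenceIamIdentity, stripping the
    'serviceAccount:' member prefix the API puts in front of it."""
    identity = json.loads(describe_json)["persistenceIamIdentity"]
    prefix = "serviceAccount:"
    if not identity.startswith(prefix):
        raise ValueError(f"unexpected persistenceIamIdentity value: {identity!r}")
    return identity[len(prefix):]


def classify_service_account(email: str) -> dict:
    """Classify an e-mail into one of the two formats from this page.

    org_policy_known_issue is True for the compute default service account,
    which this page says can conflict with the domain restricted sharing
    organization policy.
    """
    candidates = (
        ("compute-default", COMPUTE_DEFAULT_FORMAT, True),
        ("redis-service-agent", REDIS_AGENT_FORMAT, False),
    )
    for fmt, pattern, known_issue in candidates:
        match = pattern.match(email)
        if match:
            return {
                "email": email,
                "format": fmt,
                "project_number": match["project_number"],
                "org_policy_known_issue": known_issue,
            }
    return {"email": email, "format": "unknown",
            "project_number": None, "org_policy_known_issue": False}


def inspect_instance(describe_json: str) -> dict:
    """Combine the two steps: extract the e-mail, then classify it."""
    return classify_service_account(service_account_email(describe_json))


if __name__ == "__main__":
    result = inspect_instance(SAMPLE_DESCRIBE_JSON)
    print(f"service account: {result['email']}")
    print(f"format: {result['format']} (project number {result['project_number']})")
    if result["org_policy_known_issue"]:
        print("note: compute default service account; check the domain restricted "
              "sharing organization policy before relying on import/export")
```

In practice you would pipe the real describe output into inspect_instance instead of the constructed sample; anything that classifies as "unknown" deserves a manual look, since it matches neither format this page documents.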
Redis AUTH permissions
The following table shows the minimum permissions a user needs to complete some basic Memorystore for Redis AUTH tasks.
Permissions needed | Create a Memorystore instance with Redis AUTH enabled | Enable / disable AUTH on an existing Redis instance | View the AUTH string | View whether AUTH is enabled / disabled for a Redis instance |
---|---|---|---|---|
redis.instances.create | ✓ | X | X | X |
redis.instances.update | X | ✓ | X | X |
redis.instances.get | X | X | X | ✓ |
redis.instances.updateAuth | ✓ | ✓ | X | X |
redis.instances.getAuthString | X | X | ✓ | X |
In-transit encryption permissions
The table below shows the permissions required for enabling and managing in-transit encryption for Memorystore for Redis.
Permissions needed | Create a Memorystore instance with in-transit encryption | Download the Certificate Authority |
---|---|---|
redis.instances.create | ✓ | X |
redis.instances.get | X | ✓ |
Maintenance policy permissions
The table below shows the permissions required for managing the maintenance policy for Memorystore for Redis.
Permissions needed | Create a Memorystore instance with a maintenance policy enabled | Create or modify maintenance policies on an existing Memorystore instance | Viewing the maintenance policy settings | Rescheduling maintenance |
---|---|---|---|---|
redis.instances.create | ✓ | X | X | X |
redis.instances.update | X | ✓ | X | X |
redis.instances.get | X | X | ✓ | X |
redis.instances.rescheduleMaintenance | X | X | X | ✓ |
Required permissions for import and export
Using custom roles for importing and exporting requires two separate custom roles: one for the user, and another for the Redis instance's service account. The custom role for the service account uses Cloud Storage bucket-level permissions.
To find the service account for your instance, see View your instance's service account.
Permissions for the service account
Note that you only need to grant storage permissions to the service account at the bucket level, not for the entire project. For instructions, see Adding a principal to a bucket-level policy.
Once you grant your service account bucket-level permissions, you can ignore the message that says "Memorystore is unable to verify if service account xxxx@xxxx.gserviceaccount.com has the permissions required to import/export. For help verifying or updating permissions, contact your project's administrator. For the required permissions, see import/export permissions documentation." If you apply the permissions listed below to custom roles for the user account and the service account, the import/export will succeed.
Permissions for custom role for service account | Import with gcloud | Export with gcloud | Import with Google Cloud console | Export with Google Cloud console |
---|---|---|---|---|
storage.buckets.get | ✓ | ✓ | ✓ | ✓ |
storage.objects.get | ✓ | X | ✓ | X |
storage.objects.create | X | ✓ | X | ✓ |
storage.objects.delete | X | Optional. (Grants permission to overwrite an existing RDB file.) | X | Optional. (Grants permission to overwrite an existing RDB file.) |
Permissions for the user account
Permissions for custom role for user account | Import with gcloud | Export with gcloud | Import with Google Cloud console | Export with Google Cloud console |
---|---|---|---|---|
resourcemanager.projects.get | X | X | ✓ | ✓ |
redis.instances.get | ✓ | ✓ | ✓ | ✓ |
redis.instances.list | X | X | X | X |
redis.instances.import | ✓ | X | ✓ | X |
redis.instances.export | X | ✓ | X | ✓ |
redis.operations.get | X | ✓ | ✓ | ✓ |
redis.operations.list | X | X | ✓ | ✓ |
redis.operations.cancel | ✓ | ✓ | ✓ | ✓ |
storage.buckets.list | X | X | ✓ | ✓ |
storage.buckets.get | X | X | ✓ | ✓ |
storage.objects.list | X | X | ✓ | ✓ |
storage.objects.get | X | X | ✓ | ✓ |
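The two tables above, together with the resourcemanager.projects.get and resourcemanager.projects.list requirement from the Custom roles section, define exactly what the user's custom role and the service account's custom role need for each import/export path. The added example below (not Google's code) encodes those tables as permission sets and checks a candidate pair of roles against them, reporting what is missing, what is surplus relative to least privilege, and whether the optional storage.objects.delete permission is absent for an export. The sample roles in the block are constructed; the task keys (import_gcloud, export_gcloud, import_console, export_console) are this example's own names for the four table columns.

```python
"""Check a pair of custom roles against this page's import/export tables.

Added example for this page, not Google's code. The permission sets below are
transcribed from the "Permissions for custom role for service account" and
"Permissions for custom role for user account" tables plus the
resourcemanager.projects.get/list baseline from the Custom roles section.
The role contents passed in are whatever you put in the role's permission list
(for example includedPermissions in a role YAML); the sample roles here are
constructed.
"""

# Baseline this page requires in any custom role used from the console or gcloud.
CONSOLE_BASELINE = frozenset({
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
})

# Cells marked ✓ in the user-account table, per column.
_CONSOLE_COMMON = {
    "resourcemanager.projects.get", "redis.instances.get",
    "redis.operations.get", "redis.operations.list", "redis.operations.cancel",
    "storage.buckets.list", "storage.buckets.get",
    "storage.objects.list", "storage.objects.get",
}
USER_REQUIRED = {
    "import_gcloud": frozenset({"redis.instances.get", "redis.instances.import",
                                "redis.operations.cancel"}),
    "export_gcloud": frozenset({"redis.instances.get", "redis.instances.export",
                                "redis.operations.get", "redis.operations.cancel"}),
    "import_console": frozenset(_CONSOLE_COMMON | {"redis.instances.import"}),
    "export_console": frozenset(_CONSOLE_COMMON | {"redis.instances.export"}),
}

# Cells marked ✓ in the service-account table; storage.objects.delete is
# optional for export (it only allows overwriting an existing RDB file).
SA_REQUIRED = {
    "import": frozenset({"storage.buckets.get", "storage.objects.get"}),
    "export": frozenset({"storage.buckets.get", "storage.objects.create"}),
}
SA_OPTIONAL = {"import": frozenset(), "export": frozenset({"storage.objects.delete"})}


def check_import_export_roles(task, user_permissions, sa_permissions):
    """Report missing and surplus permissions for one task.

    task is one of the USER_REQUIRED keys. Surplus permissions are reported
    because a custom role built for one task should not carry more than it
    needs (least privilege); the console baseline is never counted as surplus.
    """
    if task not in USER_REQUIRED:
        raise ValueError(f"unknown task {task!r}")
    operation = task.split("_")[0]          # "import" or "export"
    user = frozenset(user_permissions)
    sa = frozenset(sa_permissions)
    notes = []
    if not CONSOLE_BASELINE <= user:
        notes.append("user role lacks resourcemanager.projects.get/list; "
                     "the Google Cloud console will not work correctly")
    if operation == "export" and "storage.objects.delete" not in sa:
        notes.append("service-account role lacks storage.objects.delete; "
                     "export cannot overwrite an existing RDB file")
    report = {
        "task": task,
        "user_missing": sorted(USER_REQUIRED[task] - user),
        "user_surplus": sorted(user - USER_REQUIRED[task] - CONSOLE_BASELINE),
        "sa_missing": sorted(SA_REQUIRED[operation] - sa),
        "sa_surplus": sorted(sa - SA_REQUIRED[operation] - SA_OPTIONAL[operation]),
        "notes": notes,
    }
    report["ok"] = not report["user_missing"] and not report["sa_missing"]
    return report


if __name__ == "__main__":
    # Constructed sample roles: a user role meant for exports with gcloud that
    # also carries a storage permission it does not need, and a service-account
    # role that can write but not overwrite RDB files.
    user_role = CONSOLE_BASELINE | {"redis.instances.get", "redis.instances.export",
                                    "redis.operations.get", "redis.operations.cancel",
                                    "storage.objects.delete"}
    sa_role = {"storage.buckets.get", "storage.objects.create"}
    for key, value in check_import_export_roles("export_gcloud", user_role, sa_role).items():
        print(f"{key}: {value}")
```

Run the check against the permission list of each custom role before creating it; the surplus fields are the least-privilege review, and a non-empty user_missing or sa_missing is the reason the "Memorystore is unable to verify" message quoted above will turn into a failed operation rather than a harmless warning.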
What's next
- Learn how to grant and revoke access.
- Learn more about IAM.
- Learn more about custom roles.