Granting restricted permissions for import and export

This page documents the least-privilege IAM permissions you must grant to a user account so that it can import or export RDB backups. Use these least-privilege permissions when you do not want to grant broad IAM roles, and the permissions that come with them, to a user account.

If you want simple permissions that enable both import and export, apply the Cloud Memorystore Redis Admin role and Storage Admin role to the account of the user who needs to import or export.

Minimum required permissions to import and export

Listed below are the permissions that you must add to a custom role given to a user account for importing and exporting with minimal privilege. To learn how to create a custom role, see Creating a custom role.

You also need to create an additional custom role for your instance's service account and grant it in the bucket-level IAM policy of your Cloud Storage bucket.

To find the service account for your instance, run the following command and make a note of the service account listed under persistenceIamIdentity:

gcloud redis instances describe [INSTANCE_ID] --region=[REGION]

The service account follows the format "".

Permissions for the service account

Note that you only need to grant storage permissions to the service account at the bucket level, not for the entire project. For instructions, see Adding a member to a bucket-level policy.

Once you grant your service account bucket-level permissions, you can ignore the message that says "Memorystore is unable to verify if service account has the permissions required to import/export. For help verifying or updating permissions, contact your project's administrator. For the required permissions, see import/export permissions documentation." If you apply the permissions listed below to custom roles for the user account and the service account, the import/export will succeed.

Permissions for the custom role for the service account:

Permission               Import with gcloud   Export with gcloud   Import with Cloud Console   Export with Cloud Console
storage.objects.get      X                                         X
storage.objects.create                        X                                                X
storage.objects.delete                        X (Optional)                                     X (Optional)

Optional: storage.objects.delete grants permission to overwrite an existing RDB file during export.
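As an added example (not a script from the Memorystore documentation), the following shell script derives the service account's permission set from the table above, creates a custom role carrying it, and binds that role on the bucket only; the project, instance, region, bucket and role ID are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the Memorystore docs): build the least-privilege
# custom role for the instance's service account and bind it on one bucket.
# All names below are placeholders, not values from this page.
PROJECT_ID="${PROJECT_ID:-my-project}"
INSTANCE_ID="${INSTANCE_ID:-my-instance}"
REGION="${REGION:-us-central1}"
BUCKET="${BUCKET:-my-rdb-bucket}"
ROLE_ID="${ROLE_ID:-memorystoreRdbBucketAccess}"
# Permission set from the service-account table above:
#   import -> storage.objects.get ; export -> storage.objects.create
#   "overwrite" adds storage.objects.delete (export only) to replace an existing RDB.
sa_role_permissions() {
  case "$1" in
    import) perms="storage.objects.get" ;;
    export) perms="storage.objects.create" ;;
    both)   perms="storage.objects.get,storage.objects.create" ;;
    *) echo "usage: sa_role_permissions import|export|both [overwrite]" >&2; return 1 ;;
  esac
  if [ "${2:-}" = "overwrite" ] && [ "$1" != "import" ]; then
    perms="$perms,storage.objects.delete"
  fi
  printf '%s\n' "$perms"
}
# The persistenceIamIdentity value is already prefixed "serviceAccount:", so it
# can be passed to --member as-is.
lookup_sa() {
  gcloud redis instances describe "$INSTANCE_ID" --region="$REGION" \
    --format='value(persistenceIamIdentity)'
}
# Custom roles live at project level; the binding is made only on the bucket,
# not on the project, which is the least-privilege scope the page calls for.
apply_sa_role() {
  perms="$(sa_role_permissions "$1" "${2:-}")" || return 1
  sa="$(lookup_sa)" || return 1
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" \
    --title="Memorystore RDB bucket access" --stage=GA --permissions="$perms"
  gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
    --member="$sa" --role="projects/$PROJECT_ID/roles/$ROLE_ID"
}
# Dry run by default (no gcloud needed); set APPLY=1 to actually create and bind.
if [ "${APPLY:-0}" = "1" ]; then
  apply_sa_role "${1:-both}" "${2:-}"
else
  echo "Role permissions for '${1:-both} ${2:-}': $(sa_role_permissions "${1:-both}" "${2:-}")"
fi
```

Run it with `import`, `export`, `export overwrite` or `both` as the first argument to see the permission list; only with APPLY=1 does it call gcloud.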

Permissions for the user account

Permissions for custom role for user account Import with gcloud Export with gcloud Import with Cloud Console Export with Cloud Console
resourcemanager.projects.get X X
redis.instances.list X X X X
redis.instances.import X X
redis.instances.export X X
redis.operations.get X X
redis.operations.list X X
storage.buckets.list X X
storage.buckets.get X X
storage.objects.list X X
storage.objects.get X X

What's next