Granting restricted permissions for import and export

This page documents the least-privilege Cloud IAM permissions you must grant to a user account so that it can import or export RDB backups. Use these permissions in scenarios where you do not want to grant broad Cloud IAM roles, and the many permissions they carry, to a user account.

If you want simple permissions that enable both import and export, apply the Cloud Memorystore Redis Admin role and Storage Admin role to the account of the user who needs to import or export.

Minimum required permissions to import and export

Listed below are the permissions that you must add to a custom role given to a user account for importing and exporting with minimal privilege. To learn how to create a custom role, see Creating a custom role.

You also need to create a second custom role for your instance's service account and grant it at the bucket level on your Cloud Storage bucket.

To find the service account for your instance, run the following command and make a note of the service account listed under persistenceIamIdentity:

gcloud redis instances describe [INSTANCE_ID] --region=[REGION]

The service account has the format xxxxxxxxxxxx-compute@developer.gserviceaccount.com.

Permissions for the service account

Note that you only need to grant storage permissions to the service account at the bucket level, not on the entire project. For instructions, see Adding a member to a bucket-level policy.

Once you grant your service account bucket-level permissions, you can ignore the message that says "Memorystore is unable to verify if service account xxxxxxxxxxxx-compute@developer.gserviceaccount.com has the permissions required to import/export. For help verifying or updating permissions, contact your project's administrator. For the required permissions, see import/export permissions documentation." If you apply the permissions listed below to the custom roles for the user account and the service account, the import or export will succeed.

Permissions for custom role for service account Import with gcloud Export with gcloud Import with GCP Console Export with GCP Console
storage.buckets.get
storage.objects.get X X
storage.objects.create X X
storage.objects.delete X Optional. (Grants permission to overwrite existing RDB file.) X Optional. (Grants permission to overwrite existing RDB file.)

Permissions for the user account

Permissions for custom role for user account Import with gcloud Export with gcloud Import with GCP Console Export with GCP Console
resourcemanager.projects.get X X
redis.instances.get
redis.instances.list X X X X
redis.instances.import X X
redis.instances.export X X
redis.operations.get X X
redis.operations.list X X
redis.operations.cancel
storage.buckets.list X X
storage.buckets.get X X
storage.objects.list X X
storage.objects.get X X
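The procedure above (two custom roles, the persistenceIamIdentity lookup and the bucket-level binding), as an added shell example that is not part of the Memorystore documentation. It assumes placeholder role IDs memorystoreImportExportUser and memorystoreRdbBucketAccess, uses the union of each table's permissions so that one role covers gcloud and the Console, and assumes persistenceIamIdentity may be returned with a serviceAccount: prefix.

```shell
#!/bin/sh
# Added example, not from the Memorystore documentation: creates the two
# least-privilege custom roles this page describes and binds the service
# account role on the bucket only. Role IDs and all arguments are placeholders.
set -eu

# Every permission the service-account table lists (gcloud and Console, import
# and export). storage.objects.delete is optional: it only lets an export
# overwrite an existing RDB file, so it is added only when "overwrite" is passed.
sa_role_permissions() {
  p="storage.buckets.get,storage.objects.get,storage.objects.create"
  if [ "${1:-}" = "overwrite" ]; then p="$p,storage.objects.delete"; fi
  printf '%s\n' "$p"
}

# Every permission the user-account table lists, so one role covers import and
# export with both gcloud and the Console.
user_role_permissions() {
  printf '%s\n' "resourcemanager.projects.get,redis.instances.get,redis.instances.list,\
redis.instances.import,redis.instances.export,redis.operations.get,redis.operations.list,\
redis.operations.cancel,storage.buckets.list,storage.buckets.get,storage.objects.list,storage.objects.get"
}

# Assumption: persistenceIamIdentity may be "serviceAccount:EMAIL" or the bare e-mail.
to_member() {
  printf 'serviceAccount:%s\n' "${1#serviceAccount:}"
}

apply() { # apply PROJECT_ID BUCKET INSTANCE_ID REGION USER_EMAIL
  project="$1"; bucket="$2"; instance="$3"; region="$4"; user="$5"
  gcloud iam roles create memorystoreImportExportUser --project="$project" \
    --title="Memorystore import/export user" --stage=GA \
    --permissions="$(user_role_permissions)"
  gcloud projects add-iam-policy-binding "$project" --member="user:$user" \
    --role="projects/$project/roles/memorystoreImportExportUser"
  gcloud iam roles create memorystoreRdbBucketAccess --project="$project" \
    --title="Memorystore RDB bucket access" --stage=GA \
    --permissions="$(sa_role_permissions overwrite)"
  # The instance's service account is the persistenceIamIdentity field.
  sa="$(gcloud redis instances describe "$instance" --region="$region" \
        --format='value(persistenceIamIdentity)')"
  # Bucket-level binding only: the service account gets nothing project-wide.
  gcloud storage buckets add-iam-policy-binding "gs://$bucket" \
    --member="$(to_member "$sa")" \
    --role="projects/$project/roles/memorystoreRdbBucketAccess"
}

# Nothing runs unless explicitly asked, so the helpers can be sourced safely.
if [ "${1:-}" = "apply" ]; then shift; apply "$@"; fi
```

Run it as `sh grant-import-export.sh apply PROJECT_ID BUCKET INSTANCE_ID REGION USER_EMAIL`; drop the `overwrite` argument in `apply` if exports must never replace an existing RDB file.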
