Project access control

This page describes how you can control Cloud Memorystore for Redis project access and permissions using Cloud Identity and Access Management (IAM).

Overview

Google Cloud Platform offers Cloud IAM, which lets you give more granular access to specific GCP resources and prevents unwanted access to other resources. This page describes the Cloud Memorystore for Redis IAM roles and permissions. For a detailed description of roles and permissions, see the Cloud IAM documentation.

Cloud Memorystore for Redis provides a set of predefined roles designed to help you easily control access to your Redis resources. If the predefined roles do not provide the sets of permissions you need, you can also create your own custom roles. In addition, the legacy primitive roles (Editor, Viewer, and Owner) are also still available to you, although they do not provide the same fine-grained control as the Cloud Memorystore for Redis roles. In particular, the primitive roles provide access to resources across GCP, rather than just for Cloud Memorystore for Redis. For more information about primitive roles, see Primitive roles.

Permissions and roles

This section summarizes the permissions and roles that Cloud Memorystore for Redis supports.

Predefined roles

Cloud Memorystore for Redis provides some predefined roles that you can use to provide finer-grained permissions to project members. The role you grant to a project member controls what actions the member can take. Project members can be individuals, groups, or service accounts.

You can grant multiple roles to the same project member, and if you have the permissions to do so, you can change the roles granted to a project member at any time.

The broader roles include the more narrowly defined roles. For example, the Redis Editor role includes all of the permissions of the Redis Viewer role plus the permissions to update instances (redis.instances.update) and delete operations (redis.operations.delete). Likewise, the Redis Admin role includes all of the permissions of the Redis Editor role plus the permissions to create and delete instances (redis.instances.create and redis.instances.delete).

The primitive roles (Owner, Editor, Viewer) provide permissions across GCP. The roles specific to Cloud Memorystore for Redis provide only Cloud Memorystore for Redis permissions, except for the following GCP permissions, which are needed for general GCP usage:

resourcemanager.projects.get
resourcemanager.projects.list

The following table lists the predefined roles available for Cloud Memorystore for Redis, along with their Cloud Memorystore for Redis permissions:

roles/owner (Owner)
  Redis permissions: redis.*
  Description: Full access and control for all GCP resources; manage user access.

roles/editor (Editor)
  Redis permissions: all redis permissions except *.getIamPolicy and *.setIamPolicy
  Description: Read-write access to all GCP and Redis resources (full control except for the ability to modify permissions).

roles/viewer (Viewer)
  Redis permissions: redis.*.get, redis.*.list
  Description: Read-only access to all GCP resources, including Redis resources.

roles/redis.admin (Redis Admin)
  Redis permissions: redis.*
  Description: Full control for all Cloud Memorystore for Redis resources.

roles/redis.editor (Redis Editor)
  Redis permissions: all redis permissions except redis.instances.create and redis.instances.delete
  Description: Manage Cloud Memorystore for Redis instances. Can't create or delete instances.

roles/redis.viewer (Redis Viewer)
  Redis permissions: all redis permissions except redis.instances.create, redis.instances.delete, redis.instances.update, and redis.operations.delete
  Description: Read-only access to all Cloud Memorystore for Redis resources.
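The table above answers "what does this role grant?", but the question an auditor usually has is the inverse: "who in this project can delete (or reconfigure) a Redis instance?" The following added example, which is not Google's code, expands the predefined roles from the table into the Redis permissions they grant and walks a project IAM policy to list every member holding a given permission, flagging members who get it only through a primitive role (Owner, Editor, Viewer) and are therefore candidates for a Redis-specific role. The policy is a constructed sample in the JSON shape that gcloud projects get-iam-policy PROJECT_ID --format=json returns; the member names and project ID are made up. Note the caveat in members_with_permission: bindings inherited from a folder or organization, the membership of any group:, and IAM conditions are not resolved by this check.

```python
"""Who holds a given Memorystore for Redis permission in a project IAM policy?

Added example, not Google's code. Role-to-permission data is transcribed from
the predefined-roles table on this page; the policy below is a constructed
sample (made-up members and project ID).
"""
import json
from fnmatch import fnmatch

# Every Redis permission the page lists; this is what "redis.*" expands to.
REDIS_PERMISSIONS = frozenset({
    "redis.instances.list", "redis.instances.get", "redis.instances.create",
    "redis.instances.update", "redis.instances.delete",
    "redis.locations.list", "redis.locations.get",
    "redis.operations.list", "redis.operations.get", "redis.operations.delete",
})

# Glob patterns each role grants, per the predefined-roles table. The page says
# Editor lacks *.getIamPolicy/*.setIamPolicy, but neither is in the list above,
# so within that list Editor grants everything.
ROLE_GRANTS = {
    "roles/owner": ("redis.*",),
    "roles/editor": ("redis.*",),
    "roles/viewer": ("redis.*.get", "redis.*.list"),
    "roles/redis.admin": ("redis.*",),
    "roles/redis.editor": ("redis.*",),
    "roles/redis.viewer": ("redis.*",),
}
# Permissions the page explicitly carves out of a role.
ROLE_EXCLUDES = {
    "roles/redis.editor": {"redis.instances.create", "redis.instances.delete"},
    "roles/redis.viewer": {"redis.instances.create", "redis.instances.delete",
                           "redis.instances.update", "redis.operations.delete"},
}
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def role_permissions(role):
    """Set of Redis permissions a role grants; roles not in the table grant none here."""
    patterns = ROLE_GRANTS.get(role, ())
    granted = {p for p in REDIS_PERMISSIONS if any(fnmatch(p, pat) for pat in patterns)}
    return granted - ROLE_EXCLUDES.get(role, set())


def members_with_permission(policy, permission):
    """Map each member holding `permission` to the sorted roles that grant it.

    Only bindings present in this policy are considered: bindings inherited from
    a folder or organization, the membership of any group:, and IAM conditions
    are not resolved.
    """
    holders = {}
    for binding in policy.get("bindings", []):
        if permission in role_permissions(binding["role"]):
            for member in binding.get("members", []):
                holders.setdefault(member, []).append(binding["role"])
    return {m: sorted(roles) for m, roles in holders.items()}


def primitive_only_grants(policy, permission):
    """Members who hold `permission` solely through Owner/Editor/Viewer.

    Primitive roles also grant access to resources outside Memorystore, so these
    members are the candidates for moving to a roles/redis.* role.
    """
    return sorted(member
                  for member, roles in members_with_permission(policy, permission).items()
                  if all(r in PRIMITIVE_ROLES for r in roles))


# Constructed sample policy (made-up members and project ID).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci-deployer@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/redis.editor", "members": ["group:redis-ops@example.com"]},
    {"role": "roles/redis.viewer", "members": ["user:bob@example.com"]},
    {"role": "roles/viewer", "members": ["user:carol@example.com"]}
  ]
}
""")

if __name__ == "__main__":
    for perm in ("redis.instances.delete", "redis.instances.update"):
        print(perm)
        for member, roles in sorted(members_with_permission(SAMPLE_POLICY, perm).items()):
            print(f"  {member:65} via {', '.join(roles)}")
        print("  primitive-role only:", primitive_only_grants(SAMPLE_POLICY, perm))
```

Run against a real policy with python3 audit.py after replacing SAMPLE_POLICY with the output of gcloud projects get-iam-policy PROJECT_ID --format=json. In the sample, the CI service account can delete instances only because it holds roles/editor; replacing that binding with roles/redis.editor would keep its ability to update instances while removing create and delete, matching the table above.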

Permissions and their roles

The following table lists each permission that Cloud Memorystore for Redis supports, the Memorystore for Redis roles that include it, and the lowest primitive role (Viewer or Editor) that includes it. Owner includes every permission listed.

redis.instances.list
  Redis roles: Redis Admin, Redis Editor, Redis Viewer
  Primitive role: Viewer

redis.instances.get
  Redis roles: Redis Admin, Redis Editor, Redis Viewer
  Primitive role: Viewer

redis.instances.create
  Redis roles: Redis Admin
  Primitive role: Editor

redis.instances.update
  Redis roles: Redis Admin, Redis Editor
  Primitive role: Editor

redis.instances.delete
  Redis roles: Redis Admin
  Primitive role: Editor

redis.locations.list
  Redis roles: Redis Admin, Redis Editor, Redis Viewer
  Primitive role: Viewer

redis.locations.get
  Redis roles: Redis Admin, Redis Editor, Redis Viewer
  Primitive role: Viewer

redis.operations.list
  Redis roles: Redis Admin, Redis Editor, Redis Viewer
  Primitive role: Viewer

redis.operations.get
  Redis roles: Redis Admin, Redis Editor, Redis Viewer
  Primitive role: Viewer

redis.operations.delete
  Redis roles: Redis Admin, Redis Editor
  Primitive role: Editor

Custom roles

If the predefined roles do not address your requirements, you can define your own custom roles with exactly the permissions you specify. When you create custom roles for Cloud Memorystore for Redis, make sure that you include both resourcemanager.projects.get and resourcemanager.projects.list; otherwise, the Google Cloud Platform Console will not function correctly for Cloud Memorystore for Redis. For more information, see Permission dependencies.

Required permissions for common tasks in the GCP Console

To enable a user to work with Cloud Memorystore for Redis using the GCP Console, the user's role must include the resourcemanager.projects.get and resourcemanager.projects.list permissions.

The following table provides the other permissions required for some common tasks in the GCP Console:

Displaying the instance listing page
  redis.instances.get, redis.instances.list

Creating and editing an instance
  redis.instances.create, redis.instances.get, redis.instances.list, compute.networks.list

Deleting an instance
  redis.instances.delete, redis.instances.get, redis.instances.list

Connecting to an instance from the Cloud Shell
  redis.instances.get, redis.instances.list, redis.instances.update

Viewing instance information
  redis.instances.get, monitoring.timeSeries.list

Required permissions for gcloud commands

To enable a user to work with Cloud Memorystore for Redis using gcloud commands, the user's role must include the resourcemanager.projects.get and resourcemanager.projects.list permissions.

The following table lists the permissions that the user invoking a gcloud command must have for each gcloud redis subcommand:

gcloud redis instances create
  redis.instances.get, redis.instances.create

gcloud redis instances delete
  redis.instances.delete

gcloud redis instances update
  redis.instances.get, redis.instances.update

gcloud redis instances list
  redis.instances.list

gcloud redis instances describe
  redis.instances.get

gcloud redis operations list
  redis.operations.list

gcloud redis operations describe
  redis.operations.get

gcloud redis regions list
  redis.locations.list

gcloud redis regions describe
  redis.locations.get

gcloud redis zones list
  redis.locations.list
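The Custom roles section says a role must carry resourcemanager.projects.get and resourcemanager.projects.list on top of the Redis permissions, and the table above says which Redis permissions each gcloud redis subcommand needs. Putting the two together gives a least-privilege custom role for a principal (for example a deploy pipeline's service account) that only ever runs a fixed set of commands. The following added example, which is not Google's tooling, builds that permission set, renders it as a role definition in the form gcloud iam roles create ROLE_ID --project PROJECT_ID --file FILE accepts (title, stage, includedPermissions), and reviews a hand-written role for permissions that are missing (the commands or the Console would fail) or excess (not least privilege). The role title and the pipeline's command list are made up for illustration.

```python
"""Least-privilege custom roles for a fixed set of gcloud redis commands.

Added example, not Google's tooling. The command-to-permission table and the
resourcemanager.* requirement are transcribed from this page; the role title
and pipeline command list in __main__ are made up.
"""

# Permissions each gcloud redis subcommand needs, from the table on this page.
GCLOUD_COMMAND_PERMISSIONS = {
    "gcloud redis instances create": {"redis.instances.get", "redis.instances.create"},
    "gcloud redis instances delete": {"redis.instances.delete"},
    "gcloud redis instances update": {"redis.instances.get", "redis.instances.update"},
    "gcloud redis instances list": {"redis.instances.list"},
    "gcloud redis instances describe": {"redis.instances.get"},
    "gcloud redis operations list": {"redis.operations.list"},
    "gcloud redis operations describe": {"redis.operations.get"},
    "gcloud redis regions list": {"redis.locations.list"},
    "gcloud redis regions describe": {"redis.locations.get"},
    "gcloud redis zones list": {"redis.locations.list"},
}

# Required in any role used with gcloud or the GCP Console, per the page.
BASE_PERMISSIONS = frozenset({"resourcemanager.projects.get",
                              "resourcemanager.projects.list"})


def minimal_permissions(commands):
    """Smallest permission set that lets a principal run exactly `commands`."""
    perms = set(BASE_PERMISSIONS)
    for cmd in commands:
        if cmd not in GCLOUD_COMMAND_PERMISSIONS:
            raise ValueError(f"not a gcloud redis command on this page: {cmd!r}")
        perms |= GCLOUD_COMMAND_PERMISSIONS[cmd]
    return perms


def custom_role_file(title, commands, stage="GA"):
    """Render a role definition for `gcloud iam roles create --file`."""
    lines = [f"title: {title}", f"stage: {stage}", "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(minimal_permissions(commands))]
    return "\n".join(lines) + "\n"


def review_role(included_permissions, commands):
    """Compare an existing role's permission list with what `commands` need.

    Returns (missing, excess): permissions the commands (or the Console) need
    but the role lacks, and permissions the role grants that no command needs.
    """
    needed = minimal_permissions(commands)
    have = set(included_permissions)
    return sorted(needed - have), sorted(have - needed)


if __name__ == "__main__":
    # Hypothetical pipeline that only resizes existing instances and watches the result.
    pipeline = ["gcloud redis instances update", "gcloud redis instances describe",
                "gcloud redis operations describe"]
    print(custom_role_file("Redis instance updater", pipeline))

    # Reviewing a hand-written role: it forgot the resourcemanager permissions
    # and hands out delete, which the pipeline never uses.
    missing, excess = review_role(
        ["redis.instances.get", "redis.instances.update", "redis.instances.delete"],
        pipeline)
    print("missing:", missing)
    print("excess:", excess)
```

Write the rendered definition to a file and create the role with gcloud iam roles create ROLE_ID --project PROJECT_ID --file FILE; to review a role that already exists, feed the includedPermissions from gcloud iam roles describe ROLE_ID --project PROJECT_ID to review_role. The review deliberately treats every unneeded permission as excess, because the point of a custom role over roles/redis.editor is to drop update or delete rights the principal does not use.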

Required permissions for API methods

The following table lists the permissions that the caller must have to call each method in the Cloud Memorystore for Redis API or to perform tasks using GCP tools that use the API (such as the GCP Console or the gcloud command-line tool):

locations.get
  redis.locations.get

locations.list
  redis.locations.list

instances.create
  redis.instances.create

instances.delete
  redis.instances.delete

instances.get
  redis.instances.get

instances.list
  redis.instances.list

instances.patch
  redis.instances.update

operations.get
  redis.operations.get

operations.list
  redis.operations.list
