This page explains the Identity and Access Management roles available for Memorystore for Valkey, and the associated permissions for those roles.
To learn how to grant the role to a user in your project, see Grant or revoke a single role.
Predefined roles
The following predefined roles are available for Memorystore for Valkey. If you update a role for an Identity and Access Management principal, the change takes several minutes to take effect.
Role | Name | Memorystore permissions | Description |
---|---|---|---|
| Owner | | Full access and control for all Google Cloud resources; manage user access |
| Editor | All memorystore permissions except for *.getIamPolicy & .setIamPolicy | Read-write access to all Google Cloud and Valkey resources (full control except for the ability to modify permissions) |
| Viewer | | Read-only access to all Google Cloud resources, including Valkey resources |
| Memorystore Admin | | Full control for all Memorystore for Valkey resources. |
| Memorystore Editor | All memorystore permissions except for | Manage Memorystore for Valkey instances. Can't create or delete instances. |
| Memorystore Viewer | All memorystore permissions except for | Read-only access to all Memorystore for Valkey resources. |
| Memorystore Database Connection User | | A role that you can assign to users who need to authenticate with IAM Auth |
Permissions and their roles
The following table lists each permission that Memorystore for Valkey supports and the Memorystore for Valkey roles that include it:
Permission | Memorystore role | Basic role |
---|---|---|
| Memorystore Admin, Memorystore Editor, Memorystore Viewer | Viewer |
| Memorystore Admin, Memorystore Editor, Memorystore Viewer | Viewer |
| Memorystore Admin | Owner |
| Memorystore Admin, Memorystore Editor | Editor |
| Memorystore Admin, Memorystore Database Connection User | Owner |
Custom roles
If the predefined roles do not address your unique business requirements, you
can define your own custom roles with permissions that you specify. To support
this, IAM offers custom roles. When you create custom roles
for Memorystore for Valkey, make sure that you include
both resourcemanager.projects.get and resourcemanager.projects.list.
Otherwise, the Google Cloud console will not function correctly
for Memorystore for Valkey. For more information, see
Permission dependencies.
To learn how to create a custom role, see Creating a custom role.
In-transit encryption permissions
The following table shows the permissions required to enable and manage in-transit encryption for Memorystore for Valkey.
Permissions needed | Create a Memorystore instance with in-transit encryption | Download the Certificate Authority |
---|---|---|
memorystore.instances.create | ✓ | X |
memorystore.instances.get | X | ✓ |
Network connectivity policy creation role
The permissions described in this section are needed for the Network Admin who is establishing a service connection policy for Memorystore for Valkey, as described in the Networking page.
To establish the policy required for Memorystore for Valkey instance creation,
the Network Admin must have the networkconnectivity.googleapis.com/consumerNetworkAdmin
role, which grants the following permissions:
- networkconnectivity.serviceconnectionpolicies.create
- networkconnectivity.serviceconnectionpolicies.list
- networkconnectivity.serviceconnectionpolicies.get
- networkconnectivity.serviceconnectionpolicies.delete
- networkconnectivity.serviceconnectionpolicies.update
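The following is an added example, not part of the original page or of Google's tooling: a small audit that checks a custom role definition against the console dependencies from the Custom roles section, the in-transit encryption table, and the service connection policy permissions listed above. The function name `audit_role`, the task labels, and the sample role `valkeyTlsOperator` are assumptions made for illustration; the input is assumed to be a role definition carrying an `includedPermissions` list, as in the IAM role resource.

```python
import json

# Permissions the page says a custom role needs for the Google Cloud console.
CONSOLE_DEPS = {"resourcemanager.projects.get", "resourcemanager.projects.list"}

# Task -> permissions, copied from the in-transit encryption table and the
# service connection policy list on this page. Task labels are illustrative.
TASKS = {
    "create instance with in-transit encryption": {"memorystore.instances.create"},
    "download the Certificate Authority": {"memorystore.instances.get"},
    "administer service connection policies": {
        "networkconnectivity.serviceconnectionpolicies." + verb
        for verb in ("create", "list", "get", "delete", "update")
    },
}

def audit_role(role):
    """Check one role definition (dict with includedPermissions) against the page."""
    perms = set(role.get("includedPermissions", []))
    return {
        "missing_console_deps": sorted(CONSOLE_DEPS - perms),
        "supported_tasks": sorted(t for t, need in TASKS.items() if need <= perms),
        # A task granted only in part usually means an incomplete role.
        "partial_tasks": {
            t: sorted(need - perms)
            for t, need in TASKS.items()
            if need & perms and not need <= perms
        },
        # The Editor basic role excludes these; surface them in a custom role.
        "iam_policy_perms": sorted(
            p for p in perms if p.endswith((".getIamPolicy", ".setIamPolicy"))
        ),
    }

# Constructed sample: a hypothetical custom role in a placeholder project.
SAMPLE_ROLE = {
    "name": "projects/example-project/roles/valkeyTlsOperator",
    "includedPermissions": [
        "memorystore.instances.create",
        "memorystore.instances.get",
        "networkconnectivity.serviceconnectionpolicies.get",
        "resourcemanager.projects.get",
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE), indent=2))
```

For the constructed sample, the audit reports that resourcemanager.projects.list is missing and that the service connection policy task is only partially granted.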