Access control with IAM

You grant access to Parallelstore operations by granting Identity and Access Management (IAM) roles to users.

IAM permissions only control access to Parallelstore operations, like creating a Parallelstore instance. To control access to operations on the instance, like read or execute, use POSIX file permissions.

Permissions and roles

Parallelstore uses the following permissions:

Permission Description
parallelstore.instances.create Create new instances
parallelstore.instances.delete Delete instances
parallelstore.instances.update Update instances. Does not allow deletion
parallelstore.instances.get Retrieve instances
parallelstore.instances.list List all instances
parallelstore.instances.exportData Export data from Parallelstore to Cloud Storage
parallelstore.instances.importData Import data from Cloud Storage to Parallelstore

Google Cloud doesn't support granting individual permissions directly; you must grant a role that contains permissions. The following table lists the permissions granted by the predefined roles for Parallelstore, as well as the basic Editor role:

Capability Editor (roles/editor) Parallelstore (roles/parallelstore.*)
admin viewer
Create instances
Delete instances
Update instances
Get instances
List instances
Import/export data from/to Cloud Storage

Custom roles

If the available predefined roles don't meet your organization's access requirements, you can create and apply custom IAM roles.

When creating custom roles, we recommend using a combination of predefined roles to ensure that the correct permissions are included together.

Additional required Google Cloud permissions

In addition to the parallelstore permissions, there are some Google Cloud permissions required to complete specific tasks.

Task Permission
Create a VPC network servicenetworking.services.addPeering is required. Grant roles/compute.networkAdmin or roles/servicenetworking.networksAdmin.
Import from Cloud Storage The Parallelstore service account requires roles/storage.admin on the source bucket. See the Required permissions section of Transfer data to or from Cloud Storage for instructions.
Export to Cloud Storage The Parallelstore service account requires roles/storage.admin on the destination bucket. See the Required permissions section of Transfer data to or from Cloud Storage for instructions.
Create Compute Engine VMs Compute Instance Admin (v1). (roles/compute.instanceAdmin.v1) For more information, refer to the Compute Engine documentation.
Create and manage Google Kubernetes Engine clusters Container Admin. (roles/container.admin) For more information, refer to the Google Kubernetes Engine documentation.
Monitoring The Monitoring Viewer (roles/monitoring.viewer) role is required.