Access control (IAM)

Google Cloud offers Cloud Identity and Access Management (Cloud IAM), which lets you give granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Cloud IAM roles for reCAPTCHA Enterprise.

To learn how to assign Cloud IAM roles to a user or service account, read Managing policies in the Cloud IAM documentation.

Permissions and roles

This section summarizes the permissions and roles reCAPTCHA Enterprise supports.

API permissions

The following table lists the permissions that the caller must have to call each method in the reCAPTCHA Enterprise API, recaptchaenterprise.googleapis.com/v1:

| Method (REST/RPC) | Required permission(s) | For resource type |
|---|---|---|
| recaptchaenterprise.assessments.annotate / AnnotateAssessmentRequest | recaptchaenterprise.assessments.annotate | project |
| recaptchaenterprise.assessments.create / CreateAssessmentRequest | recaptchaenterprise.assessments.create | project |
| recaptchaenterprise.keys.create / CreateKeyRequest | recaptchaenterprise.keys.create | project |
| recaptchaenterprise.keys.delete / DeleteKeyRequest | recaptchaenterprise.keys.delete | project |
| recaptchaenterprise.keys.get / GetKeyRequest | recaptchaenterprise.keys.get | project |
| recaptchaenterprise.keys.list / ListKeysRequest | recaptchaenterprise.keys.list | project |
| recaptchaenterprise.keys.update / UpdateKeyRequest | recaptchaenterprise.keys.update | project |

Roles

Cloud IAM roles include permissions and can be assigned to users, groups, and service accounts. The following roles include the listed permissions for reCAPTCHA Enterprise:

| Role name | reCAPTCHA Enterprise permissions | Description |
|---|---|---|
| roles/recaptchaenterprise.agent (Cloud reCAPTCHA Enterprise Agent) | recaptchaenterprise.assessments.create, recaptchaenterprise.assessments.annotate | Access to create and annotate reCAPTCHA Enterprise assessments. |
| roles/recaptchaenterprise.viewer (Cloud reCAPTCHA Enterprise Viewer) | recaptchaenterprise.keys.get, recaptchaenterprise.keys.list | Access to view reCAPTCHA Enterprise keys. |
| roles/recaptchaenterprise.admin (Cloud reCAPTCHA Enterprise Admin) | Permissions in recaptchaenterprise.viewer, plus: recaptchaenterprise.keys.create, recaptchaenterprise.keys.delete, recaptchaenterprise.keys.update | Access to view and modify reCAPTCHA Enterprise keys. |

Custom roles

To create a custom role that includes reCAPTCHA Enterprise permissions, do the following:

  • For a role granting permissions only for the reCAPTCHA Enterprise API, choose from the permissions in the preceding section, API permissions.
  • For a role granting permissions for the reCAPTCHA Enterprise API and console, choose permission groups in the preceding section, Console permissions.
  • To grant the ability to create and annotate assessments, include the permission(s) in the role roles/recaptchaenterprise.agent in the section Roles.

For more information on custom roles, go to Creating and managing custom roles.
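
A least-privilege review of the roles listed on this page, as an added example (not Google's code): it compares what each member of an IAM policy is granted with the permissions its workload actually calls, and names the smallest predefined role that would cover them. The policy, the principals and the `needs` inventory are constructed assumptions; the role contents come from the Roles table.

```python
P = "recaptchaenterprise."
AGENT, VIEWER, ADMIN = ("roles/" + P + n for n in ("agent", "viewer", "admin"))
# Role contents copied from the Roles table on this page.
ROLES = {
    AGENT: {P + "assessments.create", P + "assessments.annotate"},
    VIEWER: {P + "keys.get", P + "keys.list"},
}
ROLES[ADMIN] = ROLES[VIEWER] | {P + "keys.create", P + "keys.delete", P + "keys.update"}


def fitting_role(want):
    """Smallest predefined role covering `want`; None if no single role fits or nothing is needed."""
    fits = [r for r, perms in ROLES.items() if want and want <= perms]
    return min(fits, key=lambda r: len(ROLES[r]), default=None)


def audit(policy, needs):
    """Return {member: finding} where granted permissions differ from needs.
    `needs` maps member -> permissions its workload calls (an inventory you keep; assumption).
    """
    held = {}
    for binding in policy["bindings"]:
        for member in binding["members"]:
            held.setdefault(member, set()).update(ROLES.get(binding["role"], set()))
    report = {}
    for member, have in held.items():
        want = needs.get(member, set())
        if have != want:
            report[member] = {"excess": sorted(have - want),
                              "missing": sorted(want - have),
                              "suggest": fitting_role(want)}
    return report


# Constructed sample data (hypothetical principals, not a real project).
BACKEND = "serviceAccount:backend@example-project.iam.gserviceaccount.com"
SCORER = "serviceAccount:scorer@example-project.iam.gserviceaccount.com"
AUDITOR = "user:auditor@example.com"
SAMPLE_POLICY = {"bindings": [{"role": r, "members": [m]} for r, m in
                              ((ADMIN, BACKEND), (AGENT, SCORER), (VIEWER, AUDITOR))]}
SAMPLE_NEEDS = {
    BACKEND: {P + "assessments.create", P + "assessments.annotate"},
    SCORER: {P + "assessments.create"},
    AUDITOR: {P + "keys.get", P + "keys.list"},
}

if __name__ == "__main__":
    for member, finding in audit(SAMPLE_POLICY, SAMPLE_NEEDS).items():
        print(member, finding)
```

The backend account is flagged because the admin role carries only key permissions and none of the assessment permissions it needs. When `excess` stays non-empty under the suggested role, or `fitting_role` returns None, a custom role is the tighter fit.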