reCAPTCHA Enterprise offers Role-Based Access Control (RBAC) with Identity and Access Management (IAM) and access control for reCAPTCHA Enterprise APIs using VPC Service Controls.
Role-based access control with IAM
Role-Based Access Control (RBAC) with IAM is a key differentiator between reCAPTCHA Enterprise and all prior versions of reCAPTCHA. IAM lets you give granular access to specific Google Cloud resources and prevents unwanted access to other resources, such as logs and analytics.
This section describes the IAM roles for reCAPTCHA Enterprise.
To learn how to assign IAM roles to a user or service account, read Granting, changing, and revoking access to resources in the IAM documentation.
Roles and permissions
The following table lists the necessary IAM roles and their permissions for reCAPTCHA Enterprise:
| Role name | Role description | Role object | Role permissions |
|---|---|---|---|
| reCAPTCHA Enterprise Agent | Access to create and annotate reCAPTCHA Enterprise assessments. Use this role for service accounts. |
roles/recaptchaenterprise.agent |
recaptchaenterprise.assessments.create
recaptchaenterprise.assessments.annotate |
| reCAPTCHA Enterprise Admin | Access to create, modify, and delete reCAPTCHA Enterprise keys. | roles/recaptchaenterprise.admin |
recaptchaenterprise.viewer
recaptchaenterprise.keys.create
recaptchaenterprise.keys.delete
recaptchaenterprise.keys.update
recaptchaenterprise.keys.retrievelegacysecretkey |
| reCAPTCHA Enterprise Viewer | Access to view reCAPTCHA Enterprise keys. | roles/recaptchaenterprise.viewer |
monitoring.timeSeries.list
recaptchaenterprise.keys.get
recaptchaenterprise.keys.list
recaptchaenterprise.metrics.get
recaptchaenterprise.projectmetadata.get
resourcemanager.projects.get
resourcemanager.projects.list
|
Custom roles
You might require custom roles for use cases such as regulatory requirements. To create a custom role that includes reCAPTCHA Enterprise permissions, perform the appropriate action as shown in the following table:
| Role description | Action |
|---|---|
| Role that only grants permissions for the reCAPTCHA Enterprise API | Choose from the permissions in the API permissions section. |
| Role that grants permissions for the reCAPTCHA Enterprise API and console | Choose permissions groups in the in the Roles and permissions section. |
| Role that grants the ability to create and annotate assessments | Include the
permissions in the role roles/recaptchaenterprise.agent in
the Roles and permissions section. |
For more information on custom roles, go to Creating and managing custom roles.
API permissions
The following table lists the permissions that the caller must have to call each
method in the reCAPTCHA Enterprise API, recaptchaenterprise.googleapis.com/v1:
| Method (REST/RPC) | Required Permissions | For resource type |
|---|---|---|
recaptchaenterprise.assessments.annotate / AnnotateAssessmentRequest |
recaptchaenterprise.assessments.annotate |
project |
recaptchaenterprise.assessments.create / CreateAssessmentRequest |
recaptchaenterprise.assessments.create |
project |
recaptchaenterprise.keys.create / CreateKeyRequest |
recaptchaenterprise.keys.create |
project |
recaptchaenterprise.keys.delete / DeleteKeyRequest |
recaptchaenterprise.keys.delete |
project |
recaptchaenterprise.keys.get / GetKeyRequest |
recaptchaenterprise.keys.get |
project |
recaptchaenterprise.keys.list / ListKeysRequest |
recaptchaenterprise.keys.list |
project |
recaptchaenterprise.keys.update / UpdateKeyRequest |
recaptchaenterprise.keys.update |
project |
VPC Service Controls
VPC Service Controls support reCAPTCHA Enterprise to provide additional access control for reCAPTCHA Enterprise APIs. For more information, see Supported products and limitations > reCAPTCHA Enterprise.