IAM permissions for Transfer service for on-premises data

This page describes Identity and Access Management (IAM) permissions required for Transfer for on-premises.

Overview

Transfer for on-premises uses IAM permissions to control who can access Transfer for on-premises resources. These permissions are granted to users through IAM roles.

We recommend using predefined IAM roles that address typical use cases. However, you may need a role that includes a custom set of permissions, or you may want to grant only the permissions a task needs in order to follow the principle of least privilege. In those cases, you may choose to create an IAM custom role to meet your needs.

A Google Cloud project administrator, that is, an account with the resourcemanager.projects.setIamPolicy permission, is required for first-time setup of each project. This permission allows the administrator to create and grant IAM roles.

Permissions required to create on-premises transfers

To create and manage on-premises transfers, consider using the following types of accounts:

  • Transfer for on-premises administrator (admin) accounts: Admin accounts are used to support user accounts; the accounts can manage on-premises agents and set bandwidth usage limits.
  • User accounts: User accounts create and start transfers. We recommend not providing user accounts access to delete transfer jobs.

The following sections describe the IAM permissions required to use Transfer for on-premises.

Transfer administrator account

The following table describes the permissions that the administrator account requires to support colleagues performing transfers:

Permissions:
  resourcemanager.projects.getIamPolicy
Description:
  Used to confirm that the Transfer for on-premises service account has the required permissions for a transfer.
  For more information on this permission, see Project permissions.
  The Project predefined role roles/browser can be used to grant read access for browsing the project hierarchy.

Permissions:
  storagetransfer.projects.getServiceAccount
  storagetransfer.jobs.create
  storagetransfer.jobs.delete
  storagetransfer.jobs.get
  storagetransfer.jobs.list
  storagetransfer.jobs.patch
  storagetransfer.operations.get
  storagetransfer.operations.list
  storagetransfer.operations.pause
  storagetransfer.operations.resume
Description:
  Enables administrative actions in the transfer project, such as project setup and agent monitoring.
  For more information on these permissions, see Permissions.
  The Storage Transfer Service predefined role roles/storagetransfer.admin grants the listed permissions.

User accounts

The following table describes the permissions that user accounts require to create and start transfers:

Permissions:
  resourcemanager.projects.getIamPolicy
Description:
  Used to confirm that the Transfer for on-premises service account has the required Pub/Sub permissions for a transfer.
  For more information on this permission, see Project permissions.
  The Project predefined role roles/browser can be used to grant read access for browsing the project hierarchy.

Permissions:
  storagetransfer.projects.getServiceAccount
  storagetransfer.jobs.create
  storagetransfer.jobs.get
  storagetransfer.jobs.list
  storagetransfer.jobs.patch
  storagetransfer.operations.get
  storagetransfer.operations.list
  storagetransfer.operations.pause
  storagetransfer.operations.resume
Description:
  Enables the user to create, get, update, and list transfers.
  For more information on these permissions, see Permissions.
  The Storage Transfer Service predefined role roles/storagetransfer.user grants the listed permissions.

Permissions:
  resourcemanager.projects.get
  resourcemanager.projects.list
  storage.objects.create
  storage.objects.delete
  storage.objects.get
  storage.objects.getIamPolicy
  storage.objects.list
  storage.objects.setIamPolicy
  storage.objects.update
Description:
  Enables the user to create, update, and delete Cloud Storage objects as part of a transfer.
  For more information on these permissions, see IAM permissions for Cloud Storage.
  The Cloud Storage predefined role roles/storage.objectAdmin grants the listed permissions.
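The Overview mentions creating a custom role when predefined roles grant more than least privilege requires, and the user-account guidance above recommends withholding the ability to delete transfer jobs. As an added example (this is not code from the Google Cloud documentation or from the Storage Transfer Service project), the following POSIX shell script assembles a custom role from exactly the user-account permissions listed above, leaves out storagetransfer.jobs.delete, and prints the gcloud commands that would create the role and bind it to a user. The project ID, role ID, and user e-mail are placeholders; the YAML layout is the one accepted by gcloud iam roles create --file, and the binding command is gcloud projects add-iam-policy-binding.

```shell
#!/bin/sh
# Added example, not part of the Google Cloud documentation: build a
# least-privilege custom role for Transfer for on-premises user accounts from
# the permissions in the user-accounts table, deliberately omitting
# storagetransfer.jobs.delete. PROJECT_ID, ROLE_ID and USER_EMAIL are
# placeholders to replace before running the printed gcloud commands.

PROJECT_ID="${PROJECT_ID:-my-project-id}"      # placeholder project ID
ROLE_ID="${ROLE_ID:-onpremTransferUser}"        # placeholder custom role ID
USER_EMAIL="${USER_EMAIL:-user@example.com}"    # placeholder principal

# Permissions required by user accounts (from the table above), one per line.
USER_PERMISSIONS="
resourcemanager.projects.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.projects.getServiceAccount
storagetransfer.jobs.create
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.jobs.patch
storagetransfer.operations.get
storagetransfer.operations.list
storagetransfer.operations.pause
storagetransfer.operations.resume
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storage.objects.update
"

# Write the role definition in the YAML format accepted by
# `gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=FILE`.
write_role_yaml() {
  out="$1"
  {
    printf 'title: "Transfer for on-premises user"\n'
    printf 'description: "Creates and starts on-premises transfers; cannot delete transfer jobs"\n'
    printf 'stage: "GA"\n'
    printf 'includedPermissions:\n'
    for p in $USER_PERMISSIONS; do
      printf '%s %s\n' '-' "$p"
    done
  } > "$out"
}

# Exit status 0 if the role file grants the named permission, 1 otherwise.
# Use it to confirm a permission you meant to withhold is really absent.
role_grants() {
  grep -qxF -- "- $2" "$1"
}

# Number of permissions the role file grants.
role_permission_count() {
  grep -c '^- ' "$1"
}

# The commands to create the role and bind it to one user (printed, not run).
print_gcloud_commands() {
  printf 'gcloud iam roles create %s --project=%s --file=%s\n' \
    "$ROLE_ID" "$PROJECT_ID" "$1"
  printf 'gcloud projects add-iam-policy-binding %s --member=user:%s --role=projects/%s/roles/%s\n' \
    "$PROJECT_ID" "$USER_EMAIL" "$PROJECT_ID" "$ROLE_ID"
}

# Stand-alone use: `sh this_script.sh --run` writes the role file, refuses to
# continue if the delete permission slipped in, and prints the gcloud commands.
if [ "${1:-}" = "--run" ]; then
  role_file="onprem-transfer-user-role.yaml"
  write_role_yaml "$role_file"
  if role_grants "$role_file" storagetransfer.jobs.delete; then
    echo "refusing: role grants storagetransfer.jobs.delete" >&2
    exit 1
  fi
  echo "wrote $role_file with $(role_permission_count "$role_file") permissions"
  print_gcloud_commands "$role_file"
fi
```

The same pattern produces an administrator role by adding storagetransfer.jobs.delete to the list; keeping the two lists in version control makes the difference between the two account types reviewable. gcloud rejects unknown permission names when the role is created, so a typo in the list surfaces at creation time rather than as a failed transfer.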

Permissions required to conduct on-premises transfers

Transfer for on-premises uses the following types of accounts to transfer data:

  • A Google-managed service account: The service account communicates with Cloud Storage and Pub/Sub resources within your project.

  • An agent account: The account used to run the Transfer for on-premises agents that transfer your data to Cloud Storage. The agent account can be either a user account or a service account that you create.

The following sections describe permissions necessary to conduct transfers.

Google-managed service account

Transfer for on-premises uses a Google-managed service account to communicate with Cloud Storage and Pub/Sub resources within your project. The permissions required for the service account are detailed in the following sections.

The service account's format is project-PROJECT_NUMBER@storage-transfer-service.iam.gserviceaccount.com. To determine your specific PROJECT_NUMBER, use the googleServiceAccounts.get API call.

Destination Cloud Storage bucket

The following table describes the permissions that the service account requires to transfer data to the destination Cloud Storage bucket:

Permission               Description
storage.buckets.get      Allows the service account to determine the billing location.
storage.objects.create   Allows the service account to write transfer receipt objects.
storage.objects.get      Allows the service account to read list output and determine upload preconditions when retrying an object upload.
storage.objects.list     Allows the service account to calculate the delta for sync and to list temporary component objects created during the transfer so that they can be removed.

Google Cloud project

The following table describes the permissions that the service account requires to communicate with your Google Cloud project:

Permission                    Description
pubsub.subscriptions.create   Allows the service account to create the Pub/Sub subscriptions used to assign tasks and track progress, and the subscription for heartbeat messages used by Transfer for on-premises.
pubsub.subscriptions.delete   Allows the service account to remove orphaned subscriptions.
pubsub.topics.create          Allows the service account to attach task topics to the task assignments Pub/Sub subscription, track task progress, and create heartbeat and control topics.

Pub/Sub topics

The following table describes the permissions that the service account requires to communicate with Pub/Sub topics used by Transfer for on-premises; apply the permissions at the project level:

Permission                         Description
pubsub.topics.attachSubscription   Allows the service account to attach assignment subscriptions to the Pub/Sub task, progress, pulse, and control topics.
pubsub.topics.publish              Allows the service account to create assignment, progress, pulse, and control Pub/Sub topics.

Pub/Sub subscriptions

The following table describes the permissions that the service account requires to communicate with Pub/Sub subscriptions used by Transfer for on-premises:

Permission                     Description
pubsub.subscriptions.consume   Allows the service account to read from progress and pulse Pub/Sub subscriptions.
pubsub.subscriptions.get       Allows the service account to confirm subscription attachment.

On-premises agent account

Transfer for on-premises uses an agent account to transfer data to your Cloud Storage bucket. The agent account is either a user account or a user-managed service account that you use to run the on-premises agents. This agent account communicates between the agents you install on-premises and the Transfer for on-premises service. The permissions required for the agent account are detailed in the following sections.

Destination Cloud Storage bucket

The following table describes the permissions that the on-premises agent account requires to transfer data to your Cloud Storage destination bucket:

Permission               Description
storage.objects.create   Allows the agent account to write Cloud Storage objects during transfer.
storage.objects.delete   Allows the agent account to delete or overwrite Cloud Storage objects during transfer.
storage.objects.get      Allows the agent account to retry with correct preconditions for composite uploads.

Transfer for on-premises Pub/Sub topics

The following table describes the permissions that the on-premises agent account requires on the Pub/Sub topics that Transfer for on-premises uses; apply the permissions at the project level:

Permission                         Description
pubsub.topics.attachSubscription   Allows the agent account to listen to the control Pub/Sub topic.
pubsub.topics.get                  Allows the agent account to confirm that the progress and pulse Pub/Sub topics exist.
pubsub.topics.publish              Allows the agent account to publish to the task progress and pulse Pub/Sub topics.

Pub/Sub subscriptions

The following table describes the permissions that the on-premises agent account requires to communicate with Pub/Sub subscriptions used by Transfer for on-premises; apply the permissions at the project level:

Permission                     Description
pubsub.subscriptions.consume   Allows the agent account to read Pub/Sub topics for task assignment and control.
pubsub.subscriptions.create    Allows the agent account to create control Pub/Sub subscriptions.
pubsub.subscriptions.get       Allows the agent account to confirm that the control, pulse, and assignment Pub/Sub subscriptions exist.
pubsub.subscriptions.delete    Allows the agent account to clean up control subscriptions on exit.