Overview
The Transcoder API uses Identity and Access Management (IAM) for access control.
You can configure access control for the Transcoder API at the project level. For example, you can grant access for developers to list and get all jobs within a project.
For a detailed description of IAM and its features, see the IAM documentation. In particular, see the section on managing IAM policies.
Every Transcoder API method requires the caller to have the necessary permissions. For more information, see Permissions and Roles.
Permissions
This section summarizes the Transcoder API permissions that IAM supports.
Required permissions
The following tables list the IAM permissions that are associated with the Transcoder API.
Job method | Required permissions |
---|---|
jobs.create | transcoder.jobs.create on the parent Google Cloud project. |
jobs.delete | transcoder.jobs.delete on the parent Google Cloud project. |
jobs.get | transcoder.jobs.get on the parent Google Cloud project. |
jobs.list | transcoder.jobs.list on the parent Google Cloud project. |
Job template method | Required permissions |
---|---|
jobTemplates.create | transcoder.jobTemplates.create on the parent Google Cloud project. |
jobTemplates.delete | transcoder.jobTemplates.delete on the parent Google Cloud project. |
jobTemplates.get | transcoder.jobTemplates.get on the parent Google Cloud project. |
jobTemplates.list | transcoder.jobTemplates.list on the parent Google Cloud project. |
Roles
The following table lists the Transcoder API IAM roles, including the permissions associated with each role:
IAM role | Permissions |
---|---|
Transcoder Viewer (roles/transcoder.viewer) | Viewer of all transcoder resources. |
Transcoder Admin (roles/transcoder.admin) | Full access to all transcoder resources. |
The roles roles/owner and roles/editor grant the permissions associated with the roles/transcoder.admin role. The role roles/viewer grants the permissions associated with the roles/transcoder.viewer role.
The roles roles/owner, roles/editor, and roles/viewer include permissions for other Google Cloud services as well. For more information about roles, see Understanding roles.
Access to Cloud Storage and Pub/Sub
By default, the Transcoder API has access to all of your project's Cloud Storage buckets and Pub/Sub topics. When you create your first job, the Transcoder API creates a service account using the following naming convention:
service-PROJECT_NUMBER@gcp-sa-transcoder.iam.gserviceaccount.com
PROJECT_NUMBER is the project number of your project with the Transcoder API enabled. This service account is granted the Transcoder Service Agent role and has permissions to do the following:
- Download and upload files to your project's Cloud Storage buckets
- Publish status updates to your project's Pub/Sub topics
Limiting access
To limit this access, remove the Transcoder Service Agent role from the service account and replace it with more fine-grained access. Follow these steps:
- Go to the IAM page (Permissions tab) in the Google Cloud console.
- Find the service account with the Transcoder Service Agent role and select the edit button.
- Delete the Transcoder Service Agent role from the service account.
- Grant access to the service account for each individual Cloud Storage bucket:
  - Go to the Cloud Storage Browser page.
  - Click a bucket.
  - Select the Permissions tab.
  - Click Add.
  - In the New principals box, type the name of the service account.
  - Under Role, select Storage Object Admin.
  - Click Save. The Transcoder API now has access to the bucket.
- (Optional) Grant access to the service account for any configured Pub/Sub topic:
  - Go to the Pub/Sub topics page.
  - Click a topic.
  - Select the Permissions tab.
  - Click Add principal.
  - In the New principals box, type the name of the service account.
  - Under Role, select Pub/Sub Publisher.
  - Click Save. The Transcoder API now has access to the topic.
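To confirm that the steps above took effect, the following added example (not part of this page or the Transcoder API itself) audits IAM policies exported with `gcloud ... get-iam-policy --format=json` for the service agent named above: it reports whether the agent still holds the project-wide Transcoder Service Agent role and which roles it holds on a bucket or topic. It assumes `roles/transcoder.serviceAgent` is the role ID of the "Transcoder Service Agent" role, and the policies it runs on are constructed samples.

```python
import re

# Assumption: the IAM role ID behind the console's "Transcoder Service Agent" role.
SERVICE_AGENT_ROLE = "roles/transcoder.serviceAgent"
# Member form of the agent named in the text: service-PROJECT_NUMBER@gcp-sa-transcoder...
TRANSCODER_AGENT = re.compile(
    r"^serviceAccount:service-\d+@gcp-sa-transcoder\.iam\.gserviceaccount\.com$")


def agent_roles(policy: dict) -> dict:
    """Map each Transcoder service agent member in `policy` to its sorted list of roles.

    `policy` is the JSON from `gcloud projects get-iam-policy`, `gcloud storage buckets
    get-iam-policy` or `gcloud pubsub topics get-iam-policy`; all three share the
    {"bindings": [{"role": ..., "members": [...]}]} shape, so one audit covers all.
    """
    found = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if TRANSCODER_AGENT.match(member):
                found.setdefault(member, set()).add(binding["role"])
    return {member: sorted(roles) for member, roles in found.items()}


def broad_access_members(project_policy: dict) -> list:
    """Agent members that still hold the project-wide Transcoder Service Agent role."""
    return sorted(m for m, roles in agent_roles(project_policy).items()
                  if SERVICE_AGENT_ROLE in roles)


# Constructed sample policies (not a real project): before and after the steps above.
AGENT = "serviceAccount:service-123456789012@gcp-sa-transcoder.iam.gserviceaccount.com"
PROJECT_BEFORE = {"bindings": [
    {"role": SERVICE_AGENT_ROLE, "members": [AGENT]},
    {"role": "roles/transcoder.viewer", "members": ["user:dev@example.com"]},
]}
PROJECT_AFTER = {"bindings": [
    {"role": "roles/transcoder.viewer", "members": ["user:dev@example.com"]},
]}
BUCKET_AFTER = {"bindings": [
    {"role": "roles/storage.objectAdmin", "members": [AGENT]},
]}

if __name__ == "__main__":
    print("before:", broad_access_members(PROJECT_BEFORE))  # agent still has broad access
    print("after :", broad_access_members(PROJECT_AFTER))   # []
    print("bucket:", agent_roles(BUCKET_AFTER))             # access scoped to one bucket
```

Feed it a real export by replacing the sample dicts with `json.load` of the `gcloud` output; an empty result from `broad_access_members` on the project policy and an `objectAdmin`-only result on each bucket is the expected end state.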