Access control with IAM

Overview

The Transcoder API uses Identity and Access Management (IAM) for access control.

You can configure access control for the Transcoder API at the project level. For example, you can grant access for developers to list and get all jobs within a project.

For a detailed description of IAM and its features, see the IAM documentation. In particular, see the section on managing IAM policies.

Every Transcoder API method requires the caller to have the necessary permissions. For more information, see Permissions and Roles.

Permissions

This section summarizes the Transcoder API permissions that IAM supports.

Required permissions

The following tables list the IAM permissions that are associated with the Transcoder API.

Job method     Required permissions
jobs.create    transcoder.jobs.create on the parent Google Cloud project.
jobs.delete    transcoder.jobs.delete on the parent Google Cloud project.
jobs.get       transcoder.jobs.get on the parent Google Cloud project.
jobs.list      transcoder.jobs.list on the parent Google Cloud project.

Job template method     Required permissions
jobTemplates.create     transcoder.jobTemplates.create on the parent Google Cloud project.
jobTemplates.delete     transcoder.jobTemplates.delete on the parent Google Cloud project.
jobTemplates.get        transcoder.jobTemplates.get on the parent Google Cloud project.
jobTemplates.list       transcoder.jobTemplates.list on the parent Google Cloud project.

Roles

The following table lists the Transcoder API IAM roles, including the permissions associated with each role:

Transcoder API role Permissions
roles/transcoder.viewer
  • transcoder.jobs.list
  • transcoder.jobs.get
  • transcoder.jobTemplates.list
  • transcoder.jobTemplates.get
roles/transcoder.admin All roles/transcoder.viewer permissions, and:
  • transcoder.jobs.create
  • transcoder.jobs.delete
  • transcoder.jobTemplates.create
  • transcoder.jobTemplates.delete

The roles roles/owner and roles/editor grant the permissions associated with the roles/transcoder.admin role. The role roles/viewer grants permissions associated with the roles/transcoder.viewer role.

The roles roles/owner, roles/editor, and roles/viewer include permissions for other Google Cloud services as well. For more information about roles, see Understanding roles.

Access to Cloud Storage and Pub/Sub

By default, the Transcoder API has access to all of your project's Cloud Storage buckets and Pub/Sub topics. When you create your first job, the Transcoder API creates a service account using the following naming convention:

service-PROJECT_NUMBER@gcp-sa-transcoder.iam.gserviceaccount.com

PROJECT_NUMBER is the project number of your project with the Transcoder API enabled. This service account is granted the Transcoder Service Agent role and has permissions to do the following:

  • Download and upload files to your project's Cloud Storage buckets
  • Publish status updates to your project's Pub/Sub topics

Limiting access

To limit this access, remove the project-wide Transcoder Service Agent role from the service account and replace it with grants on only the individual buckets and topics your jobs use. Follow these steps:

  1. Go to the IAM page (Permissions tab) in the Google Cloud Console.
  2. Find the service account with the Transcoder Service Agent role and select the edit button.
  3. Delete the Transcoder Service Agent role from the service account.
  4. Grant access to the service account for each individual Cloud Storage bucket:
    1. Go to the Cloud Storage Browser page.
    2. Click a bucket.
    3. Select the Permissions tab.
    4. Click Add.
    5. In the New principals box, type the name of the service account.
    6. Under Role, select Storage Object Admin.
    7. Click Save. The Transcoder API now has access to the bucket.
  5. (Optional) Grant access to the service account for any configured Pub/Sub topic:
    1. Go to the Pub/Sub topics page.
    2. Click a topic.
    3. Select the Permissions tab.
    4. Click Add principal.
    5. In the New principals box, type the name of the service account.
    6. Under Role, select Pub/Sub Publisher.
    7. Click Save. The Transcoder API now has access to the topic.
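The same narrowing, expressed on IAM policy JSON, as an added example that is not part of the Google Cloud documentation or the Transcoder API itself: it removes the broad project-level grant (step 3), adds the per-bucket and per-topic grants (steps 4 and 5), and audits whether every bucket or topic a job uses has received its grant. It assumes the policy dictionaries have the shape that `gcloud ... get-iam-policy --format=json` prints, that the Transcoder Service Agent role ID is roles/transcoder.serviceAgent, and that the project number 123456789012 and policy contents are constructed sample data.

```python
# Added example, not Google's code: plan and audit the Transcoder service agent's narrowed access.
from copy import deepcopy

SERVICE_AGENT_ROLE = "roles/transcoder.serviceAgent"  # assumed ID of "Transcoder Service Agent"
BUCKET_ROLE = "roles/storage.objectAdmin"             # Storage Object Admin
TOPIC_ROLE = "roles/pubsub.publisher"                 # Pub/Sub Publisher

def service_agent_member(project_number: int) -> str:
    """IAM member string for the project's Transcoder service agent (naming convention above)."""
    return f"serviceAccount:service-{project_number}@gcp-sa-transcoder.iam.gserviceaccount.com"

def has_binding(policy: dict, role: str, member: str) -> bool:
    """True if an unconditional binding in `policy` grants `role` to `member`."""
    return any(b["role"] == role and "condition" not in b and member in b["members"]
               for b in policy.get("bindings", []))

def remove_binding(policy: dict, role: str, member: str) -> dict:
    """Copy of `policy` with `member` dropped from `role` (step 3: remove the service agent role)."""
    new = deepcopy(policy)
    kept = []
    for b in new.get("bindings", []):
        if b["role"] == role:
            b["members"] = [m for m in b["members"] if m != member]
            if not b["members"]:
                continue  # IAM rejects bindings with no members, so drop the binding entirely
        kept.append(b)
    new["bindings"] = kept
    return new

def add_binding(policy: dict, role: str, member: str) -> dict:
    """Copy of `policy` granting `role` to `member` on one bucket or topic (steps 4 and 5)."""
    new = deepcopy(policy)
    for b in new.setdefault("bindings", []):
        if b["role"] == role and "condition" not in b:  # never widen a conditional binding
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new

def audit(project_policy: dict, buckets: dict, topics: dict, project_number: int) -> dict:
    """Report whether the broad grant is gone and each bucket/topic (name -> policy) has its narrow grant."""
    sa = service_agent_member(project_number)
    return {
        "broad_access": has_binding(project_policy, SERVICE_AGENT_ROLE, sa),
        "buckets_missing": sorted(n for n, p in buckets.items() if not has_binding(p, BUCKET_ROLE, sa)),
        "topics_missing": sorted(n for n, p in topics.items() if not has_binding(p, TOPIC_ROLE, sa)),
    }

# Constructed sample: the project policy after the first job created the service agent.
SAMPLE_PROJECT_POLICY = {"etag": "BwXsample", "bindings": [
    {"role": SERVICE_AGENT_ROLE, "members": [service_agent_member(123456789012)]}]}
```

Write the returned dictionaries back with the matching `set-iam-policy` command; a non-empty `buckets_missing` after the change means a job writing to that bucket will fail on permissions.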