Use IAM to control access

Workflows uses Identity and Access Management (IAM) to control which authenticated users and service accounts can perform which actions.

Before you begin authenticating and authorizing access to your Workflows resources, make sure you understand the basic concepts of IAM.

This page details the permissions required to access Workflows resources, including the ability to invoke workflow executions.

For information on granting permissions to workflows to access other services, see Grant a workflow permission to access Google Cloud resources.

Access control

Regardless of how you implement authentication, it's important to understand access control and the available Workflows roles. A role is a collection of permissions that grant access to resources in Google Cloud. When building a production application, only grant a service account the roles it needs to interact with the applicable Google Cloud APIs, features, or resources.

For more information about the available Workflows roles, see Workflows roles and permissions.

Invoke Workflows

A service account, or principal, can be thought of as both an identity and a resource that accepts IAM policies. As a result, you can let other principals access a service account by granting them a role on the service account, or on one of the service account's parent resources.

For example, you can grant a service account the workflows.invoker role so that the account has permission to trigger your workflow execution. You could then allow a principal to impersonate, or act as your service account. Note that the workflow service account does not require the workflows.invoker role, unless the workflow invokes itself or other workflows.

For more information on allowing principals to impersonate service accounts, see Managing service account impersonation.

To grant the service account of the service calling Workflows the workflows.invokerrole so that the service has permission to execute workflows and manage the executions, do the following:

Console

  1. In the Google Cloud console, go to the Service Accounts page:
    Go to Service Accounts

  2. Select a project and then click Create service account.

  3. In the Service account name field, enter a name, such as sa-name.

  4. Click Create and continue.

  5. In the Select a role list, select Workflows > Workflows Invoker.

  6. Click Done.

gcloud

  1. Open a terminal.

  2. Enter the following command:

    gcloud projects add-iam-policy-binding PROJECT_ID \
       --member serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
       --role roles/workflows.invoker

    Replace the following:

    • PROJECT_ID: the ID of your Google Cloud project.
    • SERVICE_ACCOUNT_NAME: the name of the service account.