Workflows uses Identity and Access Management (IAM) to control which authenticated users and service accounts can perform which actions.
Before you begin authenticating and authorizing access to your Workflows resources, make sure you understand the basic concepts of IAM.
This page details the permissions required to access Workflows resources, including the ability to invoke workflow executions.
For information on granting permissions to workflows to access other services, see Grant a workflow permission to access Google Cloud resources.
Access control
Regardless of how you implement authentication, it's important to understand access control and the available Workflows roles. A role is a collection of permissions that grant access to resources in Google Cloud. When building a production application, only grant a service account the roles it needs to interact with the applicable Google Cloud APIs, features, or resources.
For more information about the available Workflows roles, see Workflows roles and permissions.
Invoke Workflows
A service account is both an identity and a resource that accepts IAM policies. As a result, you can grant roles to the service account, then let other principals impersonate the service account by granting them a role on the service account or on one of the service account's parent resources.
For example, you can grant a service account the workflows.invoker role so that the account has permission to trigger your workflow execution. You could then allow a principal to impersonate, or act as, your service account. Note that the workflow service account does not require the workflows.invoker role, unless the workflow invokes itself or other workflows.
For more information on service account impersonation, see Service account impersonation.
To grant the service account of the service calling Workflows the Workflows Invoker role (roles/workflows.invoker) so that the service has permission to execute workflows and manage the executions, do the following:
Console
In the Google Cloud console, go to the Service Accounts page:
Go to Service Accounts
Select a project and then click Create service account.
In the Service account name field, enter a name, such as sa-name.
Click Create and continue.
In the Select a role list, select Workflows > Workflows Invoker.
Click Done.
gcloud
Open a terminal.
Enter the following command:
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
        --role roles/workflows.invoker

Replace the following:
PROJECT_ID: the ID of your Google Cloud project.
SERVICE_ACCOUNT_NAME: the name of the service account.
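The access control section above says to grant a calling service account only the roles it needs, and the procedure grants it roles/workflows.invoker. The following script is an added example and is not part of the Workflows documentation or the gcloud tool. It assumes you have exported the project policy with gcloud projects get-iam-policy PROJECT_ID --format=json (the sample policy embedded here is constructed for the example) and checks two things a reviewer would want to confirm after running the command on this page: that the caller holds the invoker role, and that it does not also hold a basic role (owner, editor, viewer) that is far broader than a Workflows caller needs. The member string and the add-iam-policy-binding command are rebuilt from the page's own values so the same helper can be used to log or review what will be granted.

```python
"""Audit a project IAM policy for a service account that calls Workflows.

Added example, not from the Workflows documentation. Input is the JSON that
`gcloud projects get-iam-policy PROJECT_ID --format=json` prints; the sample
below is constructed for this example.
"""
import json

INVOKER_ROLE = "roles/workflows.invoker"

# Basic roles that grant far more than a Workflows caller needs. Treating these
# as "over-broad" for a caller identity is the example's assumption.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample of `gcloud projects get-iam-policy --format=json` output.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {
            "role": "roles/workflows.invoker",
            "members": ["serviceAccount:sa-name@my-project.iam.gserviceaccount.com"],
        },
        {
            "role": "roles/editor",
            "members": [
                "serviceAccount:legacy-caller@my-project.iam.gserviceaccount.com",
                "user:alice@example.com",
            ],
        },
    ],
    "etag": "BwXconstructed=",
    "version": 1,
})


def service_account_member(sa_name, project_id):
    """Build the IAM member string used by the gcloud command on the page."""
    return f"serviceAccount:{sa_name}@{project_id}.iam.gserviceaccount.com"


def add_binding_command(project_id, sa_name):
    """Reproduce the documented add-iam-policy-binding command for review/logging."""
    return (
        f"gcloud projects add-iam-policy-binding {project_id} "
        f"--member {service_account_member(sa_name, project_id)} "
        f"--role {INVOKER_ROLE}"
    )


def roles_for_member(policy_json, member):
    """Return the set of roles bound to `member` anywhere in the policy."""
    policy = json.loads(policy_json)
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def audit_caller(policy_json, member):
    """Summarise whether `member` can invoke workflows and whether it is over-privileged."""
    roles = roles_for_member(policy_json, member)
    return {
        "has_invoker": INVOKER_ROLE in roles,
        "broad_roles": sorted(roles & BROAD_ROLES),
        "all_roles": sorted(roles),
    }


if __name__ == "__main__":
    project = "my-project"
    for name in ("sa-name", "legacy-caller"):
        member = service_account_member(name, project)
        print(member, audit_caller(SAMPLE_POLICY, member))
    print(add_binding_command(project, "sa-name"))
```

Run it against a real export by replacing SAMPLE_POLICY with the file contents; a caller that shows has_invoker True and an empty broad_roles list matches the least-privilege guidance above, while a non-empty broad_roles list is the binding to remove.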