You grant access to Parallelstore operations by granting Identity and Access Management (IAM) roles to users.
IAM permissions only control access to Parallelstore operations, like creating a Parallelstore instance. To control access to operations on the instance, like read or execute, use POSIX file permissions.
Permissions and roles
Parallelstore uses the following permissions:
| Permission | Description |
|---|---|
parallelstore.instances.create | Create new instances |
parallelstore.instances.delete | Delete instances |
parallelstore.instances.update | Update instances. Does not allow deletion |
parallelstore.instances.get | Retrieve instances |
parallelstore.instances.list | List all instances |
parallelstore.instances.exportData | Export data from Parallelstore to Cloud Storage |
parallelstore.instances.importData | Import data from Cloud Storage to Parallelstore |
Google Cloud doesn't support granting individual permissions directly; you must grant a role that contains permissions. The following table lists the permissions granted by the predefined roles for Parallelstore, as well as the basic Editor role:
| Capability | Editor (roles/editor) | Parallelstore (roles/parallelstore.*) | |
|---|---|---|---|
admin | viewer | ||
| Create instances | |||
| Delete instances | |||
| Update instances | |||
| Get instances | |||
| List instances | |||
| Import/export data from/to Cloud Storage | |||
Custom roles
If the available predefined roles don't meet your organization's access requirements, you can create and apply custom IAM roles.
When creating custom roles, we recommend using a combination of predefined roles to ensure that the correct permissions are included together.
Additional required Google Cloud permissions
In addition to the parallelstore permissions, there are some Google Cloud permissions required to complete specific tasks.
| Task | Permission |
|---|---|
| Create a VPC network | servicenetworking.services.addPeering is required. Grant roles/compute.networkAdmin or roles/servicenetworking.networksAdmin. |
| Import from Cloud Storage | The Parallelstore service account requires roles/storage.admin on the source bucket. See the Required permissions section of Transfer data to or from Cloud Storage for instructions. |
| Export to Cloud Storage | The Parallelstore service account requires roles/storage.admin on the destination bucket. See the Required permissions section of Transfer data to or from Cloud Storage for instructions. |
| Create Compute Engine VMs | Compute Instance Admin (v1). (roles/compute.instanceAdmin.v1) For more information, refer to the Compute Engine documentation. |
| Create and manage Google Kubernetes Engine clusters | Container Admin. (roles/container.admin) For more information, refer to the Google Kubernetes Engine documentation. |
| Monitoring | The Monitoring Viewer (roles/monitoring.viewer) role is required. |