How to add a role binding to a specific memorystore instance?
I want to add a role (Cloud Memorystore Redis Editor) binding to a specific redis or memcached instance in the memorystore.
I usually do this with the binding wizard on the info page of an instance. It is not shown at all at memorystore instance pages.
Is there a way to do this other than adding a member with conditions on the IAM page?
Also, when I try to list grantable roles for an instance with gcloud iam list-grantable-roles <resource_name> it returns empty for the memcached instance, and gives invalid argument name error for the redis instance.
Thanks
Edit:
I want to add a member with a specific role to a redis resource.
The role I want to add is Cloud Memorystore Redis Editor
I added screenshot with an example from Bigtable instance. I don't see the panel from the second screenshot in the redis instance. There is no option to open that panel.
Selecting an instances shows "Add Member" button under "permissions" tab
This panel allows me to select a member and give roles grantable to this resource
I don't think permissions on a per-instance basis are possible for Redis. I got this quote from Google's Access control and permissions page for Memorystore for Redis (source).
Note: To call a method, you must also have the required scopes as described in the method's reference page, in addition to the permissions below. For more information, see Authorizing requests with OAuth 2.0. All permissions are applied to the project. You cannot apply different permissions based on the instance or other lower-level object.
If you do need the instances to be isolated in terms of access management, I have some suggestions:
- Place the Redis instances in separate projects if they have completely different purposes.
- If feasible, you could separate reader and writer permissions under different service accounts.
- Do not grant
roles/ownerpermissions, instead useroles/redis.editor,roles/redis.viewerandroles/redis.admin.
Bullet number three might seem obvious, but I have seen many people (even on Stackoverflow) suggesting that someone should put owner permissions on a service account to get something to work. And indeed it does work, but it is very bad practice from a security standpoint.
- Does snapshot size is less than actual disk size even disk is full in google cloud?
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- GA4 Data Not Retained for More Than 60 Days Despite BigQuery Table Expiration Set to 'Never
- Firebase Firestore: Accessing Never-Retrieved Data Offline
- How to write a REGEXP_EXTRACT expression in Google Cloud Logging config json?
- Why does my GKE cluster not show any events?
- Python to get billing info from Gcloud
- Google Cloud: sign a JWT while impersonating a service account
- Google recaptcha enterprise: Your default credentials were not found
- Firebase Admin SDK cant upload to storage bucket folder
- Accessing Firestore via Cloud Function
- Problem with executing asynchronous Cloud Function
- do you need to create a separate collection/document for reading an aggregated document with firebase cloud function
- httpsCallable is not a function when calling a Firebase function
- Google Cloud Eventarc: Receive events via Pub/Sub directly
- Android Studio's project gradle file changed?
- How to listen to button triggers using Firebase
- gcloud auth login throwing error: gcloud crashed (ConnectionError): HTTPSConnectionPool(host='oauth2.googleapis.com', port=443): Max retries exceeded
- Google Cloud Build Error: build step 0 "gcr.io/cloud-builders/docker" failed: step exited with non-zero status: 1
- Terraform - GCP - Import project IAM member
- Choosing fields to return with Places API (new) client library
- Deploy to Update version of Gmail App Script Extension
- Getting random "User not found in file /etc/passwd" error on Cloud Run Job
- Change time format in GCP Logs Explorer
- Deploying to Cloud Run with a custom service account failed with iam.serviceaccounts.actAs error
- Deploying a pelican site to Google Cloud Run with Dockerfile not working
- Is there a good explanation of resource labels versus metric labels?
- Why do I set the resource type when writing the metric but not when creating a descriptor?
- google-github-actions/get-gke-credentials failed with: required "container.clusters.get" permission(s)
- How to list all enabled API services for Google Cloud Platform project