According to this document, if using a shared VPC, the Datastream service account requires the COMPUTE.NETWORKADMIN role on the host project. However, I was wondering if there were more granular permissions/roles that can be assigned instead, since the COMPUTE.NETWORKADMIN role is quite expansive.
Which permissions do you need? List them in your question. You can create a custom role with only the permissions you require. – John Hanley Aug 08 '22 at 21:19
1 Answer
You may create a custom role with only the permissions that you require and bind it to the user or service account where you wish to assign the custom role. Please see the Compute Network Admin role for the available permissions that you can add to the custom role.

James S
Yeah, I am not sure what specific permissions are required, since the doc says that the Datastream service account needs the compute.networkAdmin role. – Stephen Hwang Aug 09 '22 at 00:21
I understand your concerns regarding COMPUTE.NETWORKADMIN role being expansive. However, the documentation states that this is the required role for the host project. This means that all of the permissions under this role are needed. If you want to test it out, you may create a custom role using all of the permissions from the Compute Network Admin role except for the ones that you think are unnecessary. – James S Aug 09 '22 at 05:57
You may also try to test IAM permissions through testIamPermissions() method[1]. This allows you to programmatically check whether the currently authenticated caller has been granted one or more specific IAM permissions on the resource. [1]: https://cloud.google.com/iam/docs/testing-permissions – James S Aug 09 '22 at 05:58