The Cloud Healthcare API does not have automatic access to other Google Cloud resources in your project, such as Cloud Storage buckets and BigQuery datasets. When accessing these resources, the Cloud Healthcare API uses a service agent called the Cloud Healthcare Service Agent.
To perform operations such as notifying Pub/Sub topics of changes, importing data from Cloud Storage buckets, exporting data to BigQuery datasets, and so on, you must first grant the service account the Identity and Access Management (IAM) permissions necessary to access the resources outside of the Cloud Healthcare API. This page describes which permissions are required for various operations, and how to grant them.
To learn more about using IAM to configure permissions within the Cloud Healthcare API, see Access control.
The Cloud Healthcare Service Agent
The Cloud Healthcare Service Agent service account
is automatically created
after you enable the Cloud Healthcare API. Its member name is
service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com
.
To find the PROJECT_NUMBER for your Google Cloud project,
see Identifying projects.
You can view detailed information about the Cloud Healthcare Service Agent service account, such as the roles it has been granted, on the Identity and Access Management page in Google Cloud console.
To learn more about the Cloud Healthcare Service Agent and its interaction with Identity and Access Management (IAM) roles and permissions, see Access control.
Dataset CMEK permissions
You can use a customer-managed encryption key (CMEK) when
creating a Cloud Healthcare API dataset. To let the
Cloud Healthcare Service Agent service account encrypt and decrypt objects
using the CMEK key, grant the service account the
CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter
)
role.
In the Google Cloud console, go to the IAM page.
Select the
Include Google-provided role grants checkbox.Ensure the View by principals tab is selected. Locate the row containing the Cloud Healthcare Service Agent service account, and click
Edit principal in that row. The Edit permissions pane is displayed.Click
Add another role.From the Select a role drop-down menu, search for and then click CryptoKey Encrypter/Decrypter.
Click Save.
DICOM, FHIR, and HL7v2 store Pub/Sub permissions
Changes within DICOM, FHIR, and HL7v2 stores can be sent to a Pub/Sub topic. For more information, see Using Cloud Pub/Sub for Notifications.
The methods within these stores require additional permissions on the Cloud Healthcare Service Agent service account to publish changes to a Pub/Sub topic.
Use the Google Cloud console or the gcloud CLI to add the
pubsub.publisher
role to your project's service account:
- Make sure that you have enabled the Cloud Healthcare API.
- On the IAM page
in Google Cloud console, verify that the role Healthcare Service Agent
appears in the Role column for the Cloud Healthcare Service Agent
service account.
The service account identifier is
service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com
. - In the Inheritance column that matches the role, click the pencil icon. The Edit permissions pane opens.
- Click Add another role and then search for the Pub/Sub Publisher role.
- Select the role and then click Save. The
pubsub.publisher
role is added to the service account.
To add the service account permissions, run the
gcloud projects add-iam-policy-binding
command. To find the PROJECT_ID and PROJECT_NUMBER,
see Identifying projects.
gcloud projects add-iam-policy-bindingPROJECT_ID \ --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com \ --role=roles/pubsub.publisher
Configure Pub/Sub permissions between projects
To publish Pub/Sub notifications to a topic in another project,
grant the Cloud Healthcare Service Agent service account the
pubsub.publisher
role on the topic. For more information, see Control access through the Google Cloud console
and Control access through the IAM API.
For an example of publishing Pub/Sub notifications between projects, see Sample use case: cross-project communication.
DICOM store Cloud Storage permissions
The projects.locations.datasets.dicomStores.import
and projects.locations.datasets.dicomStores.export
methods require additional permissions on the Cloud Healthcare Service Agent
service account to import data from and export
data to Cloud Storage.
Importing data from Cloud Storage
You can use Google Cloud console or the gcloud CLI to add the requiredstorage.objectViewer
role to your project's service
account.
- Make sure that you have enabled the Cloud Healthcare API.
- On the IAM page in Google Cloud console, verify that the role
Healthcare Service Agent appears in the Role column for the Cloud Healthcare Service Agent
service account.
The service account identifier is
service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com
. - In the Inheritance column that matches the role, click the pencil icon. The Edit permissions pane opens.
- Click Add another role and then search for the Storage Object Viewer role.
- Select the role and then click Save. The
storage.objectViewer
role is then added to the service account.
gcloud projects add-iam-policy-binding
command. To find the PROJECT_ID and PROJECT_NUMBER,
see Identifying projects.
gcloud projects add-iam-policy-bindingPROJECT_ID \ --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com \ --role=roles/storage.objectViewer
Exporting data to Cloud Storage
You can use Google Cloud console or the gcloud CLI to add the required
storage.objectAdmin
role to your project's service account:
- Make sure that you have enabled the Cloud Healthcare API.
- On the IAM page
in Google Cloud console, verify that the role Healthcare Service Agent
appears in the Role column for the Cloud Healthcare Service Agent
service account.
The service account identifier is
service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com
. - In the Inheritance column that matches the role, click the pencil icon. The Edit permissions pane opens.
- Click Add another role and then search for the Storage Object Admin role.
- Select the role and then click Save. The
storage.objectAdmin
role is then added to the service account.
To add the service account permissions, run the gcloud projects add-iam-policy-binding
command. To find the PROJECT_ID and PROJECT_NUMBER,
see Identifying projects.
gcloud projects add-iam-policy-bindingPROJECT_ID \ --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com \ --role=roles/storage.objectAdmin
DICOM store BigQuery permissions
The projects.locations.datasets.dicomStores.export
method requires additional permissions on the Cloud Healthcare Service Agent
service account to export DICOM metadata to
BigQuery. You must also grant WRITER
access for the
BigQuery dataset
to the Cloud Healthcare Service Agent' service account.
Granting permissions to the Cloud Healthcare Service Agent service account
You can use the Google Cloud console or the gcloud CLI to add the required
bigquery.dataEditor
and bigquery.jobUser
roles to your project's service
account.
- Make sure that you have enabled the Cloud Healthcare API.
- On the IAM page in Google Cloud console, verify that the role
Healthcare Service Agent appears in the Role column for the Cloud Healthcare Service Agent
service account.
The service account identifier is
service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com
. - In the Inheritance column that matches the role, click the pencil icon. The Edit permissions pane opens.
- Click Add another role and then search for the BigQuery Data Editor and BigQuery Job User roles.
- Select each role and then click Save. The
bigquery.dataEditor
andbigquery.jobUser
roles are then added to the service account.
To add the service account permissions, run the gcloud projects add-iam-policy-binding
command. To find the PROJECT_ID and PROJECT_NUMBER,
see Identifying projects.
Grant the
roles/bigquery.dataEditor
role:Before using any of the command data below, make the following replacements:
PROJECT_ID : the ID of your Google Cloud projectPROJECT_NUMBER : the number of your Google Cloud project
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud projects add-iam-policy-binding
PROJECT_ID \ --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com \ --role=roles/bigquery.dataEditorWindows (PowerShell)
gcloud projects add-iam-policy-binding
PROJECT_ID ` --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com ` --role=roles/bigquery.dataEditorWindows (cmd.exe)
gcloud projects add-iam-policy-binding
PROJECT_ID ^ --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com ^ --role=roles/bigquery.dataEditorYou should receive a response similar to the following:
Updated IAM policy for project [
PROJECT_ID ]. bindings: ... - members: - serviceAccount:service-NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com role: roles/bigquery.dataEditor ... etag:ETAG version:VERSION Grant the
roles/bigquery.jobUser
role:Before using any of the command data below, make the following replacements:
PROJECT_ID : the ID of your Google Cloud projectPROJECT_NUMBER : the number of your Google Cloud project
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud projects add-iam-policy-binding
PROJECT_ID \ --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com \ --role=roles/bigquery.jobUserWindows (PowerShell)
gcloud projects add-iam-policy-binding
PROJECT_ID ` --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com ` --role=roles/bigquery.jobUserWindows (cmd.exe)
gcloud projects add-iam-policy-binding
PROJECT_ID ^ --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com ^ --role=roles/bigquery.jobUserYou should receive a response similar to the following:
Updated IAM policy for project [
PROJECT_ID ]. bindings: ... - members: - serviceAccount:service-NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com role: roles/bigquery.jobUser ... etag:ETAG version:VERSION
Granting WRITER
access to the BigQuery dataset
If you have added the bigquery.dataEditor
and bigquery.jobUser
roles to
your project's service account, you will have WRITER
access for all
BigQuery datasets. However, if you have not added these roles and you require
WRITER
access to a single BigQuery dataset, you can grant
WRITER
access just for that dataset.
To grant WRITER
access to a BigQuery dataset, complete
the following steps:
- Navigate to Controlling access to a dataset.
- Using one of the available methods, grant the Cloud Healthcare Service Agent's
email address
WRITER
access to the BigQuery dataset. (Look for the email address that ends in@gcp-sa-healthcare.iam.gserviceaccount.com
).
For example, if your Cloud Healthcare Service Agent's email address is
service-000000000000@gcp-sa-healthcare.iam.gserviceaccount.com
, and if you are using the
BigQuery web UI, you would:
- Follow the Console instructions.
- In the Add principals field, enter
service-000000000000@gcp-sa-healthcare.iam.gserviceaccount.com
and select thebigquery.dataEditor
role.
Exporting DICOM metadata across Google Cloud projects
To export DICOM metadata from a DICOM store in one project to a
BigQuery table in a different project, you must add the
source project's Cloud Healthcare Service Agent service account to the
destination project and grant the service account the
bigquery.dataEditor
and bigquery.jobUser
roles in the destination
project.
To find the source project's Cloud Healthcare Service Agent service account, complete the following steps:
- Make sure that you have enabled the Cloud Healthcare API.
- On the IAM page in Google Cloud console, verify that the role
Healthcare Service Agent appears in the Role column for the Cloud Healthcare Service Agent
service account.
The service account identifier is
service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com
. Note this address in the source project, as it will be used in the following steps.
Add the Cloud Healthcare Service Agent service account from the source project to the destination project and grant the service account the required BigQuery permissions by completing the following steps:
- Open the destination project's IAM page in Google Cloud console.
- Click Add.
- In the New members field, enter the address of the source project's Cloud Healthcare Service Agent service account.
- Click Add another role and then search for the BigQuery Data Editor and BigQuery Job User roles.
- Select the role and then click Save. The source project's
Cloud Healthcare Service Agent service account now has
bigquery.dataEditor
andbigquery.jobUser
roles on the destination project.
To add the Cloud Healthcare Service Agent service account from the source
project to the destination project and grant the service account the required
BigQuery permissions, run the
gcloud projects add-iam-policy-binding
command. To find the project ID and project number for your source and
destination projects,
see Identifying projects.
gcloud projects add-iam-policy-bindingDESTINATION_PROJECT_ID \ --member=serviceAccount:service-SOURCE_PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com \ --role=roles/bigquery.dataEditor
gcloud projects add-iam-policy-bindingDESTINATION_PROJECT_ID \ --member=serviceAccount:service-SOURCE_PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com \ --role=roles/bigquery.jobUser
Complete the steps in Granting WRITER
access to the BigQuery dataset
to allow the source project to write to the destination dataset.
FHIR store Cloud Storage permissions
The following sections describe FHIR methods that require additional permissions on the Cloud Healthcare Service Agent to read from or write to Cloud Storage.
Importing FHIR resources from Cloud Storage
The projects.locations.datasets.fhirStores.import
method requires the following permissions on the Cloud Healthcare Service Agent
service account:
storage.objects.get
storage.objects.list
These permissions are included in the predefined storage.objectViewer
role.
You can also add the permissions to a custom role, or they might be included in other basic roles.
You can use Google Cloud console or the gcloud CLI to add the requiredstorage.objectViewer
role to your project's service
account.
- Make sure that you have enabled the Cloud Healthcare API.
- On the IAM page in Google Cloud console, verify that the role
Healthcare Service Agent appears in the Role column for the Cloud Healthcare Service Agent
service account.
The service account identifier is
service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com
. - In the Inheritance column that matches the role, click the pencil icon. The Edit permissions pane opens.
- Click Add another role and then search for the Storage Object Viewer role.
- Select the role and then click Save. The
storage.objectViewer
role is then added to the service account.
gcloud projects add-iam-policy-binding
command. To find the PROJECT_ID and PROJECT_NUMBER,
see Identifying projects.
gcloud projects add-iam-policy-bindingPROJECT_ID \ --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com \ --role=roles/storage.objectViewer
Exporting FHIR resources to Cloud Storage
To use the projects.locations.datasets.fhirStores.export
method requires the following permissions on the Cloud Healthcare Service Agent
service account:
storage.objects.create
storage.objects.delete
storage.objects.list
These permissions are included in the predefined storage.objectAdmin
role.
You can also add the permissions to a custom role, or they might be included in other basic roles.
To grant the service account the storage.objectAdmin
role, follow these steps:
- Ensure you enabled the Cloud Healthcare API.
- On the IAM page
in Google Cloud console, verify that the role Healthcare Service Agent
appears in the Role column for the Cloud Healthcare Service Agent
service account.
The service account identifier is
service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com
. - In the Inheritance column that matches the role, click the pencil icon. The Edit permissions pane opens.
- Click Add another role and then search for the Storage Object Creator role.
- Select the role and then click Save. The
storage.objectAdmin
role is then added to the service account.
To add the service account permissions, run the gcloud projects add-iam-policy-binding
command. To find the PROJECT_ID and PROJECT_NUMBER,
see Identifying projects.
gcloud projects add-iam-policy-bindingPROJECT_ID \ --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com \ --role=roles/storage.objectAdmin
Read filter files from Cloud Storage
The projects.locations.datasets.fhirStores.rollback
method requires the following permissions on the Cloud Healthcare Service Agent
service account to read filter files
from Cloud Storage:
storage.objects.get
storage.objects.list
These permissions are included in the predefined storage.objectViewer
role.
You can also add the permissions to a custom role, or they might be included in other basic roles.
To grant the storage.objectViewer
role to the service account, follow
these steps:
Write output files to Cloud Storage
The projects.locations.datasets.fhirStores.rollback
method requires the following permissions on the Cloud Healthcare Service Agent
service account to write output files
to Cloud Storage:
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
These permissions are included in the predefined storage.objectAdmin
role.
You can also add the permissions to a custom role, or they might be included in other basic roles.
To grant the storage.objectAdmin
role to the service account, follow
these steps:
FHIR store BigQuery permissions
The projects.locations.datasets.fhirStores.export
method requires additional permissions on the Cloud Healthcare Service Agent
service account to export FHIR resources to
BigQuery. You must also grant WRITER
access for the
BigQuery dataset
to the Cloud Healthcare Service Agent' service account.
Granting permissions to the Cloud Healthcare Service Agent service account
- Make sure that you have enabled the Cloud Healthcare API.
- On the IAM page in Google Cloud console, verify that the role
Healthcare Service Agent appears in the Role column for the Cloud Healthcare Service Agent
service account.
The service account identifier is
service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com
. - In the Inheritance column that matches the role, click the pencil icon. The Edit permissions pane opens.
- Click Add another role and then search for the BigQuery Data Editor and BigQuery Job User roles.
- Select each role and then click Save. The
bigquery.dataEditor
andbigquery.jobUser
roles are then added to the service account.
To add the service account permissions, run the gcloud projects add-iam-policy-binding
command. To find the PROJECT_ID and PROJECT_NUMBER,
see Identifying projects.
Grant the
roles/bigquery.dataEditor
role:Before using any of the command data below, make the following replacements:
PROJECT_ID : the ID of your Google Cloud projectPROJECT_NUMBER : the number of your Google Cloud project
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud projects add-iam-policy-binding
PROJECT_ID \ --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com \ --role=roles/bigquery.dataEditorWindows (PowerShell)
gcloud projects add-iam-policy-binding
PROJECT_ID ` --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com ` --role=roles/bigquery.dataEditorWindows (cmd.exe)
gcloud projects add-iam-policy-binding
PROJECT_ID ^ --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com ^ --role=roles/bigquery.dataEditorYou should receive a response similar to the following:
Updated IAM policy for project [
PROJECT_ID ]. bindings: ... - members: - serviceAccount:service-NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com role: roles/bigquery.dataEditor ... etag:ETAG version:VERSION Grant the
roles/bigquery.jobUser
role:Before using any of the command data below, make the following replacements:
PROJECT_ID : the ID of your Google Cloud projectPROJECT_NUMBER : the number of your Google Cloud project
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud projects add-iam-policy-binding
PROJECT_ID \ --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com \ --role=roles/bigquery.jobUserWindows (PowerShell)
gcloud projects add-iam-policy-binding
PROJECT_ID ` --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com ` --role=roles/bigquery.jobUserWindows (cmd.exe)
gcloud projects add-iam-policy-binding
PROJECT_ID ^ --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com ^ --role=roles/bigquery.jobUserYou should receive a response similar to the following:
Updated IAM policy for project [
PROJECT_ID ]. bindings: ... - members: - serviceAccount:service-NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com role: roles/bigquery.jobUser ... etag:ETAG version:VERSION
Granting WRITER
access to the BigQuery dataset
If you have added the bigquery.dataEditor
and bigquery.jobUser
roles to
your project's service account, you will have WRITER
access for all
BigQuery datasets. However, if you have not added these roles and you require
WRITER
access to a single BigQuery dataset, you can grant
WRITER
access just for that dataset.
To grant WRITER
access to a BigQuery dataset, complete
the following steps:
- Navigate to Controlling access to a dataset.
- Using one of the available methods, grant the Cloud Healthcare Service Agent's
email address
WRITER
access to the BigQuery dataset. (Look for the email address that ends in@gcp-sa-healthcare.iam.gserviceaccount.com
).
For example, if your Cloud Healthcare Service Agent's email address is
service-000000000000@gcp-sa-healthcare.iam.gserviceaccount.com
, and if you are using the
BigQuery web UI, you would:
- Follow the Console instructions.
- In the Add principals field, enter
service-000000000000@gcp-sa-healthcare.iam.gserviceaccount.com
and select thebigquery.dataEditor
role.
HL7v2 store Cloud Storage permissions
The projects.locations.datasets.hl7V2Stores.import
and projects.locations.datasets.hl7V2Stores.export
methods require additional permissions on the Cloud Healthcare Service Agent
service account to import HL7v2 messages from
and export HL7v2 messages to Cloud Storage.
Determine the permissions that the service account requires based on the actions that the application performs:
- If the application imports HL7v2 messages from Cloud Storage to an
HL7v2 store, the service account requires the
storage.objects.get
andstorage.objects.list
permissions, which are included in thestorage.objectViewer
role. - If the application exports HL7v2 messages from an HL7v2 store to
Cloud Storage, the service account requires the
storage.objects.create
,storage.objects.delete
, andstorage.objects.list
permissions, which are included in thestorage.objectCreator
role.
Importing HL7v2 messages from Cloud Storage
You can use Google Cloud console or the gcloud CLI to add the requiredstorage.objectViewer
role to your project's service
account.
- Make sure that you have enabled the Cloud Healthcare API.
- On the IAM page in Google Cloud console, verify that the role
Healthcare Service Agent appears in the Role column for the Cloud Healthcare Service Agent
service account.
The service account identifier is
service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com
. - In the Inheritance column that matches the role, click the pencil icon. The Edit permissions pane opens.
- Click Add another role and then search for the Storage Object Viewer role.
- Select the role and then click Save. The
storage.objectViewer
role is then added to the service account.
gcloud projects add-iam-policy-binding
command. To find the PROJECT_ID and PROJECT_NUMBER,
see Identifying projects.
gcloud projects add-iam-policy-bindingPROJECT_ID \ --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com \ --role=roles/storage.objectViewer
Exporting HL7v2 messages to Cloud Storage
You can use Google Cloud console or the gcloud CLI to add the
required storage.objectCreator
role to your project's service account:
- Make sure that you have enabled the Cloud Healthcare API.
- On the IAM page
in Google Cloud console, verify that the role Healthcare Service Agent
appears in the Role column for the Cloud Healthcare Service Agent
service account.
The service account identifier is
service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com
. - In the Inheritance column that matches the role, click the pencil icon. The Edit permissions pane opens.
- Click Add another role and then search for the Storage Object Creator role.
- Select the role and then click Save. The
storage.objectCreator
role is then added to the service account.
To add the service account permissions, run the gcloud projects add-iam-policy-binding
command. To find the PROJECT_ID and PROJECT_NUMBER,
see Identifying projects.
gcloud projects add-iam-policy-bindingPROJECT_ID \ --member=serviceAccount:service-PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com \ --role=roles/storage.objectCreator