Access control with IAM

To limit access for users within a project or organization, you can use Identity and Access Management (IAM) roles for BigQuery Engine for Apache Flink. Instead of granting users the Viewer, Editor, or Owner role to the entire Google Cloud project, you can control access to BigQuery Engine for Apache Flink-related resources.

This page focuses on how to use BigQuery Engine for Apache Flink's IAM roles. For a detailed description of IAM and its features, see the IAM documentation.

Every BigQuery Engine for Apache Flink method requires the caller to have the necessary permissions. For a list of the permissions and roles BigQuery Engine for Apache Flink supports, see the Predefined roles section of this page.

Types of roles

Similar to other Google Cloud products, BigQuery Engine for Apache Flink supports three types of roles:

  • Basic roles: Basic roles are highly permissive roles that existed prior to the introduction of IAM. You can use basic roles to grant principals broad access to Google Cloud resources. In production environments, don't grant basic roles when you have an alternative. Instead, grant the most limited predefined roles that meet your needs, or create custom roles. For more information about basic roles, see Basic roles.

  • Predefined roles: Predefined roles give granular access to specific Google Cloud resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services. For more information about predefined roles, see Predefined roles. The BigQuery Engine for Apache Flink predefined roles are included in this page.

  • Custom roles: Custom roles help you enforce the principle of least privilege, because they ensure that the principals in your organization have only the permissions that they need. Allow only a small number of highly trusted principals to edit custom roles. If a principal can edit custom roles in a project or organization, they can add any permission to any custom role in that project or organization. When you grant any custom role to the principal, they can use the custom role to get unlimited access. For more information about custom roles, see Custom roles.

Required permissions

The following table lists the permission that the caller must have to call each method. For every method, the required permission has the same name as the method:

Method                            Required permission
managedflink.deployments.create   managedflink.deployments.create
managedflink.deployments.update   managedflink.deployments.update
managedflink.deployments.delete   managedflink.deployments.delete
managedflink.deployments.list     managedflink.deployments.list
managedflink.deployments.get      managedflink.deployments.get
managedflink.jobs.create          managedflink.jobs.create
managedflink.jobs.update          managedflink.jobs.update
managedflink.jobs.delete          managedflink.jobs.delete
managedflink.jobs.list            managedflink.jobs.list
managedflink.jobs.get             managedflink.jobs.get
managedflink.locations.list       managedflink.locations.list
managedflink.locations.get        managedflink.locations.get
managedflink.operations.cancel    managedflink.operations.cancel
managedflink.operations.delete    managedflink.operations.delete
managedflink.operations.list      managedflink.operations.list
managedflink.operations.get       managedflink.operations.get
managedflink.sessions.create      managedflink.sessions.create
managedflink.sessions.update      managedflink.sessions.update
managedflink.sessions.delete      managedflink.sessions.delete
managedflink.sessions.list        managedflink.sessions.list
managedflink.sessions.get         managedflink.sessions.get

Predefined roles

The following table lists the BigQuery Engine for Apache Flink IAM predefined roles with the list of BigQuery Engine for Apache Flink-related permissions that each role includes. Every permission is applicable to a particular resource type. For a list of permissions, see the Roles page in the Google Cloud console.

Managed Flink Admin (roles/managedflink.admin)

Full access to BigQuery Engine for Apache Flink resources. This role includes the following permissions:
  • managedflink.operations.delete
  • managedflink.operations.cancel
  • managedflink.deployments.create
  • managedflink.deployments.update
  • managedflink.deployments.delete
  • managedflink.jobs.create
  • managedflink.jobs.update
  • managedflink.jobs.delete
  • managedflink.sessions.create
  • managedflink.sessions.update
  • managedflink.sessions.delete

This role includes the following roles:
  • roles/managedflink.viewer

Managed Flink Developer (roles/managedflink.developer)

Full access to BigQuery Engine for Apache Flink jobs and read access to deployments. This role includes the following permissions:
  • managedflink.jobs.create
  • managedflink.jobs.update
  • managedflink.jobs.delete
  • managedflink.sessions.create
  • managedflink.sessions.update
  • managedflink.sessions.delete

This role includes the following roles:
  • roles/managedflink.viewer

Managed Flink Viewer (roles/managedflink.viewer)

Read-only access to BigQuery Engine for Apache Flink resources. This role includes the following permissions:
  • resourcemanager.projects.list
  • resourcemanager.projects.get
  • managedflink.operations.list
  • managedflink.operations.get
  • managedflink.locations.list
  • managedflink.locations.get
  • managedflink.deployments.list
  • managedflink.deployments.get
  • managedflink.jobs.list
  • managedflink.jobs.get
  • managedflink.sessions.list
  • managedflink.sessions.get

Create deployments and jobs

The roles/managedflink.admin role includes the minimal set of permissions required to create, run, and examine deployments. To create deployments, you also need to enable the Compute Engine API.

The roles/managedflink.developer role includes the minimal set of permissions required to create, run, and examine jobs.
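The following is an added example, not code from this page or from Google: it transcribes the predefined-roles table above into Python, expands the "includes the following roles" relationship, and picks the least-privileged predefined role that covers a given set of method calls (each method requiring the permission of the same name, per the Required permissions table). The role ordering and the helper functions are assumptions made for this illustration.

```python
# Mapping transcribed from this page's predefined-roles table; the helper
# logic below is an added illustration, not a Google API.
ROLE_PERMISSIONS = {
    "roles/managedflink.viewer": {
        "resourcemanager.projects.list", "resourcemanager.projects.get",
        "managedflink.operations.list", "managedflink.operations.get",
        "managedflink.locations.list", "managedflink.locations.get",
        "managedflink.deployments.list", "managedflink.deployments.get",
        "managedflink.jobs.list", "managedflink.jobs.get",
        "managedflink.sessions.list", "managedflink.sessions.get",
    },
    "roles/managedflink.developer": {
        "managedflink.jobs.create", "managedflink.jobs.update",
        "managedflink.jobs.delete", "managedflink.sessions.create",
        "managedflink.sessions.update", "managedflink.sessions.delete",
    },
    "roles/managedflink.admin": {
        "managedflink.operations.delete", "managedflink.operations.cancel",
        "managedflink.deployments.create", "managedflink.deployments.update",
        "managedflink.deployments.delete", "managedflink.jobs.create",
        "managedflink.jobs.update", "managedflink.jobs.delete",
        "managedflink.sessions.create", "managedflink.sessions.update",
        "managedflink.sessions.delete",
    },
}
# "This role includes the following roles" relationships from the page.
ROLE_INCLUDES = {
    "roles/managedflink.developer": {"roles/managedflink.viewer"},
    "roles/managedflink.admin": {"roles/managedflink.viewer"},
}
# Assumed ordering, least to most privileged: the first match is the
# least-privilege choice.
ROLE_ORDER = ["roles/managedflink.viewer", "roles/managedflink.developer",
              "roles/managedflink.admin"]

def effective_permissions(role):
    """Full permission set of a role, following included roles transitively."""
    perms, seen, stack = set(), set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            perms |= ROLE_PERMISSIONS.get(r, set())
            stack.extend(ROLE_INCLUDES.get(r, ()))
    return frozenset(perms)

def minimal_role(methods):
    """Least-privileged role covering every method; None means no predefined role fits."""
    needed = set(methods)
    return next((r for r in ROLE_ORDER if needed <= effective_permissions(r)), None)
```

A None result is the signal that a custom role, rather than a broader predefined role, is the least-privilege option.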

Assign roles

To manage roles at the organizational level, see Access control for organizations using IAM.

To set project-level roles, see Granting, changing, and revoking access to resources.