This page describes how to use Identity and Access Management (IAM) roles in ingress and egress rules to allow access to resources protected by service perimeters.
VPC Service Controls uses ingress and egress rules to allow access to and from the resources and clients protected by service perimeters. Optionally, you can constrain your ingress and egress rules using IAM roles. When you specify an IAM role in a rule, the rule only allows actions associated with the permissions that are part of the IAM role.
Before you begin
Read about ingress and egress rules.
If you want to use a custom role in the ingress and egress rules, make sure that you have the required permissions.
Configure IAM roles in ingress rules
Console
When you update an ingress policy of a service perimeter or set an ingress policy during perimeter creation using the Google Cloud console, you can configure the ingress rule to use IAM roles:
When you create a perimeter or edit a perimeter in the Google Cloud console, select Ingress policy.
In the Ingress rules pane, select an existing ingress rule or click Add an ingress rule.
In the To section of your ingress policy, select Select IAM roles (Preview) from the Operations or IAM roles list.
Click Add IAM roles.
In the Add IAM roles pane, select the IAM roles that you want to allow.
For information about the supported services and roles, see Supported products.
Click Add selected IAM roles.
Click Done.
For information about the other ingress rule attributes, see Ingress rules reference.
gcloud
You can configure an ingress rule to use IAM roles using a JSON file or a YAML file. The following sample uses the YAML format:
- ingressFrom:
    identityType: ANY_IDENTITY | ANY_USER_ACCOUNT | ANY_SERVICE_ACCOUNT
    *OR*
    identities:
    - PRINCIPAL_IDENTIFIER
    sources:
    - resource: RESOURCE
    *OR*
    - accessLevel: ACCESS_LEVEL
  ingressTo:
    operations:
    - serviceName: SERVICE_NAME
      methodSelectors:
      - method: METHOD_NAME
    *OR*
    roles:
    - ROLE_NAME
    resources:
    - projects/PROJECT_NUMBER
Replace ROLE_NAME with the IAM roles that define the scope of access for the services specified in the rule. Specify a single role or a combination of roles that include all the permissions required to access the services. To specify a role, use the role name formats mentioned in Role components, except the following format: projects/PROJECT_ID/roles/IDENTIFIER.
For information about the supported services and roles, see Supported products.
For information about the other ingress rule attributes, see Ingress rules reference.
After you update an existing ingress rule to configure IAM roles, you need to update the rule policies of the service perimeter:
gcloud access-context-manager perimeters update PERIMETER_ID --set-ingress-policies=RULE_POLICY.yaml
Replace the following:
PERIMETER_ID: the ID of the service perimeter that you want to update.
RULE_POLICY: the path of the modified ingress rule file.
For more information, see Updating ingress and egress policies for a service perimeter.
Configure IAM roles in egress rules
Console
When you update an egress policy of a service perimeter or set an egress policy during perimeter creation using the Google Cloud console, you can configure the egress rule to use IAM roles:
When you create a perimeter or edit a perimeter in the Google Cloud console, select Egress policy.
In the Egress rules pane, select an existing egress rule or click Add an egress rule.
In the To section of your egress policy, select Select IAM roles (Preview) from the Operations or IAM roles list.
Click Add IAM roles.
In the Add IAM roles pane, select the IAM roles that you want to allow.
For information about the supported services and roles, see Supported products.
Click Add selected IAM roles.
Click Done.
For information about the other egress rule attributes, see Egress rules reference.
gcloud
You can configure an egress rule to use IAM roles using a JSON file or a YAML file. The following sample uses the YAML format:
- egressTo:
    operations:
    - serviceName: SERVICE_NAME
      methodSelectors:
      - method: METHOD_NAME
    *OR*
    roles:
    - ROLE_NAME
    resources:
    - projects/PROJECT_NUMBER
  egressFrom:
    identityType: ANY_IDENTITY | ANY_USER_ACCOUNT | ANY_SERVICE_ACCOUNT
    *OR*
    identities:
    - PRINCIPAL_IDENTIFIER
    sources:
    - resource: RESOURCE
    *OR*
    - accessLevel: ACCESS_LEVEL
    sourceRestriction: RESTRICTION_STATUS
Replace ROLE_NAME with the IAM roles that define the scope of access for the services specified in the rule. Specify a single role or a combination of roles that include all the permissions required to access the services. To specify a role, use the role name formats mentioned in Role components, except the following format: projects/PROJECT_ID/roles/IDENTIFIER.
For information about the supported services and roles, see Supported products.
For information about the other egress rule attributes, see Egress rules reference.
After you update an existing egress rule to configure IAM roles, you need to update the rule policies of the service perimeter:
gcloud access-context-manager perimeters update PERIMETER_ID --set-egress-policies=RULE_POLICY.yaml
Replace the following:
PERIMETER_ID: the ID of the service perimeter that you want to update.
RULE_POLICY: the path of the modified egress rule file.
For more information, see Updating ingress and egress policies for a service perimeter.
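As an added check that is not part of this page or of Google's tooling, the following Python lints an ingress or egress rule file in the JSON form the page says gcloud also accepts. It flags the project-level custom role format the page excludes, and rules whose ingressTo or egressTo block carries both operations and roles where the layouts above show one or the other. The sample policy, its project numbers, access level, identities and role names are constructed placeholders.

```python
import json
import re

# Constructed sample ingress policy in JSON form (same layout as the page's YAML).
# Project numbers, access level, identities and roles are placeholders, not page values.
SAMPLE_INGRESS_POLICY = """
[
  {
    "ingressFrom": {
      "identityType": "ANY_USER_ACCOUNT",
      "sources": [{"accessLevel": "accessPolicies/000000000000/accessLevels/corp_devices"}]
    },
    "ingressTo": {
      "roles": ["roles/storage.objectViewer", "projects/example-proj/roles/customReader"],
      "resources": ["projects/111111111111"]
    }
  },
  {
    "ingressFrom": {
      "identities": ["serviceAccount:etl@example-proj.iam.gserviceaccount.com"],
      "sources": [{"resource": "projects/222222222222"}]
    },
    "ingressTo": {
      "operations": [{"serviceName": "bigquery.googleapis.com",
                      "methodSelectors": [{"method": "*"}]}],
      "roles": ["roles/bigquery.dataViewer"],
      "resources": ["projects/111111111111"]
    }
  }
]
"""

# Project-level custom role format that the page says cannot be used in rules.
PROJECT_CUSTOM_ROLE = re.compile(r"^projects/[^/]+/roles/[^/]+$")


def lint_rules(policy_json, direction="ingress"):
    """Return findings for each rule's ingressTo/egressTo block; [] means clean."""
    to_key = direction + "To"
    findings = []
    for i, rule in enumerate(json.loads(policy_json)):
        to = rule.get(to_key, {})
        # The page's layout shows operations *OR* roles, so flag rules carrying both.
        if "operations" in to and "roles" in to:
            findings.append(f"rule {i}: {to_key} has both operations and roles; use one or the other")
        for role in to.get("roles", []):
            if PROJECT_CUSTOM_ROLE.match(role):
                findings.append(f"rule {i}: project-level custom role {role} is not supported")
    return findings
```

Run it against the rule file before passing it to gcloud access-context-manager perimeters update; a non-empty result means the rule would either be rejected or be ineffective for the flagged role.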
Supported products
You can use the IAM roles of the following Google Cloud services in the ingress and egress rules:
Product | Service | Limitations |
---|---|---|
Artifact Registry | artifactregistry.googleapis.com | |
BigQuery | bigquery.googleapis.com | |
BigQuery Data Transfer Service | bigquerydatatransfer.googleapis.com | |
Bigtable | bigtable.googleapis.com | |
Binary Authorization | binaryauthorization.googleapis.com | |
Cloud Composer | composer.googleapis.com | |
Cloud Key Management Service | cloudkms.googleapis.com | |
Cloud Logging | logging.googleapis.com | |
Cloud Monitoring | monitoring.googleapis.com | |
Cloud Run | run.googleapis.com | |
Cloud Run functions | cloudfunctions.googleapis.com | |
Cloud SQL | sqladmin.googleapis.com | |
Cloud Storage | storage.googleapis.com | |
Compute Engine | compute.googleapis.com | |
Dataflow | dataflow.googleapis.com | |
Dataproc | dataproc.googleapis.com | |
Google Kubernetes Engine | container.googleapis.com | |
Identity and Access Management | iam.googleapis.com | |
Pub/Sub | pubsub.googleapis.com | |
Resource Manager | cloudresourcemanager.googleapis.com | |
Secret Manager | secretmanager.googleapis.com | |
Spanner | spanner.googleapis.com | |
For the list of predefined IAM roles of these services that you can use in the ingress and egress rules, see Predefined roles.
However, there are a few IAM roles in these services that are either partially supported or not supported for use in the ingress and egress rules, because some or all of the underlying permissions are not supported:
Using a partially supported IAM role in an ingress or egress rule makes the rule ineffective for requests or actions specific to the underlying unsupported permissions.
For the list of partially supported roles and the associated unsupported permissions, see Partially supported IAM roles.
Using an unsupported IAM role in an ingress or egress rule makes the rule ineffective.
For the list of unsupported roles, see Unsupported IAM roles.
If you want to use a custom role in the ingress and egress rules, make sure that the custom role contains only the supported permissions that are part of the supported services. For the list of unsupported permissions for the supported services, see Partially supported IAM roles and Unsupported IAM roles.
You can't use custom roles that you have created at the project level. In other words, you can't use a custom role that is in the following format: projects/PROJECT_ID/roles/IDENTIFIER.
Partially supported IAM roles
The following table lists the partially supported IAM roles from specific services:
Product | Partially supported roles | Unsupported permissions |
---|---|---|
Cloud SQL | | |
Cloud Storage | | |
Identity and Access Management | | |
Resource Manager | | |
Spanner | | |
Other partially supported roles | | |
Unsupported IAM roles
The following table lists the unsupported IAM roles from specific services:
Product | Unsupported roles |
---|---|
Identity and Access Management | |
Limitations
You can't use a role-based ingress or egress rule to allow requests to set the IAM allow policy of a project across the perimeter boundary.
If you encounter issues with loading the editing page for services in the Google Cloud console due to VPC Service Controls restrictions, using IAM roles in ingress rules might not resolve the issue. This limitation doesn't affect the view-only page for these services.
When a request involves multiple resource types from different projects, an ingress or egress rule that uses IAM roles might not work; for example, when you launch a Dataflow template that reads text from Cloud Storage in a different project.
If you delete a custom role after you have referenced the role in a perimeter's ingress or egress rule, the perimeter becomes uneditable.